HP MSR2000 Configuration Manual page 181

# Create an IKE-based IPsec policy named use1, with the sequence number as 10.
[RouterB] ipsec ipv6-policy use1 10 isakmp
# Apply ACL 3101.
[RouterB-ipsec-ipv6-policy-isakmp-use1-10] security acl ipv6 3101
# Apply the IPsec transform set tran1.
[RouterB-ipsec-ipv6-policy-isakmp-use1-10] transform-set tran1
# Specify the local and remote IPv6 addresses of the IPsec tunnel as 222::1 and 111::1.
[RouterB-ipsec-ipv6-policy-isakmp-use1-10] local-address ipv6 222::1
[RouterB-ipsec-ipv6-policy-isakmp-use1-10] remote-address ipv6 111::1
# Apply the IKE profile profile1.
[RouterB-ipsec-ipv6-policy-isakmp-use1-10] ike-profile profile1
[RouterB-ipsec-ipv6-policy-isakmp-use1-10] quit
# Apply the IPsec policy use1 to interface Ethernet 1/2.
[RouterB] interface ethernet 1/2
[RouterB-Ethernet1/2] ipv6 address 222::1/64
[RouterB-Ethernet1/2] ipsec apply policy use1
[RouterB-Ethernet1/2] quit
Verifying the configuration
After the previous configurations, IKE negotiation is triggered to set up IPsec SAs when there is traffic
between subnet 333::/64 and subnet 555::/64. After IPsec SAs are successfully negotiated by IKE, the
traffic between the two subnets is IPsec protected.
Use the display ipsec sa command to display IPsec SAs on Router A and Router B. Take Router A as an
example:
[RouterA] display ipsec sa
-------------------------------
Interface: Ethernet1/2
-------------------------------
-----------------------------
IPsec policy: map1
Sequence number: 10
Mode: isakmp
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Path MTU: 1423
Tunnel:
local
remote address: 222::1
Flow:
sour addr: 111::1/0
dest addr: 222::1/0
[Inbound ESP SAs]
SPI: 3769702703 (0xe0b1192f)
address: 111::1
port: 0
port: 0
protocol: IPv6
protocol: IPv6
170