Aggressive Mode With RSA Signature Authentication Configuration Example - HP MSR2000 Configuration Manual

Flow:
sour addr: 10.1.1.0/255.255.255.0  port: 0  protocol: IP
dest addr: 10.1.2.0/255.255.255.0  port: 0  protocol: IP
[Inbound ESP SAs]
SPI: 3264152513 (0xc28f03c1)
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3484
Max received sequence-number:
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: active
[Outbound ESP SAs]
SPI: 738451674 (0x2c03e0da)
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3484
Max received sequence-number:
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: active
# Use the same command to verify the IKE SA and IPsec SA on Device B. (Details not shown.)
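
The check above can be scripted. The following Python sketch is an added example, not part of the HP manual: it parses the inbound and outbound ESP SA blocks shown above and compares each SA with a local baseline. The baseline values (allowed authentication algorithm, minimum anti-replay window, minimum remaining lifetime) and the names parse_sas and audit are assumptions of this example.

```python
import re

# Constructed sample: the two SA blocks from the output above, built from one template.
_BLOCK = """[{d} ESP SAs]
SPI: {spi}
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3484
Max received sequence-number:
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: active
"""
SAMPLE = (_BLOCK.format(d="Inbound", spi="3264152513 (0xc28f03c1)")
          + _BLOCK.format(d="Outbound", spi="738451674 (0x2c03e0da)"))

def parse_sas(text):
    """Return one dict per '[Inbound|Outbound <proto> SAs]' block."""
    sas = []
    for line in map(str.strip, text.splitlines()):
        head = re.fullmatch(r"\[(Inbound|Outbound) (\w+) SAs\]", line)
        if head:
            sas.append({"direction": head.group(1), "protocol": head.group(2)})
        elif sas and ":" in line:  # lines before the first SA header are skipped
            key, _, value = line.partition(":")
            sas[-1][key.strip()] = value.strip()
    return sas

def audit(sa, allowed_auth=("SHA1",), min_window=64, min_secs=300):
    """Check one SA against a local baseline (all thresholds are assumptions)."""
    findings = []
    if sa.get("Status") != "active":
        findings.append("not active")
    if sa.get("Anti-replay check enable") != "Y":
        findings.append("anti-replay disabled")
    elif int(sa.get("Anti-replay window size") or 0) < min_window:
        findings.append("anti-replay window below baseline")
    auth = re.search(r"ESP-AUTH-(\S+)", sa.get("Transform set", ""))
    if not auth or auth.group(1) not in allowed_auth:
        findings.append("authentication algorithm not in baseline")
    left = re.fullmatch(r"(\d+)/(\d+)", sa.get("SA remaining duration (kilobytes/sec)", ""))
    if not left or int(left.group(2)) < min_secs or int(left.group(1)) == 0:
        findings.append("SA close to expiry or lifetime unreadable")
    return findings

if __name__ == "__main__":
    for sa in parse_sas(SAMPLE):
        print(sa["direction"], sa["SPI"], audit(sa) or "OK")
```

Running the same audit on the output collected from Device B and comparing the SPIs (Device A's inbound SPI should be Device B's outbound SPI, and the reverse) confirms that both peers hold the same SA pair.
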
Aggressive mode with RSA signature authentication configuration example
This configuration example does not apply when the device operates in FIPS mode.
Network requirements
As shown in Figure 52, configure an IPsec tunnel that uses IKE negotiation between Device A and Device B to secure the communication between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.
Configure Device A and Device B to use aggressive mode for IKE negotiation phase 1 and use RSA signature authentication. Device A acts as the initiator because the subnet where Device A resides is dynamically allocated.
Figure 52 Network diagram
Configuration procedure
1. Configure Device A:
# Assign an IP address to each interface. (Details not shown.)
# Configure ACL 3101 to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.
<DeviceA> system-view
[DeviceA] acl number 3101
This manual is also suitable for: MSR3000, MSR4000