HPE FlexNetwork MSR Series Comware 5 Security Configuration Manual page 251

[RouterB-ipsec-policy-isakmp-map1-1] transform-set transform_b
[RouterB-ipsec-policy-isakmp-map1-1] quit
8. Assign an IP address to interface Ethernet 1/2.
[RouterB] interface ethernet 1/2
[RouterB-Ethernet1/2] ip address 10.1.2.1 255.255.255.0
[RouterB-Ethernet1/2] quit
9. Assign an IP address to interface Ethernet 1/1.
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ip address 2.2.2.2 255.255.0.0
10. Apply the IPsec policy group on interface Ethernet 1/1.
[RouterB-Ethernet1/1] ipsec policy map
[RouterB-Ethernet1/1] quit
11. Configure a static route to subnet 10.1.1.0/24.
[RouterB] ip route-static 10.1.1.0 255.255.255.0 1.1.1.1
Verifying the configuration
When traffic between subnet 10.1.1.0/24 and subnet 10.1.2.0/24 goes through Router A and Router
B, IKEv2 negotiation should be triggered. You can check whether the configurations on the routers
are as expected and whether the expected IKEv2 SAs and IPsec SAs have been established.
Take Router A as an example:
# Display the IKEv2 proposal configuration information.
[RouterA] display ikev2 proposal
IKEv2 proposal : proposal_a
Encryption
Integrity
PRF
DH Group
IKEv2 proposal : default
Encryption
Integrity
PRF
DH Group
# Display the IKEv2 profile configuration information.
[RouterA] display ikev2 profile
IKEv2 profile
Match
Identity
Auth type
Keyring
Sign domain
Verify domain : domain_b
: AES-CBC-192
: MD5
: MD5
: MODP1024/Group 2
: AES-CBC-128
3DES-CBC
: SHA1
MD5
: SHA1
MD5
: MODP1536/Group 5
MODP1024/Group 2
: profile_a
: match address local interface Ethernet1/1
: identity local dn
: authentication local rsa-sig
authentication remote pre-share
authentication remote rsa-sig
:
: domain_a
238