Huawei S9700 Series Configuration Manual page 145

S9700 Core Routing Switch
Configuration Guide - SPU
[SPU] ipsec proposal tran1
[SPU-ipsec-proposal-tran1] encapsulation-mode tunnel
[SPU-ipsec-proposal-tran1] transform esp
[SPU-ipsec-proposal-tran1] esp encryption-algorithm des
[SPU-ipsec-proposal-tran1] esp authentication-algorithm sha1
[SPU-ipsec-proposal-tran1] quit
Run the display ipsec proposal command on the SPUs of SwitchA and SwitchB to view the
configuration of the IPSec proposals. The output on the SPU of SwitchA is shown as an example.
[SPU] display ipsec proposal
Number of Proposals: 1
IPsec Proposal Name: tran1
Encapsulation mode: Tunnel
Transform         : esp-new
ESP protocol      : Authentication SHA1-HMAC-96
                    Encryption     DES
Step 5 Create IPSec policies on the SPUs of SwitchA and SwitchB.
# Configure an IPSec policy on the SPU of SwitchA.
[SPU] ipsec policy map1 10 manual
[SPU-ipsec-policy-manual-map1-10] security acl 3101
[SPU-ipsec-policy-manual-map1-10] proposal tran1
[SPU-ipsec-policy-manual-map1-10] tunnel remote 202.38.162.1
[SPU-ipsec-policy-manual-map1-10] tunnel local 202.38.163.1
[SPU-ipsec-policy-manual-map1-10] sa spi outbound esp 12345
[SPU-ipsec-policy-manual-map1-10] sa spi inbound esp 54321
[SPU-ipsec-policy-manual-map1-10] sa string-key outbound esp abcdefg
[SPU-ipsec-policy-manual-map1-10] sa string-key inbound esp gfedcba
[SPU-ipsec-policy-manual-map1-10] quit
# Configure an IPSec policy on the SPU of SwitchB.
[SPU] ipsec policy use1 10 manual
[SPU-ipsec-policy-manual-use1-10] security acl 3101
[SPU-ipsec-policy-manual-use1-10] proposal tran1
[SPU-ipsec-policy-manual-use1-10] tunnel remote 202.38.163.1
[SPU-ipsec-policy-manual-use1-10] tunnel local 202.38.162.1
[SPU-ipsec-policy-manual-use1-10] sa spi outbound esp 54321
[SPU-ipsec-policy-manual-use1-10] sa spi inbound esp 12345
[SPU-ipsec-policy-manual-use1-10] sa string-key outbound esp gfedcba
[SPU-ipsec-policy-manual-use1-10] sa string-key inbound esp abcdefg
[SPU-ipsec-policy-manual-use1-10] quit
Run the display ipsec policy command on the SPUs of SwitchA and SwitchB to view the
configuration of the IPSec policies. The output on the SPU of SwitchA is shown as an example.
[SPU] display ipsec policy
===========================================
IPsec Policy Group: "map1"
Using interface: {XGigabitEthernet0/0/1.1}
===========================================
SequenceNumber: 10
Security data flow: 3101
Tunnel local address: 202.38.163.1
Tunnel remote address: 202.38.162.1
Proposal name:tran1
Inbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Inbound ESP setting:
ESP SPI: 54321 (0xd431)
ESP string-key: gfedcba
ESP encryption hex key:

4 IPSec Configuration
Issue 01 (2012-03-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
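
The Step 5 policies are manual, so the tunnel comes up only if each peer's outbound SPI, outbound key and local tunnel address equal the other peer's inbound SPI, inbound key and remote tunnel address. The Python check below is an added example, not part of the Huawei manual: it verifies that mirroring for the commands shown above and also reports the proposal's use of DES, whose 56-bit key is too short to protect confidentiality. The names parse, audit and PAIRS are hypothetical, and it assumes the commands were copied from both peers with the prompts removed.

```python
import re

# Commands from the page, prompts removed; same proposal assumed on both peers.
PROPOSAL = "esp encryption-algorithm des\nesp authentication-algorithm sha1\n"
SWITCH_A = PROPOSAL + """tunnel remote 202.38.162.1
tunnel local 202.38.163.1
sa spi outbound esp 12345
sa spi inbound esp 54321
sa string-key outbound esp abcdefg
sa string-key inbound esp gfedcba
"""
SWITCH_B = PROPOSAL + """tunnel remote 202.38.163.1
tunnel local 202.38.162.1
sa spi outbound esp 54321
sa spi inbound esp 12345
sa string-key outbound esp gfedcba
sa string-key inbound esp abcdefg
"""
# Manual SAs are not negotiated: (setting, side on A, side that must match on B).
PAIRS = [("tunnel", "local", "remote"), ("tunnel", "remote", "local"),
         ("sa spi", "outbound", "inbound"), ("sa spi", "inbound", "outbound"),
         ("sa string-key", "outbound", "inbound"),
         ("sa string-key", "inbound", "outbound")]
LINE = re.compile(r"(tunnel|sa spi|sa string-key|esp encryption-algorithm)"
                  r"(?: (local|remote|inbound|outbound))?(?: esp)? (\S+)$")

def parse(cfg):
    """Map (setting, direction) -> value for one peer's commands."""
    found = {}
    for line in cfg.splitlines():
        m = LINE.match(line.strip())
        if m:
            found[(m[1], m[2])] = m[3]
    return found

def audit(cfg_a, cfg_b):
    """List manual-SA values that do not mirror, and any use of single DES."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    for setting, side_a, side_b in PAIRS:
        va, vb = a.get((setting, side_a)), b.get((setting, side_b))
        if va is None or va != vb:
            findings.append(f"mismatch: A {setting} {side_a}={va}, B {setting} {side_b}={vb}")
    for peer, cfg in (("A", a), ("B", b)):
        if cfg.get(("esp encryption-algorithm", None)) == "des":
            findings.append(f"weak: {peer} encrypts ESP with single DES")
    return findings

print(audit(SWITCH_A, SWITCH_B))
```

For the page's configuration the mirroring checks pass and the only findings are the two DES entries.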
