H3C Technologies H3C S12500-X Series Switches User Manual

145

Figure 43 Network diagram

472B

Configuration procedure

1.

Configure Switch A:
# Configure an IP address for VLAN-interface 1.

system-view

[SwitchA] interface vlan-interface 1

[SwitchA-Vlan-interface1] ip address 2.2.2.1 255.255.255.0

[SwitchA-Vlan-interface1] quit

# Define an ACL to identify data flows between Switch A and Switch B.

[SwitchA] acl number 3101

[SwitchA-acl-adv-3101] rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0

[SwitchA-acl-adv-3101] quit

# Create an IPsec transform set named tran1.

[SwitchA] ipsec transform-set tran1

# Specify the encapsulation mode as tunnel.

[SwitchA-ipsec-transform-set-tran1] encapsulation-mode tunnel

# Specify the security protocol as ESP.

[SwitchA-ipsec-transform-set-tran1] protocol esp

# Specify the ESP encryption and authentication algorithms.

[SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-192

[SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[SwitchA-ipsec-transform-set-tran1] quit

# Create a manual IPsec policy entry, with the policy name map1 and sequence number 10.

[SwitchA] ipsec policy map1 10 manual

# Apply ACL 3101.

[SwitchA-ipsec-policy-manual-map1-10] security acl 3101

# Apply the IPsec transform set tran1.

[SwitchA-ipsec-policy-manual-map1-10] transform-set tran1

# Specify the remote IP address of the IPsec tunnel as 2.2.3.1.

[SwitchA-ipsec-policy-manual-map1-10] remote-address 2.2.3.1

# Configure inbound and outbound SPIs for ESP.

[SwitchA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345

[SwitchA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321

# Configure the inbound and outbound SA keys for ESP.

[SwitchA-ipsec-policy-manual-map1-10] sa string-key outbound esp simple abcdefg

[SwitchA-ipsec-policy-manual-map1-10] sa string-key inbound esp simple gfedcba

[SwitchA-ipsec-policy-manual-map1-10] quit

# Apply the IPsec policy map1 to VLAN-interface 1.

[SwitchA] interface vlan-interface 1