Verification – H3C Technologies H3C SecPath F1000-E User Manual
Page 163

35
# Create an IPsec proposal named tran1, and set the encapsulation mode to transport mode, the security
protocol to ESP, the encryption algorithm to DES, and authentication algorithm to SHA1-HMAC-96.
[DeviceC] ipsec proposal tran1
[DeviceC-ipsec-proposal-tran1] encapsulation-mode transport
[DeviceC-ipsec-proposal-tran1] transform esp
[DeviceC-ipsec-proposal-tran1] esp encryption-algorithm des
[DeviceC-ipsec-proposal-tran1] esp authentication-algorithm sha1
[DeviceC-ipsec-proposal-tran1] quit
# Create an IPsec policy named policy001, specify the manual mode for it, and configure the SPIs of the
inbound and outbound SAs as 123456, and the keys for the inbound and outbound SAs using ESP as
abcdefg.
[DeviceC] ipsec policy policy001 10 manual
[DeviceC-ipsec-policy-manual-policy001-10] proposal tran1
[DeviceC-ipsec-policy-manual-policy001-10] sa spi outbound esp 12345
[DeviceC-ipsec-policy-manual-policy001-10] sa spi inbound esp 12345
[DeviceC-ipsec-policy-manual-policy001-10] sa string-key outbound esp abcdefg
[DeviceC-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg
[DeviceC-ipsec-policy-manual-policy001-10] quit
# Apply IPsec policy policy001 to the RIPng process.
[DeviceC] ripng 1
[DeviceC-ripng-1] ipsec-policy policy001
[DeviceC-ripng-1] quit
Verification
After above configuration, Device A, Device B, and Device C learn IPv6 routing information through
RIPng. SAs are set up successfully, and the IPsec tunnel between two peers is up for protecting the RIPng
packets.
Using the display ripng command on Device A, you will see the running status and configuration
information of the specified RIPng process. The output shows that IPsec policy policy001 is applied to this
process successfully.
RIPng process : 1
Preference : 100
Checkzero : Enabled
Default Cost : 0
Maximum number of balanced paths : 8
Update time : 30 sec(s) Timeout time : 180 sec(s)
Suppress time : 120 sec(s) Garbage-Collect time : 120 sec(s)
Number of periodic updates sent : 186
Number of trigger updates sent : 1
IPsec policy name: policy001, SPI: 12345
Using the display ipsec sa command on Device A, you will see the information about the inbound and
outbound SAs.
===============================
Protocol: RIPng
===============================