HP 10500 Series Configuration Manual page 316

Security configuration guide

- The remote IP address configured on the local end must be the same as the IP address of the remote end.
- At each end, configure parameters for both the inbound SA and the outbound SA and make sure that different SAs use different SPIs.
- The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and remote inbound SA.
- The keys for the local and remote inbound and outbound SAs must be in the same format. For example, if the local inbound SA uses a key in characters, the local outbound SA and remote inbound and outbound SAs must use keys in characters.
Before you configure a manual IPsec policy, configure ACLs used for identifying protected traffic and
IPsec transform sets.
To configure a manual IPsec policy:
1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a manual IPsec policy and enter its view.
   Command: ipsec policy policy-name seq-number manual
   Remarks: By default, no IPsec policy exists.

3. Assign an ACL to the IPsec policy.
   Command: security acl acl-number
   Remarks: Required. The ACL supports match criteria of the VPN attribute. An IPsec policy can reference only one ACL. If you apply multiple ACLs to an IPsec policy, only the last one takes effect.

4. Assign an IPsec transform set to the IPsec policy.
   Command: transform-set transform-set-name
   Remarks: By default, an IPsec policy references no IPsec transform set. A manual IPsec policy can reference only one IPsec transform set. To change an IPsec transform set for an IPsec policy, you must remove the reference first.

5. Configure the local address of the IPsec tunnel.
   Command: tunnel local ip-address
   Remarks: Required. Not configured by default.

6. Configure the remote address of the IPsec tunnel.
   Command: tunnel remote ip-address
   Remarks: Required. Not configured by default.

7. Configure an SPI for an SA.
   Command: sa spi { inbound | outbound } { ah | esp } spi-number
   Remarks: By default, no SPI is configured.
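
The pairing rules above can be checked offline before two manual policies are deployed. The following is an added example, not part of the HP manual: it parses only the tunnel and sa spi commands shown in the procedure and reports mismatches between two peers. The helper names (parse_policy, check_pair), policy names, addresses and SPI values are assumptions made for illustration, and keys are not checked because the key commands are not on this page.

```python
import re

# Added example: constructed sample configs; all names and values are hypothetical.
ROUTER_A = """
ipsec policy map1 10 manual
 security acl 3101
 transform-set tran1
 tunnel local 192.0.2.1
 tunnel remote 192.0.2.2
 sa spi outbound esp 12345
 sa spi inbound esp 54321
"""
ROUTER_B = """
ipsec policy use1 10 manual
 security acl 3101
 transform-set tran1
 tunnel local 192.0.2.2
 tunnel remote 192.0.2.1
 sa spi outbound esp 54321
 sa spi inbound esp 12345
"""

def parse_policy(text):
    """Extract tunnel endpoints and SPIs from one manual IPsec policy."""
    policy = {"local": None, "remote": None, "spi": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"tunnel (local|remote) (\S+)", line):
            policy[m.group(1)] = m.group(2)
        elif m := re.fullmatch(r"sa spi (inbound|outbound) (ah|esp) (\d+)", line):
            policy["spi"][(m.group(1), m.group(2))] = int(m.group(3))
    return policy

def check_pair(a_text, b_text):
    """Return a list of violations of the manual-policy pairing rules."""
    a, b = parse_policy(a_text), parse_policy(b_text)
    problems = []
    for name, me, peer in (("A", a, b), ("B", b, a)):
        if me["remote"] is None or me["remote"] != peer["local"]:
            problems.append(f"{name}: tunnel remote {me['remote']} != peer tunnel local {peer['local']}")
        spis = list(me["spi"].values())
        if len(spis) != len(set(spis)):
            problems.append(f"{name}: the same SPI is used by more than one SA")
        for proto in ("ah", "esp"):
            inbound = me["spi"].get(("inbound", proto))
            outbound = peer["spi"].get(("outbound", proto))
            if inbound != outbound:
                problems.append(f"{name}: inbound {proto} SPI {inbound} != peer outbound {proto} SPI {outbound}")
    return problems
```

An empty list from check_pair(ROUTER_A, ROUTER_B) means the two policies mirror each other as required.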
