HP 12500 Series Configuration Manual page 181

rule 0 permit ip source 1.1.2.0 0.0.0.255 destination 3.3.3.0 0.0.0.255
rule 1 deny ip
#
ipsec policy test 1 isakmp
security acl 3000
ike-peer aa
proposal 1
#
ipsec policy test 2 isakmp
security acl 3001
ike-peer bb
proposal 1
Configure Switch B:
acl number 3001
rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.2.0 0.0.0.255
rule 1 deny ip
#
ipsec policy test 1 isakmp
security acl 3001
ike-peer aa
proposal 1
Configuring ACL rules
To make sure that SAs can be set up and the traffic protected by IPsec can be processed correctly at the
remote peer, on the remote peer, create a mirror image ACL rule for each ACL rule created at the local
peer. As shown in Figure 62, ACL rules on Switch B are mirror images of the rules on Switch A. This makes
sure that SAs can be created successfully for the traffic between Host A and Host C and the traffic
between Network 1 and Network 2.

Figure 62 Mirror image ACLs
[Figure: Host A (1.1.1.1), Network 1 (1.1.1.0/24) and Host B on the Switch A side (GE3/0/1); Host C (2.2.2.2),
Network 2 (2.2.2.0/24) and Host D on the Switch B side (GE3/0/2); an IP network between the two switches.
Mirror image ACLs at Switch A GE3/0/1 and Switch B GE3/0/2:
  Switch A   ACL1: rule permit 1.1.1.1 -> 2.2.2.2   ACL2: rule permit 1.1.1.0/24 -> 2.2.2.0/24
  Switch B   ACL1: rule permit 2.2.2.2 -> 1.1.1.1   ACL2: rule permit 2.2.2.0/24 -> 1.1.1.0/24]

If the ACL rules on peers do not form mirror images of each other, SAs can be set up only when both of
the following requirements are met:
• The range specified by an ACL rule on one peer is covered by its counterpart ACL rule on the other
  peer. As shown in Figure 63, the range specified by the ACL rule configured on Switch A is covered
  by its counterpart on Switch B.
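The following is an added example, not part of the HP manual: a small Python checker that parses the address/wildcard form used in the ACL rules above and reports, for each local permit rule, whether the remote peer holds an exact mirror image, a wider counterpart that covers it, or nothing at all. The sample ACLs are constructed from the Switch A and Switch B ACL 3001 rules on this page, plus one constructed wider variant; the rule regex, function names and the assumption that wildcards are contiguous are mine.

```python
import ipaddress
import re

# Matches a Comware "rule N permit ip source A WC destination B WC" line; deny rules are ignored.
RULE_RE = re.compile(r"rule\s+(\d+)\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)")


def wildcard_to_network(addr, wildcard):
    """Turn an address/wildcard pair (1.1.2.0 0.0.0.255) into an IPv4Network.
    Assumes a contiguous wildcard, i.e. one that inverts to a valid netmask."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def parse_permit_rules(acl_text):
    """Return {rule_id: (source_net, destination_net)} for one ACL's permit rules."""
    return {int(m[1]): (wildcard_to_network(m[2], m[3]), wildcard_to_network(m[4], m[5]))
            for m in RULE_RE.finditer(acl_text)}


def check_peer_acls(local_acl, remote_acl):
    """Classify each local permit rule against the remote peer's ACL:
    'mirror'  - the remote has the exact mirror image (source and destination swapped)
    'covered' - the remote's counterpart is wider and covers the local range
    'missing' - nothing on the remote protects the return traffic, so the SA cannot be set up"""
    local, remote = parse_permit_rules(local_acl), parse_permit_rules(remote_acl)
    result = {}
    for rid, (src, dst) in local.items():
        status = "missing"
        for r_src, r_dst in remote.values():
            if r_src == dst and r_dst == src:
                status = "mirror"
                break
            if dst.subnet_of(r_src) and src.subnet_of(r_dst):
                status = "covered"
        result[rid] = status
    return result


# Constructed from the Switch A / Switch B ACL 3001 rules shown on this page.
SWITCH_A_ACL_3001 = """acl number 3001
rule 0 permit ip source 1.1.2.0 0.0.0.255 destination 3.3.3.0 0.0.0.255
rule 1 deny ip"""
SWITCH_B_ACL_3001 = """acl number 3001
rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.2.0 0.0.0.255
rule 1 deny ip"""
# Constructed variant: Switch B's counterpart covers a wider range (1.1.0.0/16) than Switch A's rule.
SWITCH_B_WIDER = """acl number 3001
rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.0.0 0.0.255.255
rule 1 deny ip"""

if __name__ == "__main__":
    print(check_peer_acls(SWITCH_A_ACL_3001, SWITCH_B_ACL_3001))  # {0: 'mirror'}
    print(check_peer_acls(SWITCH_A_ACL_3001, SWITCH_B_WIDER))  # {0: 'covered'}
```

Run the check in the other direction too (wider peer as local, narrower as remote) and the wider rule reports 'missing', which is exactly the case the coverage requirement rules out.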