HP VSR1000: How to configure an IPsec tunnel

This posting is ~6 years old. Keep this in mind: IT is a short-lived business, and this information might be outdated.

One possible use case for the HP VSR1000 is to build IPsec tunnels for secure data transfer. In this post I will show you how to configure an IPsec tunnel between two HP VSR1000s. If you need a short introduction to the VSR1000, feel free to take a look at this article.

The experimental setup

We have two server VMs (in this case Windows Server 2008 R2 with SP1) and two HP VSR1000 Virtual Services Routers. To keep it simple I added a vSwitch without uplinks to my ESXi host at home. This vSwitch has three port groups: one for each site and one for the WAN. Each VSR1000 is connected to its site port group and to the WAN port group, while each server VM is connected only to its site port group. The WAN port group simulates the WAN link, but in reality the WAN can be anything. Here is a screenshot of the ESXi vSwitch and port group configuration, as well as the logical setup.

[Screenshot: ESXi vSwitch and port group configuration. Patrick Terlisten / www.vcloudnine.de / Creative Commons CC0]

[Figure: logical setup of the two sites and the WAN. Patrick Terlisten / www.vcloudnine.de / Creative Commons CC0]

Site A uses the subnet Site B uses the subnet The subnet is used on the WAN side. The IP addressing looks like this:

Site A
Site B

The VSR1000 runs HP Comware 7.1, so the IPsec configuration may differ from Comware 5.

The configuration

I’ve described the initial configuration of a VSR in this article, so this post focuses on the configuration of the IPsec tunnel itself. First of all we need to configure the interfaces. On VSR1 (the first router):

And on VSR2 (the second router):

Sure, we could set up a small single-area OSPF, but for now static routing is sufficient. These two routes, one on each router, point the subnet of the other site at the peer’s WAN address, so the traffic leaves through the WAN interface where the IPsec policy will be applied. There is currently no default route (gateway of last resort). On VSR1:

And on VSR2:

I will show you how to configure an ACL-based IPsec tunnel. This happens in three steps:

  • Create an ACL
  • Create an IPsec policy
  • Apply the policy to an interface

The first step is to configure the ACLs. They determine which traffic should be protected. The ACL number 3000 makes this an advanced ACL (ACL numbers 3000 to 3999). The ACL consists of multiple rules, in this case two rules and a comment. The rules permit all IP traffic from the Site A subnet to the Site B subnet (and vice versa). Keep in mind what "permit" and "deny" mean in an ACL referenced by an IPsec policy: a permit rule marks traffic to be protected by IPsec; a deny rule, or no matching rule, does not drop the packet but only excludes it from the tunnel, so it is forwarded unprotected if a route for it exists. In this lab nothing else is routed, but in production the ACL must cover every flow that needs protection. The ACLs on the two routers must be mirror images of each other. On VSR1:

And on VSR2:

The next steps are to configure the transform set, the keychain, an IKE profile and an IPsec policy. The transform set is part of the IPsec policy and defines the security parameters for the IPsec SA negotiation: the security protocol (AH or ESP), the encapsulation mode, and the encryption and authentication algorithms. Because this is a site-to-site VPN, the encapsulation mode "tunnel" is used. Choose ESP with AES and a SHA-2 authentication algorithm; DES, 3DES and MD5 should not be used for new tunnels. Note that the steps below do not define an IKE proposal, so the IKE (phase 1) negotiation uses the router’s default proposal. Check it with "display ike proposal" and, if it still uses DES or DH group 1, configure an explicit IKE proposal with AES, SHA-2 and DH group 14 or higher and reference it from the IKE profile. On VSR1:

And on VSR2:

Now the keychain is configured. The keychain holds the pre-shared key for the peer. The pre-shared key is the only thing that authenticates the two routers to each other, so use a long random key and treat it like a password. On VSR1:

And on VSR2:

The pre-shared key is displayed encrypted in the configuration, even if it was entered here in plain text. The next step is to configure the IKE profile. In this example it’s simply called "1"; you can give it another name if you like. The IKE profile links the identity of the remote VSR (its WAN address) to the keychain. On VSR1:

And on VSR2:

Now the second step (creating an IPsec policy) comes to an end. The IPsec policy links the transform set, the IKE profile and the ACL together. The 10 is the sequence number; you can choose another sequence number if you like, and you can also choose another name. I named my policy "policy1". On VSR1:

And on VSR2:

The last step is to apply the IPsec policy to the WAN interface, i.e. the interface the traffic for the other site is routed out of. On VSR1:

And on VSR2:
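The complete three-step configuration for both routers, as an added example. This is not the configuration from the original post: the addressing plan (Site A 10.0.1.0/24, Site B 10.0.2.0/24, WAN 203.0.113.0/24), the interface names, the object names and the pre-shared key are all assumptions. It also includes two things the steps above do not show, an explicit IKE proposal and the mirror-image configuration on VSR2.

```text
# Added example, not the original post's configuration. Assumed addressing plan:
#   Site A LAN 10.0.1.0/24  - VSR1 GigabitEthernet1/0 = 10.0.1.1
#   Site B LAN 10.0.2.0/24  - VSR2 GigabitEthernet1/0 = 10.0.2.1
#   WAN 203.0.113.0/24      - VSR1 GigabitEthernet2/0 = 203.0.113.1, VSR2 = 203.0.113.2
# Object names (3000, ts1, kc1, profile 1, policy1) and the PSK are assumptions too.
# Lines starting with "#" are comments added for this example.
#
# ============ VSR1 (Site A) ============
system-view
interface GigabitEthernet1/0
 ip address 10.0.1.1 255.255.255.0
interface GigabitEthernet2/0
 ip address 203.0.113.1 255.255.255.0
 quit
# Route the remote LAN via the peer's WAN address so the traffic leaves through the
# interface that will carry the IPsec policy. No default route, on purpose.
ip route-static 10.0.2.0 24 203.0.113.2
#
# Step 1: advanced ACL (3000-3999) selecting the traffic to protect. "permit" means
# "protect with IPsec"; traffic matching no rule is not tunnelled (and not dropped).
# Older Comware 7.1 releases use "acl number 3000" instead of "acl advanced 3000".
acl advanced 3000
 description Site A to Site B
 rule 0 permit ip source 10.0.1.0 0.0.0.255 destination 10.0.2.0 0.0.0.255
 quit
#
# Step 2a: IKE (phase 1) proposal, defined explicitly so the tunnel does not depend
# on the device default (which may still be DES / SHA-1 / DH group 1).
ike proposal 1
 encryption-algorithm aes-cbc-256
 authentication-algorithm sha256
 dh group14
 quit
# Step 2b: transform set (phase 2): ESP, tunnel mode, AES-256, SHA-256, PFS.
ipsec transform-set ts1
 protocol esp
 encapsulation-mode tunnel
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha256
 pfs dh-group14
 quit
# Step 2c: keychain with the pre-shared key for this peer. Use a long random key;
# the router stores and displays it as cipher text even when entered as "simple".
ike keychain kc1
 pre-shared-key address 203.0.113.2 255.255.255.255 key simple ReplaceWithALongRandomKey
 quit
# Step 2d: IKE profile: which peer (its WAN address), which keychain, which proposal.
ike profile 1
 keychain kc1
 local-identity address 203.0.113.1
 match remote identity address 203.0.113.2 255.255.255.255
 proposal 1
 quit
# Step 2e: IPsec policy entry 10 ties ACL, transform set, peer and IKE profile together.
ipsec policy policy1 10 isakmp
 security acl 3000
 transform-set ts1
 remote-address 203.0.113.2
 ike-profile 1
 quit
#
# Step 3: apply the policy to the WAN interface.
interface GigabitEthernet2/0
 ipsec apply policy policy1
 quit
#
# ============ VSR2 (Site B): the mirror image ============
# ike proposal 1 and ipsec transform-set ts1 are configured exactly as on VSR1.
system-view
interface GigabitEthernet1/0
 ip address 10.0.2.1 255.255.255.0
interface GigabitEthernet2/0
 ip address 203.0.113.2 255.255.255.0
 quit
ip route-static 10.0.1.0 24 203.0.113.1
acl advanced 3000
 description Site B to Site A
 rule 0 permit ip source 10.0.2.0 0.0.0.255 destination 10.0.1.0 0.0.0.255
 quit
ike keychain kc1
 pre-shared-key address 203.0.113.1 255.255.255.255 key simple ReplaceWithALongRandomKey
 quit
ike profile 1
 keychain kc1
 local-identity address 203.0.113.2
 match remote identity address 203.0.113.1 255.255.255.255
 proposal 1
 quit
ipsec policy policy1 10 isakmp
 security acl 3000
 transform-set ts1
 remote-address 203.0.113.1
 ike-profile 1
 quit
interface GigabitEthernet2/0
 ipsec apply policy policy1
 quit
```

Everything that is negotiated (proposal, transform set, PSK) has to be identical on both ends, while everything that describes a direction (ACL source/destination, remote-address, match remote identity, local-identity) is swapped. A mismatch in the ACLs is the most common reason for a phase 2 failure, so compare the two rule lines first when the tunnel does not come up.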

The result

Once traffic that matches the ACL is sent, the IPsec tunnel is established. You can verify this with this command:
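The checks I would run on VSR1 to trigger and verify the tunnel, as an added example (not the original post’s command or output). It assumes VSR1’s LAN address is 10.0.1.1, the Site B router’s LAN address is 10.0.2.1, the WAN address of VSR1 is 203.0.113.1 and the IPsec policy is named "policy1"; all of these are assumptions.

```text
# Added example, not the original post's command or output. Assumed: VSR1 LAN
# 10.0.1.1, VSR2 LAN 10.0.2.1, VSR1 WAN 203.0.113.1, IPsec policy "policy1".
#
# Trigger the tunnel from VSR1 itself. The source address must lie inside the ACL's
# source subnet: a ping sourced from the WAN address (203.0.113.1) matches no rule
# and would go out in the clear, proving nothing about the tunnel.
ping -a 10.0.1.1 -c 5 10.0.2.1
#
# IKE (phase 1) SA: the peer's WAN address should be listed with flag "RD" (ready).
display ike sa
display ike sa verbose
#
# IPsec (phase 2) SAs: one inbound and one outbound SA per flow, each with its SPI,
# the negotiated ESP algorithms and the ACL flow (10.0.1.0/24 <-> 10.0.2.0/24).
display ipsec sa
#
# Packet counters should rise while the ping runs; a rising dropped-packet count
# usually points at an ACL or route mismatch between the two routers.
display ipsec statistics
#
# Confirm that the policy entry really references the ACL and transform set.
display ipsec policy policy1
#
# After changing the ACL, transform set or key, tear the SAs down so they are
# renegotiated immediately instead of after the SA lifetime expires.
reset ipsec sa
reset ike sa
```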

That’s it!  :) If you are looking for more, take a look into the HP VSR1000 configuration guides. This is an 18 MB (!) PDF which covers all aspects of the VSR1000 and includes a lot of configuration examples.

Patrick Terlisten

2 thoughts on “HP VSR1000: How to configure an IPsec tunnel”

  1. Brian Crafton

    This is the best explanation of IPsec tunneling I have seen, and I have been looking for days now. This has me almost where I need to be. Could you explain how to add a 3rd site to this equation, i.e. a VSR3 tunneling back to VSR1 using the same GE interface on VSR1? Is this possible? Essentially this would be site to site, and I am needing to do site to multi-site over a single WAN connection at site 1. Sites 2 and 3 do not have to talk to each other.

    1. Patrick Terlisten (post author)

      Hi Brian. Adding a third site to my example is not hard. The pair site1 site2 is exactly what I have posted in my article. To add a third router, you simply have to create a second pair, in this case site1 site3. But remember: GRE tunnels are not used in my example! It’s IPsec.
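What the "second pair" on the hub looks like in Comware 7 terms, as an added example that is not part of the author’s reply. Assumptions: VSR1 is the hub with LAN 10.0.1.0/24 and WAN address 203.0.113.1; VSR3 has WAN address 203.0.113.3 and LAN 10.0.3.0/24; the existing Site B entries on VSR1 use ACL 3000, keychain kc1, IKE profile 1 and sequence 10 of an IPsec policy named "policy1", and an IKE proposal 1 and transform set ts1 already exist. All names and addresses are assumptions.

```text
# Added example, not the author's configuration. Extra lines on VSR1 (the hub) for a
# third site. Assumed: hub LAN 10.0.1.0/24, hub WAN 203.0.113.1, VSR3 WAN 203.0.113.3,
# Site C LAN 10.0.3.0/24; existing objects 3000, kc1, profile 1, policy1 seq 10,
# ike proposal 1 and transform-set ts1.
#
# A separate ACL for the Site A <-> Site C flow. Do not add the rule to ACL 3000:
# that ACL belongs to policy entry 10 and would send Site C traffic to VSR2.
acl advanced 3001
 description Site A to Site C
 rule 0 permit ip source 10.0.1.0 0.0.0.255 destination 10.0.3.0 0.0.0.255
 quit
# One keychain can hold several keys, one per peer address. Use a different PSK per
# spoke so that a compromised spoke cannot impersonate the other one.
ike keychain kc1
 pre-shared-key address 203.0.113.3 255.255.255.255 key simple AnotherLongRandomKeyForSiteC
 quit
# A second IKE profile that matches VSR3's identity.
ike profile 3
 keychain kc1
 local-identity address 203.0.113.1
 match remote identity address 203.0.113.3 255.255.255.255
 proposal 1
 quit
# Same policy name, new sequence number: an interface takes only one IPsec policy,
# but that policy can hold one entry per peer, so the WAN interface stays as it is.
ipsec policy policy1 20 isakmp
 security acl 3001
 transform-set ts1
 remote-address 203.0.113.3
 ike-profile 3
 quit
# Route Site C's LAN to VSR3's WAN address (policy1 is already applied to the WAN
# interface, so no interface change is needed).
ip route-static 10.0.3.0 24 203.0.113.3
#
# VSR3 is configured exactly like VSR2 in the two-site setup, with the Site C
# addresses: mirror ACL 10.0.3.0/24 -> 10.0.1.0/24, remote-address 203.0.113.1 and
# the Site C pre-shared key.
```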

