Cisco IOS XR User Manual

Implementing IPSec Network Security on Cisco IOS XR Software
How to Implement IPSec Network Security for Locally Sourced and Destined Traffic
SC-130
Cisco IOS XR System Security Configuration Guide
Be sure to define which packets to protect. If you must use the any keyword in a permit statement, you
must preface that statement with a series of deny statements to filter any traffic (that would otherwise
fall within that permit statement) that you do not want to be protected.
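
The ordering rule above, shown as an added example that is not part of the Cisco guide: a first-match evaluator showing why deny entries must come before a permit that uses any. The ACL entries, addresses and function names are constructed for illustration, and the parser assumes only the `SEQ permit|deny ipv4 SRC DST` entry form.

```python
import ipaddress

# Constructed crypto ACL entries in IOS XR ipv4 access-list syntax (example addresses).
SAMPLE_ACL = """\
10 deny ipv4 10.0.0.0 0.0.0.255 192.0.2.0 0.0.0.255
20 deny ipv4 host 10.0.1.5 any
30 permit ipv4 any any
"""

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as integers."""
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(head)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'SEQ permit|deny ipv4 SRC DST' lines; entries are ordered by sequence number."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if len(tokens) < 5 or tokens[1] not in ("permit", "deny") or tokens[2] != "ipv4":
            raise ValueError(f"unsupported entry: {line!r}")
        rest = tokens[3:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        entries.append((int(tokens[0]), tokens[1], src, dst))
    return sorted(entries)

def _matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def is_protected(entries, src, dst):
    """First matching entry decides: permit = protected by IPSec, deny = not protected."""
    for _seq, action, src_spec, dst_spec in entries:
        if _matches(src, src_spec) and _matches(dst, dst_spec):
            return action == "permit"
    return False  # no entry matched (implicit deny): traffic is not protected

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for s, d in [("10.0.0.7", "192.0.2.9"), ("10.0.2.1", "192.0.2.9")]:
        print(s, "->", d, "protected" if is_protected(acl, s, d) else "not protected")
```

If the permit entry is given a lower sequence number than the deny entries, every packet matches it first and the deny entries never take effect.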
Applying Crypto Profiles to tunnel-ipsec Interfaces
This task applies a crypto IPsec profile to a tunnel-ipsec interface.
You must apply a crypto profile to each tunnel-ipsec interface through which IPSec traffic flows.
Applying the crypto profile set to a tunnel-ipsec interface instructs the router to evaluate all the
interface’s traffic against the crypto profile set and to use the specified policy during connection or SA
negotiation on behalf of traffic to be protected by crypto.
SUMMARY STEPS
1. configure
2. interface tunnel-ipsec interface-number
3. profile profile-name
4. tunnel source ip-address
5. tunnel destination ip-address
6. end
or
commit
DETAILED STEPS

Step 1
Command or Action: configure
Example:
RP/0/RP0/CPU0:router# configure
Purpose: Enters global configuration mode.

Step 2
Command or Action: interface tunnel-ipsec interface-number
Example:
RP/0/RP0/CPU0:router(config)# interface tunnel-ipsec 0
Purpose: Identifies the IPSec interface to which the crypto profile is attached.
You can use the interface tunnel-ipsec command to enter tunnel-ipsec interface configuration mode.

Step 3
Command or Action: profile profile-name
Example:
RP/0/RP0/CPU0:router(config-if)# profile sample1
Purpose: Specifies the crypto profile to use in IPSec processing.
The same crypto profile cannot be shared in different IPSec modes.

Step 4
Command or Action: tunnel source ip-address
Example:
RP/0/RP0/CPU0:router(config-if)# tunnel source 10.0.0.2
Purpose: Specifies the tunnel source IP address.
This command is required for both static and dynamic profiles.