Cisco IOS XR

Implementing IPSec Network Security on Cisco IOS XR Software
Configuration Examples for Implementing IPSec Network Security for Locally Sourced Traffic and Destined Traffic
SC-141
Cisco IOS XR System Security Configuration Guide
A transform set defines how the traffic is protected. In this example, transform set myset1 uses Data
Encryption Standard (DES) encryption and Secure Hash Algorithm (SHA) for data packet
authentication:
crypto ipsec transform-set myset1
transform esp-des esp-sha
Another transform set example is myset2, which uses 3DES encryption and the Message Digest 5 (MD5)
(Hashed Message Authentication Code [HMAC] variant) algorithm for data packet authentication:
crypto ipsec transform-set myset2
transform esp-3des esp-md5-hmac
A crypto profile named toRemoteSite is created and joins the IPSec access list and transform set:
crypto ipsec profile toRemoteSite
match sample1 transform-set myset1
end
The toRemoteSite crypto profile is then applied to a tunnel-ipsec interface:
interface tunnel-ipsec0
profile toRemoteSite
tunnel source 10.0.0.2
tunnel destination 10.0.0.5
Configuring a Dynamic Profile and Attaching to a Tunnel-ipsec Interface: Example
The following example shows a minimal IPSec configuration where a dynamic crypto profile is created
and attached to a tunnel-ipsec interface.
An IPSec access list named sample2 defines which traffic to protect:
ipv4 access-list sample2 permit ip 10.0.0.0 0.0.0.255 10.2.2.0 0.0.0.255
A transform set defines how the traffic is protected. In this example, transform set myset2 uses DES
encryption and SHA for data packet authentication:
crypto ipsec transform-set myset2
transform esp-des esp-sha
Another transform set example is myset3, which uses 3DES encryption and MD5 (HMAC variant) for
data packet authentication:
crypto ipsec transform-set myset3
transform esp-3des esp-md5-hmac
A dynamic crypto profile named toRemoteSite is created and joins the IPSec access list and transform
set:
crypto ipsec profile toRemoteSite
match sample2 transform-set myset3
set type dynamic discover
end
The toRemoteSite profile is applied to a tunnel-ipsec interface:
interface tunnel-ipsec0
profile toRemoteSite
tunnel source 10.0.0.2
The tunnel destination is not required when the profile is dynamic.
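Added example, not part of the Cisco guide: a small offline check that reads configuration text in the form shown above and reports profiles that reference undefined access lists or transform sets, transform sets that use DES, 3DES or HMAC-MD5, and tunnel-ipsec interfaces whose profile is not dynamic but which have no tunnel destination. The names audit, WEAK and SAMPLE are hypothetical, the sample configuration is constructed, and the tunnel destination rule is an assumption taken as the converse of the closing remark above.

```python
# Weak ESP transforms as spelled on this page; ratings per RFC 8221
# (DES and HMAC-MD5 are MUST NOT, 3DES is SHOULD NOT).
WEAK = {"esp-des": "DES", "esp-3des": "3DES", "esp-md5-hmac": "HMAC-MD5"}
# Constructed sample: static profile with the tunnel destination left out.
SAMPLE = """\
ipv4 access-list sample1 permit ip 10.0.0.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto ipsec transform-set myset1
transform esp-des esp-sha
crypto ipsec profile toRemoteSite
match sample1 transform-set myset1
end
interface tunnel-ipsec0
profile toRemoteSite
tunnel source 10.0.0.2
"""

def audit(config):
    acls, tsets, profiles, ifaces = set(), {}, {}, {}
    kind, cur = None, None            # stanza currently being read
    for w in (line.split() for line in config.splitlines()):
        if w[:2] == ["ipv4", "access-list"] and len(w) > 2:
            acls.add(w[2])
        elif w[:3] == ["crypto", "ipsec", "transform-set"] and len(w) > 3:
            kind, cur = "tset", tsets.setdefault(w[3], [])
        elif w[:3] == ["crypto", "ipsec", "profile"] and len(w) > 3:
            kind, cur = "prof", profiles.setdefault(w[3], {"dynamic": False})
        elif w[:1] == ["interface"] and len(w) > 1:
            kind, cur = "if", ifaces.setdefault(w[1], {})
        elif kind == "tset" and w[:1] == ["transform"]:
            cur.extend(w[1:])
        elif kind == "prof" and w[:1] == ["match"] and len(w) == 4:
            cur.update(acl=w[1], tset=w[3])
        elif kind == "prof" and w[:3] == ["set", "type", "dynamic"]:
            cur["dynamic"] = True
        elif kind == "if" and w[:1] == ["profile"] and len(w) > 1:
            cur["profile"] = w[1]
        elif kind == "if" and w[:2] == ["tunnel", "destination"]:
            cur["dest"] = True
    out = []
    for name, p in profiles.items():
        if p.get("acl") not in acls:
            out.append(f"profile {name}: access list {p.get('acl')} is not defined")
        if p.get("tset") not in tsets:
            out.append(f"profile {name}: transform set {p.get('tset')} is not defined")
        out += [f"profile {name}: {t} ({WEAK[t]}) is a weak transform"
                for t in tsets.get(p.get("tset"), []) if t in WEAK]
    for name, i in ifaces.items():
        p = profiles.get(i.get("profile"))
        if p and not p["dynamic"] and "dest" not in i:
            out.append(f"{name}: static profile requires a tunnel destination")
    return out
```

Calling audit(SAMPLE) returns two findings: the esp-des transform in myset1 and the missing tunnel destination on tunnel-ipsec0.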
