Implementing IPSec Network Security on Cisco IOS XR Software
Configuration Examples for an IPSec Network with a Cisco IPSec VPN SPA
SC-142
Cisco IOS XR System Security Configuration Guide
Configuring a Static Profile and Attaching to Transport: Example
The following example shows a minimal IPSec configuration in which a static profile is created and
attached to a transport.
An IPSec access list named sample3 defines which traffic to protect:
ipv4 access-list sample3 permit ip 10.0.0.0 0.0.0.255 10.2.2.0 0.0.0.255
A transform set defines how the traffic is protected. In this example, transform set myset1 uses DES
encryption and SHA for data packet authentication:
crypto ipsec transform-set myset1
transform esp-des esp-sha
Another transform set example is myset2, which uses 3DES encryption and the MD5 (HMAC variant)
for data packet authentication:
crypto ipsec transform-set myset2
transform esp-3des esp-md5-hmac
A crypto profile named toRemoteSite is created and joins the IPSec access list and transform set:
crypto ipsec profile toRemoteSite
match sample3 transform-set myset2
end
The toRemoteSite profile is applied to a transport:
crypto ipsec transport
profile toRemoteSite
end
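The two fragments above wire an access list and a transform set into a profile, and the profile into the transport; a dangling reference or a legacy algorithm in that chain is easy to miss by eye. The following audit script is an added example (not Cisco's code, and not from this guide): it parses the IOS XR fragments shown above and reports profiles that reference undefined access lists or transform sets, and transform sets that use algorithms the script's own policy list treats as weak (DES, 3DES, MD5 HMAC). The weak-algorithm list and the joined sample configuration are assumptions constructed for the example.

```python
import re

# Constructed sample: the IOS XR fragments from this section joined into one config.
SAMPLE_CONFIG = """\
ipv4 access-list sample3 permit ip 10.0.0.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto ipsec transform-set myset1
 transform esp-des esp-sha
crypto ipsec transform-set myset2
 transform esp-3des esp-md5-hmac
crypto ipsec profile toRemoteSite
 match sample3 transform-set myset2
crypto ipsec transport
 profile toRemoteSite
"""

# Assumption: this is the auditor's own policy for "weak", not a Cisco default.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}

def parse_ipsec_config(text):
    """Collect access-list names, transform sets and profile matches from a fragment."""
    acls, transform_sets, profiles = set(), {}, {}
    current = None  # (kind, name) of the submode we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "end":
            continue
        if line.startswith("ipv4 access-list "):
            acls.add(line.split()[2])
        elif line.startswith("crypto ipsec transform-set "):
            current = ("ts", line.split()[3])
            transform_sets[current[1]] = []
        elif line.startswith("crypto ipsec profile "):
            current = ("profile", line.split()[3])
            profiles[current[1]] = []
        elif line.startswith("transform ") and current and current[0] == "ts":
            transform_sets[current[1]].extend(line.split()[1:])
        elif line.startswith("match ") and current and current[0] == "profile":
            m = re.match(r"match (\S+) transform-set (\S+)", line)
            if m:
                profiles[current[1]].append((m.group(1), m.group(2)))
        else:
            current = None  # any other top-level line leaves the submode
    return acls, transform_sets, profiles

def audit(text):
    """Return findings: dangling references and weak algorithms reachable from a profile."""
    acls, transform_sets, profiles = parse_ipsec_config(text)
    findings = []
    for prof, matches in profiles.items():
        for acl, ts in matches:
            if acl not in acls:
                findings.append(f"profile {prof}: access list {acl} is not defined")
            if ts not in transform_sets:
                findings.append(f"profile {prof}: transform-set {ts} is not defined")
                continue
            for alg in transform_sets[ts]:
                if alg in WEAK_TRANSFORMS:
                    findings.append(f"profile {prof}: transform-set {ts} uses weak {alg}")
    return findings
```

Run against the sample, the audit flags both algorithms of myset2 because toRemoteSite selects it; myset1 is defined but unreferenced, so it produces no finding.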
Configuration Examples for an IPSec Network with a Cisco IPSec VPN SPA
This section provides the following configuration examples:
• Configuring IPSec for a VRF-aware Service-ipsec Interface: Example, page SC-142
• Configuring a Service-gre Interface: Example, page SC-145
Configuring IPSec for a VRF-aware Service-ipsec Interface: Example
The following example shows an IPSec configuration for a VRF-aware service-ipsec interface with a
crypto IPSec profile that uses reverse route injection (RRI).
The service-ipsec interface is number 1 (interface service-ipsec 1) and belongs to the customer_1 VRF.
The front-door VRF (FVRF) is the global (default) VRF. Cleartext traffic arrives from the customer_1 VRF
with source 100.0.1.0/24 and destination 30.0.1.0/24; it is encrypted and forwarded into the global VRF.
In the reverse direction, traffic from 30.0.1.0/24 destined to 100.0.1.0/24 is encrypted at the remote
site or host and decrypted on this router.
Configuring VRF
vrf customer_1
address-family ipv4 unicast