Cisco IOS XR

Implementing IPSec Network Security on Cisco IOS XR Software
Configuration Examples for an IPSec Network with a Cisco IPSec VPN SPA
SC-142
Cisco IOS XR System Security Configuration Guide
Configuring a Static Profile and Attaching to Transport: Example
The following example shows a minimal IPSec configuration in which a static profile is created and
attached to a transport.
An IPSec access list named sample3 defines which traffic to protect:
ipv4 access-list sample3 permit ip 10.0.0.0 0.0.0.255 10.2.2.0 0.0.0.255
A transform set defines how the traffic is protected. In this example, transform set myset1 uses DES
encryption and SHA for data packet authentication:
crypto ipsec transform-set myset1
 transform esp-des esp-sha
Another transform set example is myset2, which uses 3DES encryption and the MD5 (HMAC variant)
for data packet authentication:
crypto ipsec transform-set myset2
 transform esp-3des esp-md5-hmac
A crypto profile named toRemoteSite is created and joins the IPSec access list and transform set:
crypto ipsec profile toRemoteSite
 match sample3 transform-set myset2
end
The toRemoteSite profile is applied to a transport:
crypto ipsec transport
 profile toRemoteSite
end
Configuration Examples for an IPSec Network with a Cisco IPSec VPN SPA
This section provides the following configuration examples:
Configuring IPSec for a VRF-aware Service-ipsec Interface: Example, page SC-142
Configuring a Service-gre Interface: Example, page SC-145
Configuring IPSec for a VRF-aware Service-ipsec Interface: Example
The following example shows an IPSec configuration of a VRF-aware service-ipsec interface with a
crypto IPSec profile that uses RRI.
The interface service-ipsec command is set to 1, and the interface is part of the customer_1 VRF. The
FVRF (front-door VRF) is the global (default) VRF. Clear traffic from the customer_1 VRF with a source
IP address in 100.0.1.0/24 and destined to 30.0.1.0/24 is encrypted and sent over the global VRF. In the
reverse direction, traffic from 30.0.1.0/24 destined to 100.0.1.0/24 is encrypted on the remote site or
host and decrypted on the router.
Configuring VRF
vrf customer_1
 address-family ipv4 unicast
