
Cisco IOS XR

Implementing IPSec Network Security on Cisco IOS XR Software
Configuration Examples for an IPSec Network with a Cisco IPSec VPN SPA
SC-143
Cisco IOS XR System Security Configuration Guide
  import route-target
   100:1000
  !
  export route-target
   100:1000
  !
 !
!
Configuring ACL That Is Used by the IPSec Profile
ipv4 access-list acl1
 10 permit ipv4 100.0.1.0 0.0.0.255 30.0.1.0 0.0.0.255
!
Configuring the Service-ipsec Interface
interface service-ipsec1
 ! IVRF
 vrf customer_1
 ipv4 address 40.40.41.41 255.255.255.0
 ! the ipsec profile
 profile prof1
 tunnel source 4.0.1.1
 tunnel destination 5.0.1.1
 ! The IPSec SPA is located on 0/1/1 and the standby SPA on 0/2/0
 service-location preferred-active 0/1/1 preferred-standby 0/2/0
!
Configuring IKE
crypto isakmp
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 lifetime 86400
!
crypto keyring kr1 vrf default
 pre-shared-key address 5.0.1.1 255.255.255.255 key aBrAkAdAbRa
crypto isakmp profile a_prof
 keyring kr1
 match identity address 5.0.1.1/32 vrf default
 set interface service-ipsec1
!
Configuring IPSec
The following example shows that the transform-set is set to esp-256-aes:
crypto ipsec transform-set ts1
 transform esp-256-aes
!
The following example shows that the IPSec profile uses acl1 as the traffic proxy and ts1 as the
transform set. In addition, reverse route injection (RRI) is configured.
crypto ipsec profile prof1
 set pfs group1
 set type static
 match acl1 transform-set ts1
 reverse-route
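
The IKE and IPSec stanzas above pair an AES-256 ESP transform with 3DES for IKE, Diffie-Hellman group 1 for PFS, and a pre-shared key written into the configuration. The following review script is an added example, not part of the Cisco guide: it scans such stanzas and reports those settings by line. The rule names, the choice of what to flag, and the trimmed sample are assumptions of this example.

```python
import re

# Constructed sample: IKE and IPSec lines taken from the configuration on this page.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
!
crypto keyring kr1 vrf default
 pre-shared-key address 5.0.1.1 255.255.255.255 key aBrAkAdAbRa
crypto ipsec transform-set ts1
 transform esp-256-aes
!
crypto ipsec profile prof1
 set pfs group1
 match acl1 transform-set ts1
"""

# Hypothetical rule set: (rule id, pattern on the stripped line, finding text).
RULES = [
    ("weak-ike-cipher", re.compile(r"^encryption\s+(des|3des)\b"),
     "IKE policy uses {0}, a 64-bit block cipher"),
    ("weak-esp-transform", re.compile(r"^transform\s+.*\besp-(des|3des)\b"),
     "transform-set uses {0} for ESP"),
    ("weak-dh-group", re.compile(r"^(?:set\s+pfs\s+)?group\s*([12])$"),
     "Diffie-Hellman group {0} (1024-bit modulus or smaller)"),
    ("psk-in-config", re.compile(r"^pre-shared-key\s+.*\bkey\s+\S+"),
     "pre-shared key is readable in the configuration text"),
]

def audit(config):
    """Return (line_no, stanza, rule_id, message) for every flagged line."""
    findings, stanza = [], None
    for line_no, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("crypto "):   # each crypto command opens a stanza
            stanza = line
        for rule_id, pattern, message in RULES:
            match = pattern.search(line)
            if match:
                # Only the captured keyword is echoed, never the key value.
                findings.append((line_no, stanza, rule_id,
                                 message.format(*match.groups())))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("line %d [%s] %s: %s" % finding)
```

The esp-256-aes transform passes these rules, so the findings point at the IKE policy, the keyring and the PFS group rather than at the ESP cipher.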
