74   ESR Series Routers Operation Manual 
Create a security parameters profile (IPsec proposal) for the IPsec tunnel. In this example the profile selects the AES 128-bit encryption algorithm and the MD5 authentication algorithm. Note that a proposal is the set of algorithms the router is willing to negotiate, and HMAC-MD5 is a legacy integrity choice, so prefer a SHA-2 based authentication algorithm where the peer supports it. Use the following parameters to secure the IPsec tunnel: 
esr(config)# security ipsec proposal ipsec_prop1 
esr(config-ipsec-proposal)# authentication algorithm md5 
esr(config-ipsec-proposal)# encryption algorithm aes128 
esr(config-ipsec-proposal)# exit 
Create a policy for the IPsec tunnel. In the policy, specify the list of IPsec proposals (security parameter profiles) that may be offered when negotiating with the peer; any proposal in the list may be the one that is finally negotiated: 
esr(config)# security ipsec policy ipsec_pol1 
esr(config-ipsec-policy)# proposal ipsec_prop1 
esr(config-ipsec-policy)# exit 
Create the IPsec VPN. For the VPN, specify the key exchange mode, the connection establishment method, the IKE gateway and the IPsec policy. When all parameters have been entered, enable the tunnel with the enable command: 
esr(config)# security ipsec vpn ipsec1 
esr(config-ipsec-vpn)# mode ike 
esr(config-ipsec-vpn)# ike establish-tunnel immediate 
esr(config-ipsec-vpn)# ike gateway ike_gw1 
esr(config-ipsec-vpn)# ike ipsec-policy ipsec_pol1 
esr(config-ipsec-vpn)# enable 
esr(config-ipsec-vpn)# exit 
esr(config)# exit 
To view the tunnel status, use the following command: 
esr# show security ipsec vpn status ipsec1 
To view the tunnel configuration, use the following command: 
esr# show security ipsec vpn configuration ipsec1 
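As an added example (not part of the manual and not Eltex code), the following Python script parses security ipsec proposal, policy and vpn blocks in the syntax shown above, either from a running configuration or from a pasted CLI transcript (the esr(config-...)# prompt is stripped), follows each enabled VPN to the proposals its policy offers, and reports legacy choices such as the MD5 authentication algorithm used in the configuration above. The algorithm keywords sha2-256 and aes256, the names ipsec_prop2, ipsec_pol2, ike_gw2 and ipsec2 in the constructed sample, and the sets of algorithms treated as weak are assumptions of this example, not settings taken from the manual.

```python
"""Audit an ESR-style IPsec configuration for weak proposal algorithms.

Added example, not Eltex code. Assumes the `security ipsec proposal|policy|vpn`
block syntax shown in the manual. Keywords sha2-256/aes256 in the sample are assumed.
"""
import re
from dataclasses import dataclass, field

PROMPT_RE = re.compile(r"^\S+\(config[^)]*\)#\s*")  # strips e.g. "esr(config-ipsec-vpn)# "
BLOCK_RE = re.compile(r"^security ipsec (proposal|policy|vpn) (\S+)$")
WEAK_AUTH = {"md5", "sha1"}         # legacy HMAC choices (assumed policy, not a router setting)
WEAK_ENC = {"des", "3des", "null"}  # 64-bit block ciphers or no confidentiality at all

# Constructed sample: the manual's ipsec1 plus a second tunnel on a stronger proposal.
SAMPLE_CONFIG = """\
security ipsec proposal ipsec_prop1
  authentication algorithm md5
  encryption algorithm aes128
exit
security ipsec proposal ipsec_prop2
  authentication algorithm sha2-256
  encryption algorithm aes256
exit
security ipsec policy ipsec_pol1
  proposal ipsec_prop1
  proposal ipsec_prop2
exit
security ipsec policy ipsec_pol2
  proposal ipsec_prop2
exit
security ipsec vpn ipsec1
  mode ike
  ike establish-tunnel immediate
  ike gateway ike_gw1
  ike ipsec-policy ipsec_pol1
  enable
exit
security ipsec vpn ipsec2
  ike gateway ike_gw2
  ike ipsec-policy ipsec_pol2
  enable
exit
"""

@dataclass
class IpsecConfig:
    proposals: dict = field(default_factory=dict)  # name -> {"auth": ..., "enc": ...}
    policies: dict = field(default_factory=dict)   # name -> [proposal names]
    vpns: dict = field(default_factory=dict)       # name -> {"policy": ..., "enabled": bool}

def parse_config(text):
    """Build the proposal -> policy -> vpn graph from config or transcript lines."""
    cfg = IpsecConfig()
    kind = name = None  # the ipsec block we are currently inside, if any
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        m = BLOCK_RE.match(line)
        if m:
            kind, name = m.groups()
            if kind == "proposal":
                cfg.proposals.setdefault(name, {})
            elif kind == "policy":
                cfg.policies.setdefault(name, [])
            else:
                cfg.vpns.setdefault(name, {"policy": None, "enabled": False})
            continue
        if line == "exit":
            kind = name = None
            continue
        w = line.split()
        if kind is None or not w:
            continue  # blank lines and anything outside an ipsec block (interfaces, zones)
        if kind == "proposal" and w[:2] == ["authentication", "algorithm"]:
            cfg.proposals[name]["auth"] = w[2]
        elif kind == "proposal" and w[:2] == ["encryption", "algorithm"]:
            cfg.proposals[name]["enc"] = w[2]
        elif kind == "policy" and w[0] == "proposal":
            cfg.policies[name].append(w[1])
        elif kind == "vpn" and w[:2] == ["ike", "ipsec-policy"]:
            cfg.vpns[name]["policy"] = w[2]
        elif kind == "vpn" and w == ["enable"]:
            cfg.vpns[name]["enabled"] = True
    return cfg

def audit(cfg):
    """Return (vpn, proposal, message) for each weak choice an enabled VPN could negotiate.
    A policy offers every proposal it lists, so one weak proposal is enough for the peer to pick it."""
    findings = []
    for vpn, v in sorted(cfg.vpns.items()):
        if not v["enabled"]:
            continue
        for prop in cfg.policies.get(v["policy"], []):
            p = cfg.proposals.get(prop)
            if p is None:
                findings.append((vpn, prop, "proposal referenced but never defined"))
                continue
            for key, weak, label in (("auth", WEAK_AUTH, "authentication"), ("enc", WEAK_ENC, "encryption")):
                if p.get(key) in weak:
                    findings.append((vpn, prop, f"weak {label} algorithm {p[key]}"))
    return findings

if __name__ == "__main__":
    for vpn, prop, msg in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{vpn}: {prop}: {msg}")
```

On the sample, only ipsec1 is reported (its policy offers ipsec_prop1 with MD5); ipsec2 is clean because every proposal its policy offers is strong. To audit a real device, feed the output of show running-config, or a saved CLI session, to parse_config in place of SAMPLE_CONFIG; the script deliberately ignores interface and zone configuration.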
7.19.2 Policy-based IPsec VPN configuration 
Solution: 
1.  R1 configuration 
Configure the external network interface and assign it to the security zone: 
esr# configure 
esr(config)# interface gigabitethernet 1/0/1 
esr(config-if-gi)# ip address 120.11.5.1/24 
esr(config-if-gi)# security-zone untrusted 
esr(config-if-gi)# exit 
Create a service object group (port profile) for ISAKMP, to be referenced by the security zone rules. IKE/ISAKMP uses UDP port 500; if either peer is behind NAT, IKE and the UDP-encapsulated ESP traffic also use UDP port 4500 (NAT-T), and without NAT the ESP packets themselves (IP protocol 50) must be permitted by the zone rules as well: 
esr(config)# object-group service ISAKMP 
esr(config-object-group-service)# port-range 500 
esr(config-object-group-service)# exit