ESR series service routers. ESR-Series. User manual
9.4.2 Route-based IPsec VPN configuration example
Objective:
Configure an IPsec tunnel between R1 and R2.
R1 IP address: 120.11.5.1;
R2 IP address: 180.100.0.1.
IKE:
Diffie-Hellman group: 2;
encryption algorithm: AES 128 bit;
authentication algorithm: MD5.
IPsec:
encryption algorithm: AES 128 bit;
authentication algorithm: MD5.
Solution:
R1 configuration:
Configure the external network interface and assign it to a security zone:
esr# configure
esr(config)# interface gi 1/0/1
esr(config-if-gi)# ip address 180.100.0.1/24
esr(config-if-gi)# security-zone untrusted
esr(config-if-gi)# exit
Create a VTI tunnel. Traffic will be routed through the VTI into the IPsec tunnel. Specify the IP addresses of
the WAN border interfaces as the local and remote gateways:
esr(config)# tunnel vti 1
esr(config-vti)# local address 180.100.0.1
esr(config-vti)# remote address 120.11.5.1
esr(config-vti)# enable
esr(config-vti)# exit
To configure security zone rules, create an ISAKMP port profile:
esr(config)# object-group service ISAKMP
esr(config-object-group-service)# port-range 500
esr(config-object-group-service)# exit
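A consistency check for the R1 steps above, as an added example that is not part of the manual or of any Eltex tooling: it parses a pasted CLI session and verifies that the VTI local address belongs to an interface assigned to a security zone, that the remote address is not one of the router's own, that the tunnel is enabled, and that the ISAKMP profile lists port 500. The names parse_session, check_session and R1_SESSION are assumptions; the sample input is constructed from the commands in this section.

```python
import ipaddress
import re
# Constructed input: the R1 commands shown in this section, with prompts.
R1_SESSION = """\
esr(config)# interface gi 1/0/1
esr(config-if-gi)# ip address 180.100.0.1/24
esr(config-if-gi)# security-zone untrusted
esr(config-if-gi)# exit
esr(config)# tunnel vti 1
esr(config-vti)# local address 180.100.0.1
esr(config-vti)# remote address 120.11.5.1
esr(config-vti)# enable
esr(config-vti)# exit
esr(config)# object-group service ISAKMP
esr(config-object-group-service)# port-range 500
esr(config-object-group-service)# exit
"""
PROMPT = re.compile(r"^esr\(([\w-]+)\)#\s+(.+)$")

def parse_session(text):
    """Map each top-level (config mode) command to the commands inside its block."""
    blocks, current = {}, None
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if m and m.group(1) == "config":   # a top-level command opens a block
            current = blocks.setdefault(m.group(2), [])
        elif m and current is not None and m.group(2) != "exit":
            current.append(m.group(2))
    return blocks

def check_session(text):
    """Return a list of findings; an empty list means every check passed."""
    blocks, findings, zoned_ips = parse_session(text), [], set()
    for name, cmds in blocks.items():
        if name.startswith("interface ") and any(c.startswith("security-zone ") for c in cmds):
            zoned_ips |= {str(ipaddress.ip_interface(c.split()[-1]).ip)
                          for c in cmds if c.startswith("ip address ")}
    for name, cmds in blocks.items():
        if name.startswith("tunnel vti "):
            addr = {c.split()[0]: c.split()[-1] for c in cmds if " address " in c}
            if addr.get("local") not in zoned_ips:
                findings.append(f"{name}: local address is not on a zoned interface")
            if addr.get("remote") is None or addr.get("remote") in zoned_ips:
                findings.append(f"{name}: remote address missing or local to this router")
            if "enable" not in cmds:
                findings.append(f"{name}: tunnel is not enabled")
    if "port-range 500" not in blocks.get("object-group service ISAKMP", []):
        findings.append("object-group service ISAKMP: port 500 not listed")
    return findings
```
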