283
[SwitchA-Vlan-interface1] ipsec policy map1
2. Configure Switch B:
# Assign an IP address to VLAN-interface 1.
<SwitchB> system-view
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ip address 2.2.3.1 255.255.255.0
[SwitchB-Vlan-interface1] quit
# Define an ACL to identify data flows from Switch B to Switch A.
[SwitchB] acl number 3101
[SwitchB-acl-adv-3101] rule 0 permit ip source 2.2.3.1 0 destination 2.2.2.1 0
[SwitchB-acl-adv-3101] rule 5 permit ip source 2.2.2.1 0 destination 2.2.3.1 0
[SwitchB-acl-adv-3101] quit
# Create an IPsec proposal named tran1.
[SwitchB] ipsec proposal tran1
# Specify the encapsulation mode as tunnel.
[SwitchB-ipsec-proposal-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[SwitchB-ipsec-proposal-tran1] transform esp
# Specify the algorithms for the proposal.
[SwitchB-ipsec-proposal-tran1] esp encryption-algorithm aes 128
[SwitchB-ipsec-proposal-tran1] esp authentication-algorithm sha1
[SwitchB-ipsec-proposal-tran1] quit
# Configure the IKE peer.
[SwitchB] ike peer peer
[SwitchB-ike-peer-peer] pre-shared-key Ab12<><>
[SwitchB-ike-peer-peer] remote-address 2.2.2.1
[SwitchB-ike-peer-peer] quit
# Create an IPsec policy that uses IKE for IPsec SA negotiation.
[SwitchB] ipsec policy use1 10 isakmp
# Apply the ACL.
[SwitchB-ipsec-policy-isakmp-use1-10] security acl 3101
# Apply the IPsec proposal.
[SwitchB-ipsec-policy-isakmp-use1-10] proposal tran1
# Apply the IKE peer.
[SwitchB-ipsec-policy-isakmp-use1-10] ike-peer peer
[SwitchB-ipsec-policy-isakmp-use1-10] quit
# Apply the IPsec policy group to VLAN-interface 1.
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ipsec policy use1
3. Verifying the configuration
After the previous configuration, send traffic from Switch B to Switch A. Switch A starts IKE negotiation
with Switch B when receiving the first packet. If IKE negotiation is successful and SAs are set up, the traffic
between the two switches will be IPsec protected.
To Next Page
Loading...
Need help?
General
