244
• Specify the encapsulation mode as tunnel, the security protocol as ESP, the encryption algorithm as
AES-CBC-192, and the authentication algorithm as HMAC-SHA1.
• Set up SAs through IKE negotiation.
Figure 81 Network diagram
Configuration procedure
1. Configure Switch A:
# Configure an IP address for VLAN-interface 1.
<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address 2.2.2.1 255.255.255.0
[SwitchA-Vlan-interface1] quit
# Define an ACL to identify data flows from Switch A to Switch B.
[SwitchA] acl number 3101
[SwitchA-acl-adv-3101] rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0
[SwitchA-acl-adv-3101] quit
# Create an IPsec transform set named tran1.
[SwitchA] ipsec transform-set tran1
# Specify the encapsulation mode as tunnel.
[SwitchA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[SwitchA-ipsec-transform-set-tran1] protocol esp
# Specify the ESP encryption and authentication algorithms.
[SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-192
[SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchA-ipsec-transform-set-tran1] quit
# Create the IKE keychain named keychain1.
[SwitchA] ike keychain keychain1
# Configure the pre-shared key used with the peer 2.2.3.1 as plaintext string of
12345zxcvb!@#$%ZXCVB.
[SwitchA-ike-keychain-keychain1] pre-shared-key address 2.2.3.1 255.255.255.0 key
simple 12345zxcvb!@#$%ZXCVB
[SwitchA-ike-keychain-keychain1] quit
# Create the IKE profile named profile1.
[SwitchA] ike profile profile1
# Reference the keychain keychain1.
[SwitchA-ike-profile-profile1] keychain keychain1
[SwitchA-ike-profile-profile1] match remote identity address 2.2.3.1 255.255.255.0
[SwitchA-ike-profile-profile1] quit
# Create an IKE-based IPsec policy entry, with the policy name map1 and sequence number 10.
[SwitchA] ipsec policy map1 10 isakmp

To Next Page
Loading...
Need help?
General
