183
[RouterB-Serial2/2] ip address 2.2.3.1 255.255.255.0
# Apply the IPsec policy group to the interface.
[RouterB-Serial2/2] ipsec policy use1
3. Verify the configuration:
After the configuration, IKE negotiation will be triggered to set up SAs when there is traffic
between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. If IKE negotiation is successful and SAs
are set up, the traffic between the two subnets will be IPsec protected.
Configuring encryption cards for IPsec services
Network requirements
As shown in Figure 59, configure an IPsec tunnel implemented on encryption cards between Router
A and Router B to protect data flows between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. Configure
the tunnel to use the security protocol ESP, the encryption algorithm DES, and the authentication
algorithm SHA1-HMAC-96. Use IKE for IPsec SA negotiation.
Figure 59 Network diagram
Configuration procedure
1. Configure Router A:
#Define an ACL to identify data flows from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.
<RouterA> system-view
[RouterA] acl number 3101
[RouterA-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0
0.0.0.255
[RouterA-acl-adv-3101] quit
# Configure a static route to Host B.
[RouterA] ip route-static 10.1.2.0 255.255.255.0 serial 2/1
# Create an IPsec transform set named tran1.
[RouterA] ipsec transform-set tran1
# Specify the encapsulation mode as tunnel.
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[RouterA-ipsec-transform-set-tran1] transform esp
# Specify the algorithms.
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm des
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] quit
Internet
S2/1
2.2.2.1/24
S2/2
2.2.3.1/24
Eth1/1
10.1.1.1/24
Eth1/1
10.1.2.1/24
Router A Router B
Host A
10.1.1.2/24
Host B
10.1.2.2/24
To Next Page
Loading...
Need help?
General
