212
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ip address 2.2.2.2 255.255.255.0
# Apply the IPsec policy to interface Ethernet 1/1.
[RouterB-Ethernet1/1] ipsec policy use1
# Configure a static route to subnet 10.1.1.0/24.
[RouterB] ip route-static 10.1.1.0 255.255.255.0 1.1.1.1
4. Verify the configuration:
# Check the IKE proposal configuration.
[RouterA] display ike proposal
priority authentication authentication encryption Diffie-Hellman duration
method algorithm algorithm group (seconds)
---------------------------------------------------------------------------
10 PRE_SHARED MD5 DES_CBC MODP_768 5000
default PRE_SHARED SHA DES_CBC MODP_768 86400
[RouterB] display ike proposal
priority authentication authentication encryption Diffie-Hellman duration
method algorithm algorithm group (seconds)
---------------------------------------------------------------------------
default PRE_SHARED SHA DES_CBC MODP_768 86400
Router A and Router B has only one pair of matching IKE proposals. Matching IKE proposals do
not necessarily use the same ISAKMP SA lifetime setting.
# Send traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24. Router A starts IKE negotiation
with Router B when receiving the first packet.
# Display the SAs established in the two IKE negotiation phases.
[RouterA] display ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------
1 2.2.2.2 RD|ST 1 IPSEC
2 2.2.2.2 RD|ST 2 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO—TIMEOUT RK-REKEY
# Display information about the established IPsec SAs, which protect traffic between subnet
10.1.1.0/24 and subnet 10.1.2.0/24.
[RouterA] display ipsec sa
===============================
Interface: Ethernet1/1
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
acl version: ACL4
mode: isakmp
-----------------------------
PFS: N, DH group: none
To Next Page
Loading...
