CHAPTER 40: CONFIGURING IPSEC

[RouterB-Serial0] ipsec policy use1

[RouterB-Serial0] ip address 202.38.162.1 255.255.255.0

o Configure the route.

[RouterB] ip route-static 10.1.1.0 255.255.255.0 202.38.163.1

After the configuration is complete and the security tunnel between Router A and Router B is established, the data stream between Subnet 10.1.1.x and Subnet 10.1.2.x will be transmitted with encryption.

Creating an SA in IKE Negotiation Mode

Establish a security tunnel between Router A and Router B to protect the data streams between the subnet represented by PC-A (10.1.1.x) and the subnet represented by PC-B (10.1.2.x). The security protocol is ESP, the encryption algorithm is DES, and the authentication algorithm is sha1-hmac-96. See Figure 174 for an illustration of the configuration.

Prior to configuring, you should ensure that Router A and Router B can interwork at the network layer through a serial interface.

1 Configure Router A:

a Configure an access list and define the data stream from Subnet 10.1.1.x to Subnet 10.1.2.x.

[RouterA] acl 101

[RouterA-acl-101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

[RouterA-acl-101] rule deny ip source any destination any

b Create the IPSec proposal view named tran1

[RouterA] ipsec proposal tran1

c Use tunnel mode as the packet encapsulation mode

[RouterA-ipsec-proposal-tran1] encapsulation-mode tunnel

d Use ESP as the security protocol

[RouterA-ipsec-proposal-tran1] transform esp-new

e Select the authentication algorithm and encryption algorithm

[RouterA-ipsec-proposal-tran1] esp-new encryption-algorithm des

[RouterA-ipsec-proposal-tran1] esp-new authentication-algorithm sha1-hmac-96

f Create a security policy with negotiation mode as isakmp

[RouterA] ipsec policy policy1 10 isakmp

g Set the remote address

[RouterA-ipsec-policy-policy1-10] tunnel remote 202.38.162.1

h Reference the IPSec proposal

[RouterA-ipsec-policy-policy1-10] proposal tran1

i Reference the access list

[RouterA-ipsec-policy-policy1-10] security acl 101

j Exit to system view

[RouterA-ipsec-policy-policy1-10] quit

k Enter serial interface view
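
A consistency check for the Router A steps above, as an added example that is not part of the 3Com manual: it parses the prompt-prefixed commands, confirms that the policy references a proposal and an ACL that are actually defined (a mistyped name such as trans1 for tran1 leaves the policy with no usable proposal), and flags single DES, whose 56-bit key no longer resists brute force. The function names, the finding strings and the WEAK_ENCRYPTION set are assumptions of this example.

```python
import re
# Constructed input: Router A's commands from steps a-i, one command per line.
ROUTER_A = """\
[RouterA] acl 101
[RouterA-acl-101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[RouterA-acl-101] rule deny ip source any destination any
[RouterA] ipsec proposal tran1
[RouterA-ipsec-proposal-tran1] encapsulation-mode tunnel
[RouterA-ipsec-proposal-tran1] transform esp-new
[RouterA-ipsec-proposal-tran1] esp-new encryption-algorithm des
[RouterA-ipsec-proposal-tran1] esp-new authentication-algorithm sha1-hmac-96
[RouterA] ipsec policy policy1 10 isakmp
[RouterA-ipsec-policy-policy1-10] tunnel remote 202.38.162.1
[RouterA-ipsec-policy-policy1-10] proposal tran1
[RouterA-ipsec-policy-policy1-10] security acl 101
"""
WEAK_ENCRYPTION = {"des"}  # assumption of this example: single DES is flagged

def parse(transcript):
    """Use the view named in each prompt to collect ACLs, proposals and policies."""
    acls, proposals, policies = set(), {}, {}
    for view, rest in re.findall(r"^\[(\S+?)\][ \t]*(\S.*)$", transcript, re.M):
        cmd = rest.split()
        if cmd[0] == "acl" and len(cmd) == 2:
            acls.add(cmd[1])
        elif cmd[:2] == ["ipsec", "proposal"] and len(cmd) == 3:
            proposals.setdefault(cmd[2], {})
        elif cmd[:2] == ["ipsec", "policy"] and len(cmd) == 5:
            policies.setdefault(f"{cmd[2]}-{cmd[3]}", {})
        elif "-ipsec-proposal-" in view and cmd[0] == "esp-new" and len(cmd) == 3:
            proposals.setdefault(view.split("-ipsec-proposal-")[1], {})[cmd[1]] = cmd[2]
        elif "-ipsec-policy-" in view and cmd[0] in ("tunnel", "proposal", "security"):
            policies.setdefault(view.split("-ipsec-policy-")[1], {})[cmd[0]] = cmd[-1]
    return acls, proposals, policies

def audit(transcript):
    """Return findings: dangling references, missing authentication, weak encryption."""
    acls, proposals, policies = parse(transcript)
    findings = []
    for name, pol in policies.items():
        if pol.get("proposal") not in proposals:
            findings.append(f"policy {name}: proposal {pol.get('proposal')} is not defined")
        if pol.get("security") not in acls:
            findings.append(f"policy {name}: acl {pol.get('security')} is not defined")
    for name, prop in proposals.items():
        if prop.get("encryption-algorithm") in WEAK_ENCRYPTION:
            findings.append(f"proposal {name}: weak encryption {prop['encryption-algorithm']}")
        if "authentication-algorithm" not in prop:
            findings.append(f"proposal {name}: no authentication algorithm")
    return findings
```

Calling audit(ROUTER_A) on the configuration as written returns only the DES finding; the cross-reference checks stay silent because tran1 and ACL 101 are both defined.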
