
Step 11: After transit traffic is passed through the tunnel, display the IKE and IPSec SA tables.
Use the show crypto ike sa all and show crypto ipsec sa all commands.
4.4 Example 3: Multiple IPSec Proposals: Tunnel Mode Between Two Black Box Security Gateways
The following example demonstrates how a security gateway can use multiple IPSec (Phase 2) proposals to form an IP security tunnel joining two private networks, 10.0.1.0/24 and 10.0.2.0/24.
IKE Proposal offered by both Black Box1 and Black Box2:
Phase 1: 3DES and SHA1
IPSec Proposals offered by Black Box1:
Phase 2: Proposal1: IPSec ESP with DES and
Phase 2: Proposal2: IPSec ESP with AES
IPSec Proposal offered by Black Box2:
Phase 2: Proposal1: IPSec ESP with AES
In this example, the Black Box1 router offers two IPSec proposals to the peer, while the Black Box2 router offers only one. As a result of quick mode negotiation, the two routers are expected to converge on the one mutually acceptable proposal, "IPSec ESP with AES".
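As an added illustration (not Black Box code or CLI output), the following Python models the two-phase negotiation the paragraph describes: Phase 2 proposal selection only happens after a Phase 1 match, the responder takes the first initiator proposal it is also configured with, and a helper flags weak ciphers a gateway still advertises. The first-match selection rule and the classification of DES as weak are assumptions of the model, not statements from the manual.

```python
"""Constructed model of the two-phase negotiation described above.
Added illustration, not Black Box code: it shows why the two gateways
land on "IPSec ESP with AES" and what happens when nothing overlaps."""
from dataclasses import dataclass

@dataclass(frozen=True)
class IkeProposal:
    encryption: str   # Phase 1 cipher, e.g. "3DES"
    hash_alg: str     # Phase 1 hash, e.g. "SHA1"

@dataclass(frozen=True)
class IpsecProposal:
    protocol: str     # "ESP"
    encryption: str   # Phase 2 cipher, e.g. "DES" or "AES"

def first_common(offered, accepted):
    """Responder picks the first of the initiator's proposals, in the
    initiator's preference order, that it is also configured with.
    Returns None when nothing overlaps (no SA is established).
    Assumption: first-match-in-initiator-order is the selection rule."""
    acceptable = set(accepted)
    return next((p for p in offered if p in acceptable), None)

def negotiate(ike_offered, ike_accepted, ipsec_offered, ipsec_accepted):
    """Quick mode (Phase 2) runs only once Phase 1 has produced an IKE SA."""
    ike_sa = first_common(ike_offered, ike_accepted)
    if ike_sa is None:
        return None, None  # no IKE SA, so quick mode never starts
    return ike_sa, first_common(ipsec_offered, ipsec_accepted)

def weak_ciphers(proposals, weak=("DES",)):
    """Advertised proposals using a weak cipher (assumption: DES counts);
    any peer that accepts one of these can negotiate it."""
    return [p for p in proposals if p.encryption in weak]

# Constructed from the proposal lists in the text.
IKE_BOTH = [IkeProposal("3DES", "SHA1")]
BLACKBOX1_IPSEC = [IpsecProposal("ESP", "DES"), IpsecProposal("ESP", "AES")]
BLACKBOX2_IPSEC = [IpsecProposal("ESP", "AES")]

def run_example():
    """Black Box1 initiates toward Black Box2 with the lists above."""
    return negotiate(IKE_BOTH, IKE_BOTH, BLACKBOX1_IPSEC, BLACKBOX2_IPSEC)

if __name__ == "__main__":
    print("IKE SA, IPSec SA:", run_example())
    print("Weak proposals Black Box1 still offers:", weak_ciphers(BLACKBOX1_IPSEC))
```

Note that Black Box2's single-proposal policy is what keeps DES off the wire here; Black Box1 would still accept DES from a peer that offers it.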
Figure 10 Tunnel Mode Between Two Black Box Security Gateways - Multiple Proposals
[Figure: Black Box1 (WAN address 172.16.0.1) and Black Box2 (WAN address 172.16.0.2) are joined by an IPSec ESP tunnel across the untrusted network; the trusted network behind Black Box1 is 10.0.1.0/24 and the trusted network behind Black Box2 is 10.0.2.0/24.]
Step 1: Configure a WAN bundle of network type untrusted
Black Box1/configure/interface/bundle wan1> link t1 1
Black Box1/configure/interface/bundle wan1> encapsulation ppp
Black Box1/configure/interface/bundle wan1> ip address 172.16.0.1 24
Black Box1/configure/interface/bundle wan1> crypto untrusted
Black Box1/configure/interface/bundle wan1> exit
Step 2: Configure the Ethernet interface with trusted network type
Black Box1/configure> interface ethernet 0
message: Configuring existing Ethernet interface
Black Box1/configure/interface/ethernet 0> ip address 10.0.1.1 24
Black Box1/configure/interface/ethernet 0> crypto trusted
Black Box1/configure/interface/ethernet 0> exit
Step 3: Display the crypto interfaces