Foundry Networks AR1208, AR3202-CL, AR3201-CL, AR1204, AR1216 manual Security Features

Security Features

Router1# show crypto ipsec sa all detail

Crypto Policy name: INRouter2

Protocol is Any

Local ident(ip/mask/port): (10.0.2.0/255.255.255.0/any)

Remote ident(ip/mask/port): (10.0.1.0/255.255.255.0/any)

Peer Address is 172.16.0.1, PFS Group is disabled

inbound ESP sas

Spi: 0xd603a513

Transform: aes256 (key length=256 bits), sha1 In use settings = {tunnel}

Bytes Processed 256

Hard lifetime in seconds 3560, Hard lifetime in kilobytes

413696

Soft lifetime in seconds 0, Soft lifetime in kilobytes is unlimited

Crypto Policy name: Router2

Protocol is Any

Local ident(ip/mask/port): (10.0.1.0/255.255.255.0/any)

Remote ident(ip/mask/port): (10.0.2.0/255.255.255.0/any)

Peer Address is 172.16.0.2, PFS Group is disabled

outbound ESP sas

Spi: 0xb013de87

Transform: aes256 (key length=256 bits), sha1

Example 3: Joining Two Networks with an IPSec Tunnel using Multiple IPSec Proposals

The following example demonstrates how a security gateway can use multiple IPSec (phase2) proposals to form an IP security tunnel to join two private networks: 10.0.1.0/24 and 10.0.2.0/24.

IKE Proposal offered by both Router1 and Router2:

•Phase 1: 3DES and SHA1 IPSec Proposals offered by Router1:

•Phase 2: Proposal1: IPSec ESP with DES and HMAC-SHA1

•Phase 2: Proposal2: IPSec ESP with AES (256-bit) and HMAC-SHA1 IPSec Proposal offered by Router2:

•Phase 2: Proposal1: IPSec ESP with AES (256-bit) and HMAC-SHA1

In this example, the Router1 router offers two IPSec proposals to the peer while the Router2 router offers only one proposal. As a result of quick mode negotiation, the two routers are expected to converge on a mutually acceptable proposal, which is the proposal “IPSec ESP with AES (256-bit) and HMAC-SHA1” in this example.