Router User Manual

Nortel Secure Router 8000 Series
Troubleshooting - VAS 2 IPSec and IKE troubleshooting
Issue 01.01 (30 March 2009) Nortel Networks Inc. 2-9
Item: Configuring the IPSec policy group application

Sub-item: Configure the interface type and ID
Description: The Secure Router 8000 Series implements IPSec not only on physical interfaces, such as the serial interface and the Ethernet interface, but also on virtual interfaces, such as the tunnel interface and the virtual template interface. That is, IPSec can also be applied to a GRE or L2TP tunnel.

Sub-item: Configure the name of the IPSec policy group
Description: Applying an IPSec policy group to an interface brings every policy in the group into effect on that interface, so that different data flows can be protected by different IPSec policies. Note that an interface can be configured with only one IPSec policy group; to apply a different group, first remove the existing one. One policy group can be applied to several interfaces.
Outbound packets are matched against the policies in the group in ascending order of sequence number. The first policy whose ACL matches the packet is applied. If the packet matches no policy's ACL, it is sent directly, without security protection. Check two things before relying on a group: any flow that no ACL rule covers leaves the interface in the clear, and because the lowest sequence number wins, a broad ACL on a low-numbered policy shadows more specific policies with higher sequence numbers.
Router A is used as the example in the configuration notes for setting up SAs manually. The configuration of Router B mirrors that of Router A, with the source and destination parameters swapped.
The following sections cover only some of the commands for configuring an IPSec SA. For the complete procedure, see
Nortel Secure Router 8000 Series Configuration Guide - Security (NN46240-600).
Configuring an ACL
# Configure an advanced ACL that permits the data flow from 10.1.1.x to 10.1.2.x.
[RouterA] acl number 3101
[RouterA-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
Configuring an IPSec proposal
# Create the IPSec proposal tran1 and enter its view; set the encapsulation mode to tunnel mode,
the security protocol to ESP, the authentication algorithm to SHA-1, and the encryption algorithm to
DES.
[RouterA] ipsec proposal tran1
[RouterA-ipsec-proposal-tran1] encapsulation-mode tunnel
[RouterA-ipsec-proposal-tran1] transform esp
[RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-proposal-tran1] esp encryption-algorithm des
Note that single DES uses a 56-bit key and is no longer considered adequate for protecting traffic; it is used here only because the example does. Check the Configuration Guide for the stronger ESP encryption algorithms your software release supports and prefer one of those, configuring the same proposal on both peers.
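The policy-group lookup described in the table above (lowest sequence number wins, unmatched traffic is sent in the clear) and the "Router B mirrors Router A" requirement are easy to get wrong when a group has several policies. The following Python model is an added example, not code from the manual or from the router: it reproduces the lookup order and runs three checks a practitioner would want before applying a group. ACL 3101 is taken from the configuration above; ACL 3102, the policy sequence numbers, the broad "shadowing" policy, Router B's ACL and the sample flows are constructed for the example. The handling of deny rules (treated as "this policy does not apply, keep searching") is an assumption; the manual only describes permit matches.

```python
"""Added example (not Nortel code): model of IPSec policy-group lookup.

Checks: which flows leave the interface unprotected, which policies are
shadowed by a lower-numbered policy, and whether a peer's ACL mirrors ours.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


def _wild_match(ip: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask match: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass(frozen=True)
class AclRule:
    action: str        # "permit" or "deny"
    src: str           # source network, e.g. "10.1.1.0"
    src_wild: str      # source wildcard, e.g. "0.0.0.255"
    dst: str
    dst_wild: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (_wild_match(src_ip, self.src, self.src_wild)
                and _wild_match(dst_ip, self.dst, self.dst_wild))

    def mirrored(self) -> "AclRule":
        """The rule the peer router needs: source and destination swapped."""
        return AclRule(self.action, self.dst, self.dst_wild, self.src, self.src_wild)


@dataclass(frozen=True)
class IpsecPolicy:
    seq: int                     # sequence number within the policy group
    acl: Tuple[AclRule, ...]     # rules of the ACL referenced by the policy
    proposal: str


def select_policy(group: List[IpsecPolicy], src_ip: str, dst_ip: str) -> Optional[IpsecPolicy]:
    """Return the policy that protects the flow, or None if it is sent in the clear.

    Policies are tried in ascending sequence-number order; the first whose ACL
    permits the flow wins.  A deny match is treated as "this policy does not
    apply, keep searching" (assumption; the manual only describes permit matches).
    """
    for policy in sorted(group, key=lambda p: p.seq):
        for rule in policy.acl:
            if rule.matches(src_ip, dst_ip):
                if rule.action == "permit":
                    return policy
                break
    return None


def unprotected_flows(group: List[IpsecPolicy], flows) -> List[Tuple[str, str]]:
    """Flows that match no policy and would therefore leave the interface unprotected."""
    return [flow for flow in flows if select_policy(group, *flow) is None]


def shadowed_policies(group: List[IpsecPolicy], flows) -> Set[int]:
    """Sequence numbers of policies whose ACL permits a flow that a lower-numbered policy takes."""
    shadowed: Set[int] = set()
    for flow in flows:
        winner = select_policy(group, *flow)
        for policy in group:
            if policy is not winner and any(
                    r.action == "permit" and r.matches(*flow) for r in policy.acl):
                shadowed.add(policy.seq)
    return shadowed


def acls_mirror(local: Tuple[AclRule, ...], peer: Tuple[AclRule, ...]) -> bool:
    """True if the peer's ACL is exactly the mirror image of ours."""
    return {r.mirrored() for r in local} == set(peer)


# ACL 3101 as configured on Router A above; everything below it is constructed.
ACL_3101 = (AclRule("permit", "10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255"),)
ACL_3102 = (AclRule("permit", "10.1.1.0", "0.0.0.255", "10.1.3.0", "0.0.0.255"),)
GROUP = [IpsecPolicy(10, ACL_3101, "tran1"), IpsecPolicy(20, ACL_3102, "tran1")]
# A low-numbered policy with a /16 destination: it wins over both policies above.
BROAD_POLICY = IpsecPolicy(5, (AclRule("permit", "10.1.1.0", "0.0.0.255", "10.1.0.0", "0.0.255.255"),), "tran1")
ROUTER_B_ACL = (AclRule("permit", "10.1.2.0", "0.0.0.255", "10.1.1.0", "0.0.0.255"),)
SAMPLE_FLOWS = [("10.1.1.5", "10.1.2.7"), ("10.1.1.5", "10.1.3.9"), ("10.1.1.5", "192.0.2.1")]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        chosen = select_policy(GROUP, *flow)
        print(flow, "->", f"policy seq {chosen.seq}" if chosen else "SENT IN THE CLEAR")
    print("shadowed after adding seq 5:", shadowed_policies(GROUP + [BROAD_POLICY], SAMPLE_FLOWS))
    print("Router B ACL mirrors ACL 3101:", acls_mirror(ACL_3101, ROUTER_B_ACL))
```

The flow to 192.0.2.1 is the case the table warns about: it matches no ACL, so it is forwarded without ESP. Adding the broad policy at sequence 5 shows the other trap: it matches first, and policies 10 and 20 never take effect for these flows.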