Router User Manual
2 IPSec and IKE troubleshooting
Nortel Secure Router 8000 Series
Troubleshooting - VAS
2-28 Nortel Networks Inc. Issue 01.01 (30 March 2009)
| Item | Sub-item | Description |
|---|---|---|
| | Configure the sequence number of the IPSec policy | The sequence number ranges from 1 to 10000. The lower the value, the higher the priority. |
| | Configure the negotiation mode | Set up SAs in ISAKMP mode. |
| | Use the IPSec policy template | Use the previously configured IPSec policy template. The SA set up by a referential policy template can be the responder, but not the negotiation initiator. |
| Applying the IPSec policy group | Configure the interface type and ID | Enable the IPSec policy group on the specified group. For configuration notes, see the notes for “Troubleshooting manual IPSec SA setup.” |
| | Configure the name of the IPSec policy group | Apply one IPSec policy group on one interface. For configuration notes, see the notes for “Troubleshooting manual IPSec SA setup.” |
The peer PC C with an uncertain IP address must have IPSec capability and must have related software installed. If the peer is a router, ISAKMP SA should be configured. For details, see the configuration notes for “Troubleshooting ISAKMP SA.”
The following sections cover some of the commands for setting up an SA using the IPSec policy template. For more information, see Nortel Secure Router 8000 Series Configuration Guide - Security (NN46240-600).
Configuring an IKE proposal
Use the default IKE proposal.
Configuring an IKE peer
# Set the name of the IKE peer to routerb, the negotiation mode to main mode, and the shared key to nortel. Note that the shared keys on the two ends must be consistent.
<RouterA> system-view
[RouterA] ike peer routerb
[RouterA-ike-peer-routerb] exchange-mode main
[RouterA-ike-peer-routerb] pre-shared-key nortel
The peer does not need ACL rules. The data to protect is specified in the ACL rules on the negotiation initiator.
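The note above says the shared keys on the two ends must be consistent. The following check is an added example, not part of the Nortel manual: it parses the IKE peer settings from a saved configuration of each router and reports mismatches without printing the key. The indented configuration layout, the RouterB peer name routera, and the minimum key length are assumptions made for the example.

```python
import hmac

# Constructed sample configurations: only the three commands come from the
# manual; the indented layout and the peer name "routera" are assumptions.
ROUTER_A = "ike peer routerb\n exchange-mode main\n pre-shared-key nortel\n"
ROUTER_B = "ike peer routera\n exchange-mode main\n pre-shared-key Nortel\n"
MIN_KEY_LEN = 16  # assumed local policy threshold, not a value from the manual


def parse_ike_peers(config):
    """Return {peer_name: {setting: value}} for each 'ike peer' block."""
    peers, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ike peer "):
            current = peers.setdefault(line.split(None, 2)[2], {})
        elif current is not None and raw[:1].isspace() and line:
            key, _, value = line.partition(" ")
            current[key] = value
        elif line:
            current = None  # any other top-level command ends the block
    return peers


def compare_ends(local, remote):
    """Compare one IKE peer's settings on each end; return a list of findings."""
    findings = []
    if local.get("exchange-mode") != remote.get("exchange-mode"):
        findings.append("exchange-mode differs between the two ends")
    k1, k2 = local.get("pre-shared-key", ""), remote.get("pre-shared-key", "")
    # Byte-exact, constant-time comparison; key text never appears in a finding.
    if not hmac.compare_digest(k1.encode(), k2.encode()):
        findings.append("pre-shared-key differs between the two ends")
    if min(len(k1), len(k2)) < MIN_KEY_LEN:
        findings.append(f"pre-shared-key shorter than {MIN_KEY_LEN} characters")
    return findings


if __name__ == "__main__":
    a = parse_ike_peers(ROUTER_A)["routerb"]
    b = parse_ike_peers(ROUTER_B)["routera"]
    for finding in compare_ends(a, b):
        print("FINDING:", finding)
```

In the constructed sample the two keys differ only in the case of the first letter, which the byte-exact comparison reports as a mismatch.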










