Router User Manual

Nortel Secure Router 8000 Series
Troubleshooting - VAS 2 IPSec and IKE troubleshooting
Issue 01.01 (30 March 2009) Nortel Networks Inc. 2-37
# Configure the host local ID in aggressive IKE negotiation mode.
<RouterA> system-view
[RouterA] ike local-name routera
2. Configure IKE proposals.
By default, the default IKE proposals are used.
3. Configure the IKE peer.
# Set the name of the IKE peer to routerb. Configure aggressive negotiation mode
and set “name” as the local ID authentication type. Set the pre-shared key to nortel.
Configure the IP address 202.38.162.1 for the peer and enable NAT traversal on it.
Note the following:
- The pre-shared keys configured on the two connected peers must match.
- “Name” is used as the ID authentication type. The remote name must be the same as the
  local IKE ID configured on the peer through the ike local-name command.
[RouterA] ike peer routerb
[RouterA-ike-peer-routerb] exchange-mode aggressive
[RouterA-ike-peer-routerb] local-id-type name
[RouterA-ike-peer-routerb] pre-shared-key nortel
[RouterA-ike-peer-routerb] remote-name routerb
[RouterA-ike-peer-routerb] remote-address 202.38.162.1
[RouterA-ike-peer-routerb] nat traversal
4. Configure an ACL.
# Configure an ACL, specifying the data flow from 10.1.1.x to 10.1.2.x.
[RouterA] acl number 3101
[RouterA-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
5. Configure an IPSec proposal.
# Name the IPSec proposal tran1. The proposal uses tunnel mode, the
SHA-1 authentication algorithm, and the DES encryption algorithm.
[RouterA] ipsec proposal tran1
[RouterA-ipsec-proposal-tran1] encapsulation-mode tunnel
[RouterA-ipsec-proposal-tran1] transform esp
[RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-proposal-tran1] esp encryption-algorithm des
6. Configure an IPSec policy.
# Name the IPSec policy map1, and set the sequence number to 10 and the
negotiation mode to ISAKMP. Apply the configured IPSec proposal tran1 to the policy,
and set the IKE peer to routerb.
[RouterA] ipsec policy map1 10 isakmp
[RouterA-ipsec-policy-isakmp-map1-10] security acl 3101
[RouterA-ipsec-policy-isakmp-map1-10] proposal tran1
[RouterA-ipsec-policy-isakmp-map1-10] ike-peer routerb
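The consistency rules noted in step 3 (matching pre-shared keys, and a remote-name equal to the peer's ike local-name) can be checked offline from the two CLI sessions before debugging a failed negotiation. The following Python is an added example, not part of the Nortel manual: the RouterB session, its deliberately mismatched values, and the function names parse_ike and check_pair are constructed for illustration, and it assumes one IKE peer per router.

```python
import re

# Constructed sessions in the prompt format used on this page. ROUTER_B is an
# assumed peer-side session with two deliberate mismatches (key, remote-name).
ROUTER_A = """\
[RouterA] ike local-name routera
[RouterA] ike peer routerb
[RouterA-ike-peer-routerb] exchange-mode aggressive
[RouterA-ike-peer-routerb] local-id-type name
[RouterA-ike-peer-routerb] pre-shared-key nortel
[RouterA-ike-peer-routerb] remote-name routerb
[RouterA-ike-peer-routerb] remote-address 202.38.162.1
[RouterA-ike-peer-routerb] nat traversal
"""
ROUTER_B = """\
[RouterB] ike local-name routerb
[RouterB] ike peer routera
[RouterB-ike-peer-routera] exchange-mode aggressive
[RouterB-ike-peer-routera] local-id-type name
[RouterB-ike-peer-routera] pre-shared-key Nortel
[RouterB-ike-peer-routera] remote-name router-a
[RouterB-ike-peer-routera] nat traversal
"""

def parse_ike(session):
    """Return (ike local-name, {keyword: value}) for the single IKE peer."""
    local_name, peer = None, {}
    for prompt, cmd in re.findall(r"^\[(\S+)\][ \t]+(.+)$", session, re.M):
        words = cmd.split()
        if "-ike-peer-" in prompt:          # command typed in the IKE peer view
            peer[words[0]] = " ".join(words[1:])
        elif words[:2] == ["ike", "local-name"] and len(words) == 3:
            local_name = words[2]
    return local_name, peer

def check_pair(session_a, session_b):
    """List IKE mismatches between the two ends (exact string comparison assumed)."""
    (name_a, pa), (name_b, pb) = parse_ike(session_a), parse_ike(session_b)
    issues = [f"{k} differs between the two ends"
              for k in ("exchange-mode", "pre-shared-key", "nat") if pa.get(k) != pb.get(k)]
    for side, peer, expected in (("A", pa, name_b), ("B", pb, name_a)):
        if peer.get("local-id-type") == "name" and peer.get("remote-name") != expected:
            issues.append(f"side {side}: remote-name {peer.get('remote-name')!r} does not "
                          f"match the peer's ike local-name {expected!r}")
    return issues

if __name__ == "__main__":
    print("\n".join(check_pair(ROUTER_A, ROUTER_B)))
```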
7. Apply the IPSec policy.
# Apply the IPSec policy map1 on the serial interface.
[RouterA] interface Ethernet 1/2/0