Router User Manual
Nortel Secure Router 8000 Series
Troubleshooting - VAS 2 IPSec and IKE troubleshooting
Issue 01.01 (30 March 2009) Nortel Networks Inc. 2-45
[RouterA-Tunnel1/0/1] destination 202.38.162.1
Configuring IKE proposals
If no IKE proposal is configured, the remote end uses default IKE proposals.
Configuring the IKE peer
# Name the IKE peer routerb and use aggressive negotiation mode. Set the pre-shared key to
nortel. Note that the pre-shared keys configured on the two ends must be identical.
Set the IP address of the remote end to 202.38.162.1.
[RouterA] ike peer routerb
[RouterA-ike-peer-routerb] exchange-mode aggressive
[RouterA-ike-peer-routerb] pre-shared-key nortel
[RouterA-ike-peer-routerb] remote-address 202.38.162.1
Configuring an ACL
# Configure an ACL that defines the GRE packets to be protected.
[RouterA] acl number 3101
[RouterA-acl-adv-3101] rule permit gre source 202.38.163.1 0 destination 202.38.162.1 0
Configuring an IPSec proposal
# Name the IPSec proposal tran1 and use transport mode to save bandwidth. The proposal
uses the ESP security protocol, the SHA-1 authentication algorithm, and the DES
encryption algorithm.
[RouterA] ipsec proposal tran1
[RouterA-ipsec-proposal-tran1] encapsulation-mode transport
[RouterA-ipsec-proposal-tran1] transform esp
[RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-proposal-tran1] esp encryption-algorithm des
Configuring an IPSec policy
# Name the IPSec policy map1, set the sequence number to 10, and set the negotiation
mode to ISAKMP. Apply the configured ACL and the IPSec proposal tran1 to the policy.
Set the IKE peer of the policy to routerb.
[RouterA] ipsec policy map1 10 isakmp
[RouterA-ipsec-policy-isakmp-map1-10] security acl 3101
[RouterA-ipsec-policy-isakmp-map1-10] proposal tran1
[RouterA-ipsec-policy-isakmp-map1-10] ike-peer routerb
Applying the IPSec policy group
# Apply the IPSec policy group map1 on the specified interface.
Note that the interface should be the physical interface that carries the tunnel, that is,
the one with the tunnel source address 202.38.163.1. It should not be the GRE virtual
interface Tunnel 1/0/1.
[RouterA] interface Pos 1/0/1
[RouterA-Pos1/0/1] ipsec policy map1
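A consistency check for the procedure above, added here as an example and not taken from the Nortel manual: it verifies that every ACL, proposal, IKE peer and policy referenced is defined, that the policy is not applied on the GRE tunnel interface, and it reports the aggressive-mode pre-shared key and DES settings for review. The function name audit, the finding wording and the "[prompt] command" transcript format are assumptions of this example, as is a host name without hyphens; the sample is retyped from this section's RouterA commands.

```python
import re

# RouterA commands from this section (IKE peer onward), as "[prompt] command".
SAMPLE = """\
[RouterA] ike peer routerb
[RouterA-ike-peer-routerb] exchange-mode aggressive
[RouterA-ike-peer-routerb] pre-shared-key nortel
[RouterA-ike-peer-routerb] remote-address 202.38.162.1
[RouterA] acl number 3101
[RouterA-acl-adv-3101] rule permit gre source 202.38.163.1 0 destination 202.38.162.1 0
[RouterA] ipsec proposal tran1
[RouterA-ipsec-proposal-tran1] encapsulation-mode transport
[RouterA-ipsec-proposal-tran1] transform esp
[RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-proposal-tran1] esp encryption-algorithm des
[RouterA] ipsec policy map1 10 isakmp
[RouterA-ipsec-policy-isakmp-map1-10] security acl 3101
[RouterA-ipsec-policy-isakmp-map1-10] proposal tran1
[RouterA-ipsec-policy-isakmp-map1-10] ike-peer routerb
[RouterA] interface Pos 1/0/1
[RouterA-Pos1/0/1] ipsec policy map1
"""

# Reference keyword inside a view -> system-view command that defines the object.
REFS = {"security acl": "acl number", "proposal": "ipsec proposal",
        "ike-peer": "ike peer", "ipsec policy": "ipsec policy"}

def audit(text):
    """Return a list of findings for a transcript of '[prompt] command' lines."""
    findings, defined, views = [], set(), {}
    for prompt, cmd in re.findall(r"^\[([^\]]+)\][ \t]+(.+)$", text, re.M):
        view = prompt.partition("-")[2]  # "" means the system view
        views.setdefault(view, []).append(cmd.strip())
        w = cmd.split()
        if not view and len(w) > 2 and " ".join(w[:2]) in REFS.values():
            defined.add((" ".join(w[:2]), w[2]))
    for view, cmds in views.items():
        for c in cmds if view else []:  # references only occur below the system view
            for kw, kind in REFS.items():
                if c.startswith(kw + " ") and (kind, c.split()[-1]) not in defined:
                    findings.append(f"{view}: undefined {kind} {c.split()[-1]}")
        if view.lower().startswith("tunnel") and any(c.startswith("ipsec policy ") for c in cmds):
            findings.append(f"{view}: policy applied on the GRE tunnel interface")
        # Aggressive mode sends identities and the PSK-derived hash unencrypted.
        if "exchange-mode aggressive" in cmds and any(c.startswith("pre-shared-key ") for c in cmds):
            findings.append(f"{view}: aggressive mode with pre-shared key")
        if "esp encryption-algorithm des" in cmds:  # DES has a 56-bit key
            findings.append(f"{view}: DES encryption")
    return findings
```

Calling audit(SAMPLE) on the configuration as documented returns only the two cryptographic findings; the reference and interface checks pass.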










