This is the documentation for the 19.02 version.
After establishing a secure channel, the two endpoints can negotiate an IPsec
security association (IPsec SA) as a
child entry. Multiple children
can be configured as needed, though with routed IPsec only one is necessary.
tnsr(config-ipsec-crypto-ike)# child 1
tnsr(config-ike-child)# lifetime 3600
This example only has a single child, thus child 1. The child <n> command
enters IKE Child mode (config-ike-child). The lifetime <x> command determines
how long, in seconds, this child IPsec SA can live before it must be rekeyed.
Most commonly this is set for an hour, or 3600 seconds, as in the example above.
tnsr(config-ike-child)# proposal 1
tnsr(config-ike-child-proposal)# encryption aes128
tnsr(config-ike-child-proposal)# integrity sha1
tnsr(config-ike-child-proposal)# group modp2048
tnsr(config-ike-child-proposal)# exit
tnsr(config-ike-child)# exit
tnsr(config-ipsec-crypto-ike)# exit
tnsr(config-ipsec-tun)# exit
Each child may have one or more proposal entries which define the acceptable
encryption, integrity, and DH Group (Perfect Forward Secrecy, PFS) parameters
used to encrypt and authenticate the traffic protected by the IPsec SA. The
peer must accept at least one of the configured proposals or the child SA will
not establish. These work the same here as they do for IKE/ISAKMP as described
in IKE Proposal.
Some vendor IPsec implementations refer to IPsec security association child entries as “Phase 2”, which may help when attempting to map values supplied by a peer to their corresponding values in TNSR.
This completes the configuration for the IPsec tunnel. After exiting back to basic mode, the tunnel will attempt to establish a connection to the peer.
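As an added example (not from the original page or from Netgate's TNSR documentation), the same child configured with two proposals instead of one: a preferred proposal using AES-256 with SHA-256 integrity, and the page's AES-128/SHA-1 proposal kept as a second entry for peers that only support the older set. The aes256 and sha256 keywords are assumed to be accepted by the encryption and integrity commands in this version; confirm them with the CLI's completion in IKE Child Proposal mode before relying on them.

```text
tnsr(config-ipsec-crypto-ike)# child 1
tnsr(config-ike-child)# lifetime 3600
tnsr(config-ike-child)# proposal 1
tnsr(config-ike-child-proposal)# encryption aes256
tnsr(config-ike-child-proposal)# integrity sha256
tnsr(config-ike-child-proposal)# group modp2048
tnsr(config-ike-child-proposal)# exit
tnsr(config-ike-child)# proposal 2
tnsr(config-ike-child-proposal)# encryption aes128
tnsr(config-ike-child-proposal)# integrity sha1
tnsr(config-ike-child-proposal)# group modp2048
tnsr(config-ike-child-proposal)# exit
tnsr(config-ike-child)# exit
tnsr(config-ipsec-crypto-ike)# exit
tnsr(config-ipsec-tun)# exit
```

Give the stronger proposal the lower number so it is offered first, and make sure whichever set is negotiated also appears in the peer's Phase 2 (child SA) configuration; a proposal mismatch is the most common reason a child SA fails to establish after the IKE SA itself comes up. Keeping the same DH group on both proposals avoids a PFS mismatch when the peer falls back to the second entry.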