Tip: This is the documentation for the 19.02 version.
Required Information
Before attempting to configure an IPsec tunnel, several pieces of information are required in order for both sides to build a tunnel. Typically the administrators of both tunnel endpoints will negotiate and agree upon the values to use for an IPsec tunnel.
At a minimum, these pieces of information should be known to both endpoints before attempting to configure a tunnel:
- Local Address:
The IP address on TNSR which will be used to send and accept IPsec traffic from the peer.
- Local IKE Identity:
The IKE identifier for TNSR, typically an IP address and the same as Local Address.
- Local Network(s):
A list of local networks which will communicate through the IPsec tunnel to hosts on Remote Network(s). This is not entered into the configuration on TNSR for routed IPsec, but will be needed by the peer.
- Remote Address:
The IP address of the IPsec peer.
- Remote IKE Identity:
The identifier for the IPsec peer, typically the same as Remote Address.
- Remote Network(s):
A list of networks at the peer location with which hosts in the Local Network(s) will communicate. If using static routing, routes must be manually added for these networks using the Remote IPsec Address and the `ipsec0` interface. If BGP is used with IPsec, this will be handled automatically.
- IKE Version:
Either `1` for IKEv1 or `2` for IKEv2. IKEv2 is stronger and more capable, but not all IPsec equipment can properly handle IKEv2.
- IKE Lifetime:
The maximum amount of time that an IKE session can stay alive until it is renegotiated.
- IKE Encryption:
The encryption algorithm used to encrypt IKE messages.
- IKE Integrity:
The integrity algorithm used to authenticate IKE messages.
- IKE DH/MODP Group:
Diffie-Hellman group for key establishment, given in bits.
- IKE Authentication:
The type of authentication to use to verify the peer’s identity.
- Pre-Shared Key:
When using Pre-Shared Key for IKE Authentication, this key is used on both sides to authenticate the peer.
- SA Lifetime:
The amount of time that a child security association can be active before it is rekeyed.
- SA Encryption:
The encryption algorithm used to encrypt tunneled traffic.
- SA Integrity:
The integrity algorithm used to authenticate tunneled traffic.
- SA DH/MODP Group:
Diffie-Hellman group for security associations, in bits.
- Local IPsec Address:
The local IP address for the `ipsec0` interface, used for routing traffic to/from IPsec peers.
- Remote IPsec Address:
The remote IP address for the peer on `ipsec0`, used as a gateway for routing, or as a BGP neighbor.
The remainder of this section uses the following example values:

| Item | Value |
|---|---|
| Local Address | 203.0.113.2 |
| Local IKE Identity | 203.0.113.2 |
| Local Network(s) | 10.2.0.0/16 |
| Remote Address | 203.0.113.25 |
| Remote IKE Identity | 203.0.113.25 |
| Remote Network(s) | 10.25.0.0/16 |
| IKE Version | 1 |
| IKE Lifetime | 28800 |
| IKE Encryption | AES-128 |
| IKE Integrity | SHA1 |
| IKE DH/MODP Group | 2048 (14) |
| IKE Authentication | Pre-Shared Key |
| Pre-Shared Key | mysupersecretkey |
| SA Lifetime | 3600 |
| SA Encryption | AES-128 |
| SA Integrity | SHA1 |
| SA DH/MODP Group | 2048 (14) |
| Local IPsec Address | 172.32.0.1/30 |
| Remote IPsec Address | 172.32.0.2 |
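Because every value in the list above is either shared verbatim by both endpoints or appears swapped (local on one side is remote on the other), a mismatch between the two administrators' worksheets is the usual reason a tunnel fails to negotiate. The following Python script is an added example, not part of the TNSR documentation or the TNSR software: it models one endpoint's worksheet as a `TunnelSide` record (a hypothetical type whose field names follow the list above), derives the peer's worksheet by mirroring it, checks that the two describe the same tunnel (shared values equal, mirrored values swapped, the two `ipsec0` addresses in one subnet, local and remote networks not overlapping), and lists the static routes a side needs when BGP is not used. The TNSR values are taken from the example table above; the peer values are constructed by mirroring them.

```python
import ipaddress
from dataclasses import dataclass, replace

# MODP group number -> modulus size in bits (RFC 2409 group 2, RFC 3526 groups 5-16)
MODP_BITS = {2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}


@dataclass
class TunnelSide:
    """One endpoint's worksheet; hypothetical type, field names follow the list above."""
    name: str
    local_address: str
    local_ike_id: str
    local_networks: list
    remote_address: str
    remote_ike_id: str
    remote_networks: list
    ike_version: int
    ike_lifetime: int
    ike_encryption: str
    ike_integrity: str
    ike_dh_group: int          # MODP group number, e.g. 14 for 2048 bits
    ike_auth: str
    psk: str
    sa_lifetime: int
    sa_encryption: str
    sa_integrity: str
    sa_dh_group: int
    local_ipsec_address: str   # this side's ipsec0 address with prefix length
    remote_ipsec_address: str  # the peer's ipsec0 address, no prefix length


# Values both administrators must agree on verbatim.
SHARED = ("ike_version", "ike_lifetime", "ike_encryption", "ike_integrity", "ike_dh_group",
          "ike_auth", "psk", "sa_lifetime", "sa_encryption", "sa_integrity", "sa_dh_group")
# Values that must appear swapped on the peer: our local is their remote and vice versa.
MIRRORED = (("local_address", "remote_address"), ("local_ike_id", "remote_ike_id"),
            ("local_networks", "remote_networks"))


def check_side(s):
    """Checks one endpoint can run on its own worksheet; returns a list of problems."""
    problems = []
    if s.ike_version not in (1, 2):
        problems.append(f"{s.name}: IKE version must be 1 or 2, got {s.ike_version}")
    for group, label in ((s.ike_dh_group, "IKE"), (s.sa_dh_group, "SA")):
        if group not in MODP_BITS:
            problems.append(f"{s.name}: unknown {label} MODP group {group}")
    local = ipaddress.ip_interface(s.local_ipsec_address)
    remote = ipaddress.ip_address(s.remote_ipsec_address)
    if remote == local.ip or remote not in local.network:
        problems.append(f"{s.name}: remote IPsec address {remote} is not another host in {local.network}")
    for ln in s.local_networks:
        for rn in s.remote_networks:
            if ipaddress.ip_network(ln).overlaps(ipaddress.ip_network(rn)):
                problems.append(f"{s.name}: local network {ln} overlaps remote network {rn}")
    return problems


def check_pair(a, b):
    """Checks that two endpoints' worksheets describe the same tunnel."""
    problems = check_side(a) + check_side(b)
    for f in SHARED:
        if getattr(a, f) != getattr(b, f):
            problems.append(f"{f} differs between {a.name} and {b.name}")
    for lf, rf in MIRRORED:
        for x, y in ((a, b), (b, a)):
            if getattr(x, lf) != getattr(y, rf):
                problems.append(f"{x.name}.{lf} does not match {y.name}.{rf}")
    # The ipsec0 addresses are mirrored too, but the local one carries a prefix length.
    for x, y in ((a, b), (b, a)):
        if str(ipaddress.ip_interface(x.local_ipsec_address).ip) != y.remote_ipsec_address:
            problems.append(f"{x.name} ipsec0 address is not {y.name}'s remote IPsec address")
    return problems


def static_routes(s):
    """Routes this side needs without BGP: each remote network via the remote ipsec0 address."""
    return [(net, s.remote_ipsec_address, "ipsec0") for net in s.remote_networks]


def mirror(side, name):
    """Derives the peer's worksheet by swapping local and remote values (constructed peer)."""
    local = ipaddress.ip_interface(side.local_ipsec_address)
    return replace(side, name=name,
                   local_address=side.remote_address, remote_address=side.local_address,
                   local_ike_id=side.remote_ike_id, remote_ike_id=side.local_ike_id,
                   local_networks=side.remote_networks, remote_networks=side.local_networks,
                   local_ipsec_address=f"{side.remote_ipsec_address}/{local.network.prefixlen}",
                   remote_ipsec_address=str(local.ip))


# The TNSR side, filled in from the example table above.
TNSR = TunnelSide(
    name="tnsr", local_address="203.0.113.2", local_ike_id="203.0.113.2",
    local_networks=["10.2.0.0/16"], remote_address="203.0.113.25",
    remote_ike_id="203.0.113.25", remote_networks=["10.25.0.0/16"],
    ike_version=1, ike_lifetime=28800, ike_encryption="AES-128", ike_integrity="SHA1",
    ike_dh_group=14, ike_auth="Pre-Shared Key", psk="mysupersecretkey",
    sa_lifetime=3600, sa_encryption="AES-128", sa_integrity="SHA1", sa_dh_group=14,
    local_ipsec_address="172.32.0.1/30", remote_ipsec_address="172.32.0.2")
PEER = mirror(TNSR, "peer")

if __name__ == "__main__":
    print("problems:", check_pair(TNSR, PEER) or "none")
    print("static routes on TNSR:", static_routes(TNSR))
```

Running the script with the table's values reports no problems and one static route on TNSR, `10.25.0.0/16` via `172.32.0.2` on `ipsec0`. Changing any single value on the constructed peer (for instance the pre-shared key or its remote IPsec address) makes `check_pair` name the field that disagrees, which is the same question a failed negotiation leaves an administrator to answer by hand.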
Warning
If NAT is active on the same interface acting as an IPsec endpoint, then NAT forwarding must also be enabled. See NAT Forwarding.