Tip

This is the documentation for the 20.02 version. Looking for the documentation of the latest version? Have a look here.

IPsec Example

Required Information

This table contains the Required Information used to form the IPsec tunnel used in this example.

Example IPsec Configuration

Item

Value

Local Address

203.0.113.2

Local IKE Identity

203.0.113.2

Local Network(s)

10.2.0.0/16

Remote Address

203.0.113.25

Remote IKE Identity

203.0.113.25

Remote Network(s)

10.25.0.0/16

IKE Version

2

IKE Lifetime

28800

IKE Encryption

AES-128

IKE Integrity

SHA1

IKE DH/MODP Group

2048 (14)

IKE Authentication

Pre-Shared Key

Pre-Shared Key

mysupersecretkey

SA Lifetime

3600

SA Encryption

AES-128

SA Integrity

SHA1

SA DH/MODP Group

2048 (14)

Local IPsec Address

172.32.0.1/30

Remote IPsec Address

172.32.0.2

Example Configuration

This configuration session implements the tunnel described by the settings in Example IPsec Configuration:

tnsr(config)# ipsec tunnel 0
tnsr(config-ipsec-tun)# local-address 203.0.113.2
tnsr(config-ipsec-tun)# remote-address 203.0.113.25
tnsr(config-ipsec-tun)# crypto config-type ike
tnsr(config-ipsec-tun)# crypto ike
tnsr(config-ipsec-crypto-ike)# version 2
tnsr(config-ipsec-crypto-ike)# lifetime 28800
tnsr(config-ipsec-crypto-ike)# proposal 1
tnsr(config-ike-proposal)# encryption aes128
tnsr(config-ike-proposal)# integrity sha1
tnsr(config-ike-proposal)# group modp2048
tnsr(config-ike-proposal)# exit
tnsr(config-ipsec-crypto-ike)# identity local
tnsr(config-ike-identity)# type address
tnsr(config-ike-identity)# value 203.0.113.2
tnsr(config-ike-identity)# exit
tnsr(config-ipsec-crypto-ike)# identity remote
tnsr(config-ike-identity)# type address
tnsr(config-ike-identity)# value 203.0.113.25
tnsr(config-ike-identity)# exit
tnsr(config-ipsec-crypto-ike)# authentication local
tnsr(config-ike-auth)# round 1
tnsr(config-ike-auth-round)# type psk
tnsr(config-ike-auth-round)# psk mysupersecretkey
tnsr(config-ike-auth-round)# exit
tnsr(config-ike-auth)# exit
tnsr(config-ipsec-crypto-ike)# authentication remote
tnsr(config-ike-auth)# round 1
tnsr(config-ike-auth-round)# type psk
tnsr(config-ike-auth-round)# psk mysupersecretkey
tnsr(config-ike-auth-round)# exit
tnsr(config-ike-auth)# exit
tnsr(config-ipsec-crypto-ike)# child 1
tnsr(config-ike-child)# lifetime 3600
tnsr(config-ike-child)# proposal 1
tnsr(config-ike-child-proposal)# encryption aes128
tnsr(config-ike-child-proposal)# integrity sha1
tnsr(config-ike-child-proposal)# group modp2048
tnsr(config-ike-child-proposal)# exit
tnsr(config-ike-child)# exit
tnsr(config-ipsec-crypto-ike)# exit
tnsr(config-ipsec-tun)# exit
tnsr(config)# interface ipip0
tnsr(config-interface)# ip address 172.32.0.1/30
tnsr(config-interface)# exit
tnsr(config)# route ipv4 table ipv4-VRF:0
tnsr(config-route-table-v4)# route 10.25.0.0/16
tnsr(config-rttbl4-next-hop)# next-hop 0 via 172.32.0.2 ipip0
tnsr(config-rttbl4-next-hop)# exit
tnsr(config-route-table-v4)# exit
tnsr(config)# exit

This example is used as a reference through the remainder of the chapter.

Tip

If the TNSR device hardware supports cryptographic acceleration, enable it for optimal performance. See IPsec Cryptographic Acceleration for details.