Tip
This is the documentation for the 22.02 version. Looking for the documentation of the latest version? Have a look here.
IPsec Example
Required Information
This table lists the required information used to form the IPsec tunnel in this example.

| Item | Value |
|---|---|
| Local Address | 203.0.113.2 |
| Local IKE Identity | 203.0.113.2 |
| Local Network(s) | 10.2.0.0/16 |
| Remote Address | 203.0.113.25 |
| Remote IKE Identity | 203.0.113.25 |
| Remote Network(s) | 10.25.0.0/16 |
| IKE Version | 2 |
| IKE Lifetime | 28800 |
| IKE Encryption | AES-128 |
| IKE Integrity | SHA1 |
| IKE DH/MODP Group | 2048 (14) |
| IKE Authentication | Pre-Shared Key |
| Pre-Shared Key | mysupersecretkey |
| SA Lifetime | 3600 |
| SA Encryption | AES-128 |
| SA Integrity | SHA1 |
| SA DH/MODP Group | 2048 (14) |
| Local IPsec Address | 172.32.0.1/30 |
| Remote IPsec Address | 172.32.0.2 |
Example Configuration
This configuration session implements the tunnel described by the settings in the Example IPsec Configuration table above:
tnsr(config)# ipsec tunnel 0
tnsr(config-ipsec-tun)# local-address 203.0.113.2
tnsr(config-ipsec-tun)# remote-address 203.0.113.25
tnsr(config-ipsec-tun)# crypto config-type ike
tnsr(config-ipsec-tun)# crypto ike
tnsr(config-ipsec-crypto-ike)# version 2
tnsr(config-ipsec-crypto-ike)# lifetime 28800
tnsr(config-ipsec-crypto-ike)# proposal 1
tnsr(config-ike-proposal)# encryption aes128
tnsr(config-ike-proposal)# integrity sha1
tnsr(config-ike-proposal)# group modp2048
tnsr(config-ike-proposal)# exit
tnsr(config-ipsec-crypto-ike)# identity local
tnsr(config-ike-identity)# type address
tnsr(config-ike-identity)# value 203.0.113.2
tnsr(config-ike-identity)# exit
tnsr(config-ipsec-crypto-ike)# identity remote
tnsr(config-ike-identity)# type address
tnsr(config-ike-identity)# value 203.0.113.25
tnsr(config-ike-identity)# exit
tnsr(config-ipsec-crypto-ike)# authentication local
tnsr(config-ike-auth)# round 1
tnsr(config-ike-auth-round)# type psk
tnsr(config-ike-auth-round)# psk mysupersecretkey
tnsr(config-ike-auth-round)# exit
tnsr(config-ike-auth)# exit
tnsr(config-ipsec-crypto-ike)# authentication remote
tnsr(config-ike-auth)# round 1
tnsr(config-ike-auth-round)# type psk
tnsr(config-ike-auth-round)# psk mysupersecretkey
tnsr(config-ike-auth-round)# exit
tnsr(config-ike-auth)# exit
tnsr(config-ipsec-crypto-ike)# child 1
tnsr(config-ike-child)# lifetime 3600
tnsr(config-ike-child)# proposal 1
tnsr(config-ike-child-proposal)# encryption aes128
tnsr(config-ike-child-proposal)# integrity sha1
tnsr(config-ike-child-proposal)# group modp2048
tnsr(config-ike-child-proposal)# exit
tnsr(config-ike-child)# exit
tnsr(config-ipsec-crypto-ike)# exit
tnsr(config-ipsec-tun)# exit
tnsr(config)# interface ipip0
tnsr(config-interface)# ip address 172.32.0.1/30
tnsr(config-interface)# mtu 1400
tnsr(config-interface)# enable
tnsr(config-interface)# exit
tnsr(config)# route table ipv4-VRF:0
tnsr(config-route-table)# route 10.25.0.0/16
tnsr(config-rttbl4-next-hop)# next-hop 0 via 172.32.0.2
tnsr(config-rttbl4-next-hop)# exit
tnsr(config-route-table)# exit
tnsr(config)# exit
This example is used as a reference through the remainder of the chapter.
Tip
If the TNSR device hardware supports cryptographic acceleration, enable it for optimal performance. See IPsec Cryptographic Acceleration for details.