IPsec Example

This is a basic site-to-site IPsec tunnel example. For additional examples of other types of IPsec, including remote access, see TNSR Configuration Example Recipes.

Required Information

This table lists the parameters used to build the site-to-site IPsec tunnel in this example. The same values, with local and remote swapped, must be configured on the remote peer.

Example IPsec Configuration

Item                      Value
------------------------  ------------------------
Local Address             203.0.113.2
Local IKE Identity        203.0.113.2
Local Network(s)          10.2.0.0/16
Remote Address            203.0.113.25
Remote IKE Identity       203.0.113.25
Remote Network(s)         10.25.0.0/16
IKE Version               2
IKE Lifetime              28800 (seconds)
IKE Encryption            AES-256
IKE Integrity             SHA256
IKE DH/MODP Group         2048 (group 14)
IKE Authentication        Pre-Shared Key
Pre-Shared Key            mysupersecretkey
SA Lifetime               3600 (seconds)
SA Encryption             AES-256
SA Integrity              SHA256
SA DH/MODP Group          2048 (group 14)
Local IPsec Address       172.32.0.1/30
Remote IPsec Address      172.32.0.2

The IPsec addresses are the inner addresses of the ipip tunnel interface at each end; the remote IPsec address is also the next hop for routes to the remote network. The DH/MODP group in the SA (child) proposal provides perfect forward secrecy for the child SA. The pre-shared key shown is a placeholder only: use a long, randomly generated key in production, and configure the same key on both peers.

Example Configuration

This configuration session implements the local end of the tunnel described by the settings in Example IPsec Configuration. The remote peer needs the mirror image of this configuration (local and remote addresses, identities, and networks swapped) with identical proposals and the same pre-shared key, or the IKE negotiation will fail:

tnsr(config)# tunnel ipip 0
tnsr(config-ipip)# source ipv4 address 203.0.113.2
tnsr(config-ipip)# destination ipv4 address 203.0.113.25
tnsr(config-ipip)# exit
tnsr(config)# ipsec tunnel 0
tnsr(config-ipsec-tunnel)# enable
tnsr(config-ipsec-tunnel)# crypto config-type ike
tnsr(config-ipsec-tunnel)# crypto ike
tnsr(config-ipsec-crypto-ike)# version 2
tnsr(config-ipsec-crypto-ike)# lifetime 28800
tnsr(config-ipsec-crypto-ike)# proposal 1
tnsr(config-ike-proposal)# encryption aes256
tnsr(config-ike-proposal)# integrity sha256
tnsr(config-ike-proposal)# group modp2048
tnsr(config-ike-proposal)# exit
tnsr(config-ipsec-crypto-ike)# identity local
tnsr(config-ike-identity)# type address
tnsr(config-ike-identity)# value 203.0.113.2
tnsr(config-ike-identity)# exit
tnsr(config-ipsec-crypto-ike)# identity remote
tnsr(config-ike-identity)# type address
tnsr(config-ike-identity)# value 203.0.113.25
tnsr(config-ike-identity)# exit
tnsr(config-ipsec-crypto-ike)# authentication local
tnsr(config-ike-authentication)# round 1
tnsr(config-ike-authentication-round)# psk mysupersecretkey
tnsr(config-ike-authentication-round)# exit
tnsr(config-ike-authentication)# exit
tnsr(config-ipsec-crypto-ike)# authentication remote
tnsr(config-ike-authentication)# round 1
tnsr(config-ike-authentication-round)# psk mysupersecretkey
tnsr(config-ike-authentication-round)# exit
tnsr(config-ike-authentication)# exit
tnsr(config-ipsec-crypto-ike)# child 1
tnsr(config-ike-child)# lifetime 3600
tnsr(config-ike-child)# proposal 1
tnsr(config-ike-child-proposal)# encryption aes256
tnsr(config-ike-child-proposal)# integrity sha256
tnsr(config-ike-child-proposal)# group modp2048
tnsr(config-ike-child-proposal)# exit
tnsr(config-ike-child)# exit
tnsr(config-ipsec-crypto-ike)# exit
tnsr(config-ipsec-tunnel)# exit
tnsr(config)# interface ipip0
tnsr(config-interface)# ip address 172.32.0.1/30
tnsr(config-interface)# mtu 1400
tnsr(config-interface)# enable
tnsr(config-interface)# exit
tnsr(config)# route table default
tnsr(config-route-table)# route 10.25.0.0/16
tnsr(config-rttbl4-next-hop)# next-hop 0 via 172.32.0.2
tnsr(config-rttbl4-next-hop)# exit
tnsr(config-route-table)# exit
tnsr(config)# exit
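Because every proposal, lifetime and identity in the session above has to agree with its counterpart on the far side, it is worth producing both ends from a single parameter set rather than typing them independently. The following script is an added example and is not part of TNSR or its documentation: it emits the same TNSR CLI commands used in the session above, once for each peer with the local/remote values swapped, refuses a weak pre-shared key such as the table's placeholder, and checks that the two tunnel-interior addresses share one /30 and that the protected networks do not overlap. It assumes the remote peer is also TNSR and that the remote IPsec address is 172.32.0.2/30 (the table omits the prefix length).

```python
"""Render both ends of the site-to-site IPsec tunnel from one parameter set.

Added example, not TNSR's own tooling. Assumes the remote peer is also TNSR
and that the remote IPsec address carries the same /30 as the local end.
"""
import ipaddress
import secrets

# Constructed copy of the "Example IPsec Configuration" table.
PARAMS = {
    "tunnel_index": 0,
    "local_address": "203.0.113.2",
    "remote_address": "203.0.113.25",
    "local_network": "10.2.0.0/16",
    "remote_network": "10.25.0.0/16",
    "ike_version": 2,
    "ike_lifetime": 28800,
    "sa_lifetime": 3600,
    "encryption": "aes256",
    "integrity": "sha256",
    "group": "modp2048",
    "local_ipip": "172.32.0.1/30",
    "remote_ipip": "172.32.0.2/30",  # assumption: same /30 as the local end
    "mtu": 1400,
}


def generate_psk(nbytes=32):
    """Return a random hex PSK with nbytes*8 bits of entropy (256 by default)."""
    return secrets.token_hex(nbytes)


def check_psk(psk, min_len=32, min_distinct=8):
    """Reject short or repetitive keys such as the table's 'mysupersecretkey'."""
    return len(psk) >= min_len and len(set(psk)) >= min_distinct


def check_addressing(p):
    """Tunnel ends must share one subnet; protected networks must not overlap."""
    local_if = ipaddress.ip_interface(p["local_ipip"])
    remote_if = ipaddress.ip_interface(p["remote_ipip"])
    same_link = local_if.network == remote_if.network and local_if.ip != remote_if.ip
    disjoint = not ipaddress.ip_network(p["local_network"]).overlaps(
        ipaddress.ip_network(p["remote_network"]))
    return same_link and disjoint


def render_site(p, psk, side="local"):
    """Return the TNSR CLI commands for one peer; side='remote' mirrors them."""
    if side not in ("local", "remote"):
        raise ValueError("side must be 'local' or 'remote'")
    if not check_psk(psk):
        raise ValueError("pre-shared key is too short or too repetitive")
    if not check_addressing(p):
        raise ValueError("tunnel addressing is inconsistent")
    if side == "local":
        me, peer = p["local_address"], p["remote_address"]
        my_ipip, peer_ipip, far_net = p["local_ipip"], p["remote_ipip"], p["remote_network"]
    else:
        me, peer = p["remote_address"], p["local_address"]
        my_ipip, peer_ipip, far_net = p["remote_ipip"], p["local_ipip"], p["local_network"]
    idx = p["tunnel_index"]
    next_hop = str(ipaddress.ip_interface(peer_ipip).ip)
    # One proposal block is reused for IKE and for the child SA, as in the session.
    proposal = [f"encryption {p['encryption']}", f"integrity {p['integrity']}",
                f"group {p['group']}", "exit"]
    return [
        f"tunnel ipip {idx}", f"source ipv4 address {me}",
        f"destination ipv4 address {peer}", "exit",
        f"ipsec tunnel {idx}", "enable", "crypto config-type ike", "crypto ike",
        f"version {p['ike_version']}", f"lifetime {p['ike_lifetime']}",
        "proposal 1", *proposal,
        "identity local", "type address", f"value {me}", "exit",
        "identity remote", "type address", f"value {peer}", "exit",
        "authentication local", "round 1", f"psk {psk}", "exit", "exit",
        "authentication remote", "round 1", f"psk {psk}", "exit", "exit",
        "child 1", f"lifetime {p['sa_lifetime']}", "proposal 1", *proposal,
        "exit",  # child 1
        "exit",  # crypto ike
        "exit",  # ipsec tunnel
        f"interface ipip{idx}", f"ip address {my_ipip}", f"mtu {p['mtu']}",
        "enable", "exit",
        "route table default", f"route {far_net}",
        f"next-hop 0 via {next_hop}", "exit", "exit",
    ]


def proposals_match(cmds_a, cmds_b):
    """Both peers must offer identical IKE/child proposals, versions and lifetimes."""
    keys = ("encryption ", "integrity ", "group ", "version ", "lifetime ")

    def pick(cmds):
        return [c for c in cmds if c.startswith(keys)]

    return pick(cmds_a) == pick(cmds_b)


if __name__ == "__main__":
    psk = generate_psk()
    for side in ("local", "remote"):
        print(f"# --- {side} peer ---")
        print("\n".join(render_site(PARAMS, psk, side)))
```

The output for each side is the command list to paste into `config` mode on that peer, in the same order as the session above. Deriving the remote peer's route and next hop from the local peer's interior address, rather than retyping them, removes the most common cause of a tunnel that negotiates but carries no traffic.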

This example is used as a reference throughout the remainder of the chapter.

Tip

If the TNSR device hardware supports cryptographic acceleration, enable it for optimal performance. See IPsec Cryptographic Acceleration for details.