IPsec Example¶
This is a basic site-to-site IPsec tunnel example. For additional examples of other types of IPsec, including remote access, see TNSR Configuration Example Recipes.
Required Information¶
This table contains the Required Information used to form the site-to-site IPsec tunnel for this example.
Item |
Value |
---|---|
Local Address |
203.0.113.2 |
Local IKE Identity |
203.0.113.2 |
Local Network(s) |
10.2.0.0/16 |
Remote Address |
203.0.113.25 |
Remote IKE Identity |
203.0.113.25 |
Remote Network(s) |
10.25.0.0/16 |
IKE Version |
2 |
IKE Lifetime |
28800 |
IKE Encryption |
AES-256 |
IKE Integrity |
SHA256 |
IKE DH/MODP Group |
2048 (14) |
IKE Authentication |
Pre-Shared Key |
Pre-Shared Key |
mysupersecretkey |
SA Lifetime |
3600 |
SA Encryption |
AES-256 |
SA Integrity |
SHA256 |
SA DH/MODP Group |
2048 (14) |
Local IPsec Address |
172.32.0.1/30 |
Remote IPsec Address |
172.32.0.2 |
Example Configuration¶
This configuration session implements the tunnel described by the settings in Example IPsec Configuration:
tnsr(config)# tunnel ipip 0
tnsr(config-ipip)# source ipv4 address 203.0.113.2
tnsr(config-ipip)# destination ipv4 address 203.0.113.25
tnsr(config-ipip)# exit
tnsr(config)# ipsec tunnel 0
tnsr(config-ipsec-tunnel)# enable
tnsr(config-ipsec-tunnel)# crypto config-type ike
tnsr(config-ipsec-tunnel)# crypto ike
tnsr(config-ipsec-crypto-ike)# version 2
tnsr(config-ipsec-crypto-ike)# lifetime 28800
tnsr(config-ipsec-crypto-ike)# proposal 1
tnsr(config-ike-proposal)# encryption aes256
tnsr(config-ike-proposal)# integrity sha256
tnsr(config-ike-proposal)# group modp2048
tnsr(config-ike-proposal)# exit
tnsr(config-ipsec-crypto-ike)# identity local
tnsr(config-ike-identity)# type address
tnsr(config-ike-identity)# value 203.0.113.2
tnsr(config-ike-identity)# exit
tnsr(config-ipsec-crypto-ike)# identity remote
tnsr(config-ike-identity)# type address
tnsr(config-ike-identity)# value 203.0.113.25
tnsr(config-ike-identity)# exit
tnsr(config-ipsec-crypto-ike)# authentication local
tnsr(config-ike-authentication)# round 1
tnsr(config-ike-authentication-round)# psk mysupersecretkey
tnsr(config-ike-authentication-round)# exit
tnsr(config-ike-authentication)# exit
tnsr(config-ipsec-crypto-ike)# authentication remote
tnsr(config-ike-authentication)# round 1
tnsr(config-ike-authentication-round)# psk mysupersecretkey
tnsr(config-ike-authentication-round)# exit
tnsr(config-ike-authentication)# exit
tnsr(config-ipsec-crypto-ike)# child 1
tnsr(config-ike-child)# lifetime 3600
tnsr(config-ike-child)# proposal 1
tnsr(config-ike-child-proposal)# encryption aes256
tnsr(config-ike-child-proposal)# integrity sha256
tnsr(config-ike-child-proposal)# group modp2048
tnsr(config-ike-child-proposal)# exit
tnsr(config-ike-child)# exit
tnsr(config-ipsec-crypto-ike)# exit
tnsr(config-ipsec-tunnel)# exit
tnsr(config)# interface ipip0
tnsr(config-interface)# ip address 172.32.0.1/30
tnsr(config-interface)# mtu 1400
tnsr(config-interface)# enable
tnsr(config-interface)# exit
tnsr(config)# route table default
tnsr(config-route-table)# route 10.25.0.0/16
tnsr(config-rttbl4-next-hop)# next-hop 0 via 172.32.0.2
tnsr(config-rttbl4-next-hop)# exit
tnsr(config-route-table)# exit
tnsr(config)# exit
This example is used as a reference through the remainder of the chapter.
Tip
If the TNSR device hardware supports cryptographic acceleration, enable it for optimal performance. See IPsec Cryptographic Acceleration for details.