- Foundry Router User Guide
Security Features
June 2004 © 2004 Foundry Networks, Inc. 15 - 19
Example 3: Joining Two Networks with an IPSec Tunnel using Multiple IPSec
Proposals
The following example demonstrates how a security gateway can use multiple IPSec (phase2) proposals to form
an IP security tunnel to join two private networks: 10.0.1.0/24 and 10.0.2.0/24.
IKE Proposal offered by both Router1 and Router2:
• Phase 1: 3DES and SHA1
IPSec Proposals offered by Router1:
• Phase 2: Proposal1: IPSec ESP with DES and HMAC-SHA1
• Phase 2: Proposal2: IPSec ESP with AES (256-bit) and HMAC-SHA1
IPSec Proposal offered by Router2:
• Phase 2: Proposal1: IPSec ESP with AES (256-bit) and HMAC-SHA1
In this example, the Router1 router offers two IPSec proposals to the peer while the Router2 router offers only one
proposal. As a result of quick mode negotiation, the two routers are expected to converge on a mutually
acceptable proposal, which is the proposal “IPSec ESP with AES (256-bit) and HMAC-SHA1” in this example.
Router1# show crypto ipsec sa all detail
Crypto Policy name: INRouter2
Protocol is Any
Local ident(ip/mask/port): (10.0.2.0/255.255.255.0/any)
Remote ident(ip/mask/port): (10.0.1.0/255.255.255.0/any)
Peer Address is 172.16.0.1, PFS Group is disabled
inbound ESP sas
Spi: 0xd603a513
Transform: aes256 (key length=256 bits), sha1
In use settings = {tunnel}
Bytes Processed 256
Hard lifetime in seconds 3560, Hard lifetime in kilobytes
413696
Soft lifetime in seconds 0, Soft lifetime in kilobytes is
unlimited
Crypto Policy name: Router2
Protocol is Any
Local ident(ip/mask/port): (10.0.1.0/255.255.255.0/any)
Remote ident(ip/mask/port): (10.0.2.0/255.255.255.0/any)
Peer Address is 172.16.0.2, PFS Group is disabled
outbound ESP sas
Spi: 0xb013de87
Transform: aes256 (key length=256 bits), sha1