Setup guide
[admin@Wandy] > ip ipsec peer add address=10.0.1.2 \
\... secret="gvejimezyfopmekun" enc-algorithm=des
• for CISCO router
! Configure ISAKMP policy (phase1 config, must match the configuration
! of "/ip ipsec peer" on RouterOS). Note that DES is the default
! encryption algorithm on Cisco and SHA1 is the default authentication
! algorithm, so the hash is set explicitly to match the RouterOS peer
crypto isakmp policy 9
 encryption des
 group 2
 hash md5
 exit
! Add preshared key to be used when talking to RouterOS
crypto isakmp key gvejimezyfopmekun address 10.0.1.1 255.255.255.255
2. Set encryption proposal (phase2 proposal - settings that will be used to encrypt actual data) to use DES to encrypt data
• for Wandy router
[admin@Wandy] > ip ipsec proposal set default enc-algorithms=des
• for CISCO router
! Create IPsec transform set - transformations that should be applied to
! traffic - ESP encryption with DES and ESP authentication with SHA1.
! This must match "/ip ipsec proposal"
crypto ipsec transform-set myset esp-des esp-sha-hmac
 mode tunnel
 exit
3. Add policy rule that matches traffic between subnets and requires encryption with ESP in tunnel mode
• for Wandy router
[admin@Wandy] > ip ipsec policy add \
\... src-address=10.0.0.0/24 dst-address=10.0.2.0/24 action=encrypt \
\... tunnel=yes sa-src=10.0.1.1 sa-dst=10.0.1.2
• for CISCO router
! Create access list that matches traffic that should be encrypted
access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.0.0 0.0.0.255
! Create crypto map that will use transform set "myset", use peer 10.0.1.1
! to establish SAs and encapsulate traffic, and use access-list 101 to
! match traffic that should be encrypted
crypto map mymap 10 ipsec-isakmp
 set peer 10.0.1.1
 set transform-set myset
 set pfs group2
 match address 101
 exit
! And finally apply the crypto map to the serial interface:
interface Serial 0
 crypto map mymap
 exit
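Most tunnel failures between these two platforms come from the phase2 settings not mirroring each other exactly. The following checker is an added example (not part of this guide or of RouterOS/Cisco), written in Python, that parses the RouterOS policy/proposal lines and the Cisco access-list/transform-set/peer lines from steps 2 and 3 above and reports any mismatch. It assumes the RouterOS proposal's authentication algorithm is left at its default (sha1, as the installed-SA output in step 4 shows) and only compares the settings the page actually sets.

```python
import ipaddress
import re

# Constructed inputs, copied from the RouterOS and Cisco sides of the guide.
ROUTEROS_POLICY = ("src-address=10.0.0.0/24 dst-address=10.0.2.0/24 "
                   "action=encrypt tunnel=yes sa-src=10.0.1.1 sa-dst=10.0.1.2")
ROUTEROS_PROPOSAL = "enc-algorithms=des"
CISCO_ACL = "access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.0.0 0.0.0.255"
CISCO_TRANSFORM = "crypto ipsec transform-set myset esp-des esp-sha-hmac"
CISCO_PEER = "set peer 10.0.1.1"


def wildcard_to_network(addr, wildcard):
    """Cisco wildcard masks are inverted netmasks: 0.0.0.255 means /24."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}")


def parse_acl(line):
    """Return (src_network, dst_network) from an extended 'permit ip' ACL entry."""
    m = re.match(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", line)
    return (wildcard_to_network(m.group(1), m.group(2)),
            wildcard_to_network(m.group(3), m.group(4)))


def parse_kv(line):
    """Split a RouterOS 'key=value key=value' line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def check_phase2(routeros_policy, routeros_proposal, cisco_acl, cisco_transform, cisco_peer):
    """Return a list of mismatches between the two ends; empty means they agree."""
    problems = []
    pol = parse_kv(routeros_policy)
    ros_src, ros_dst = ipaddress.ip_network(pol["src-address"]), ipaddress.ip_network(pol["dst-address"])
    c_src, c_dst = parse_acl(cisco_acl)
    # The Cisco ACL must be the exact mirror image of the RouterOS policy selectors.
    if (c_src, c_dst) != (ros_dst, ros_src):
        problems.append(f"selectors not mirrored: cisco {c_src}->{c_dst}, routeros {ros_src}->{ros_dst}")
    # "set peer" on Cisco must name the address RouterOS uses as sa-src.
    if cisco_peer.split()[-1] != pol["sa-src"]:
        problems.append(f"peer mismatch: cisco {cisco_peer.split()[-1]}, routeros sa-src {pol['sa-src']}")
    # The ESP cipher in the transform set (esp-des) must equal enc-algorithms on RouterOS.
    ros_enc = parse_kv(routeros_proposal)["enc-algorithms"]
    ciphers = [t[len("esp-"):] for t in cisco_transform.split()[4:]
               if t.startswith("esp-") and not t.endswith("-hmac")]
    if ros_enc not in ciphers:
        problems.append(f"cipher mismatch: routeros {ros_enc}, cisco {ciphers}")
    return problems


if __name__ == "__main__":
    print(check_phase2(ROUTEROS_POLICY, ROUTEROS_PROPOSAL, CISCO_ACL, CISCO_TRANSFORM, CISCO_PEER) or "phase2 settings match")
```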
4. Testing the IPsec tunnel
• on the Wandy router we can see the installed SAs
[admin@Wandy] ip ipsec installed-sa> print
Flags: A - AH, E - ESP, P - pfs, M - manual
0 E spi=9437482 direction=out src-address=10.0.1.1
    dst-address=10.0.1.2 auth-algorithm=sha1 enc-algorithm=des
    replay=4 state=mature
    auth-key="9cf2123b8b5add950e3e67b9eac79421d406aa09"
    enc-key="ffe7ec65b7a385c3" add-lifetime=24m/30m use-lifetime=0s/0s
    lifebytes=0/0 current-addtime=jul/12/2002 16:13:21
    current-usetime=jul/12/2002 16:13:21 current-bytes=71896
1 E spi=319317260 direction=in src-address=10.0.1.2