R2511-HP MSR Router Series Security Configuration Guide (V5)

Configuring aggressive mode IKE with NAT traversal
Network requirements
As shown in Figure 65, the branch and the headquarters connect to an ATM network through Router B
and Router A. Router B connects to the public network through an ADSL line and acts as the PPPoE client.
The interface connecting to the public network uses a private address dynamically assigned by the ISP.
Router A uses a fixed public IP address for the interface connected to the public network.
Configure IPsec tunnels between Router A and Router B to protect traffic between the branch and its
headquarters. Use IKE to establish the IPsec tunnels.
Figure 65 Network diagram
Configuration guidelines
The IKE negotiation mode must be aggressive because Router B uses a dynamic IP address.
You must configure NAT traversal at both ends of the IPsec tunnel because one end of the tunnel uses a
public IP address but the other end uses a private IP address.
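The guideline above says NAT traversal is required because Router B's interface carries a private address. As an added illustration (not part of the guide and not HP code), the following Python reproduces how IKE NAT traversal discovers that a NAT sits between the peers: each side sends NAT-D payloads of the form HASH(CKY-I | CKY-R | IP | Port) (RFC 3947) computed over the addresses it believes are in use, and the receiver compares them against the addresses it actually holds and actually sees on the wire. The cookies, ports and the 198.51.100.1 / 192.168.100.2 / 203.0.113.10 addresses are constructed values standing in for Router A's fixed public address, Router B's ISP-assigned private address and its translated address; they are not taken from the guide.

```python
"""NAT detection in IKEv1 phase 1 via NAT-D payloads (RFC 3947).

Added example, not from the HP MSR guide. Addresses, cookies and ports below
are constructed for the demonstration.
"""
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """HASH(CKY-I | CKY-R | IP | Port). SHA-1 is used here because the IKE
    proposal on the page negotiates 'authentication-algorithm sha'."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("IKEv1 cookies are 8 bytes each")
    return hashlib.sha1(
        cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    ).digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port):
    """Sender side: the first NAT-D payload hashes the destination (remote)
    address, the following one hashes the sender's own address as the sender
    believes it is seen."""
    return [
        nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
        nat_d_hash(cky_i, cky_r, local_ip, local_port),
    ]


def classify_nat(cky_i, cky_r, payloads, my_ip, my_port, observed_src_ip, observed_src_port):
    """Receiver side: compare the peer's hashes with the receiver's own address
    and with the source address/port actually observed on the packet."""
    if len(payloads) < 2:
        raise ValueError("expected at least two NAT-D payloads")
    dst_hash, src_hashes = payloads[0], payloads[1:]
    # Peer's view of *our* address differs from what we are -> we are behind NAT.
    local_behind_nat = dst_hash != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    # None of the peer's own-address hashes match the observed source -> peer is behind NAT.
    observed = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port)
    peer_behind_nat = observed not in src_hashes
    return {"local_behind_nat": local_behind_nat, "peer_behind_nat": peer_behind_nat}


# Constructed scenario values (not from the guide).
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("a1a2a3a4a5a6a7a8")
ROUTER_A_PUBLIC = "198.51.100.1"      # stands in for Router A's fixed public address
ROUTER_B_PRIVATE = "192.168.100.2"    # stands in for Router B's ISP-assigned private address
ROUTER_B_TRANSLATED = "203.0.113.10"  # what the ISP NAT presents to Router A


def scenario_behind_nat():
    """Router B (initiator) hashes its private address; Router A sees the
    translated address and a translated port, so the peer is flagged as NATed."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, ROUTER_B_PRIVATE, 500, ROUTER_A_PUBLIC, 500)
    return classify_nat(CKY_I, CKY_R, payloads, ROUTER_A_PUBLIC, 500, ROUTER_B_TRANSLATED, 14500)


def scenario_no_nat():
    """Same exchange with Router B holding a public address: hashes agree."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, ROUTER_B_TRANSLATED, 500, ROUTER_A_PUBLIC, 500)
    return classify_nat(CKY_I, CKY_R, payloads, ROUTER_A_PUBLIC, 500, ROUTER_B_TRANSLATED, 500)


if __name__ == "__main__":
    # When peer_behind_nat is True the peers move IKE and ESP to UDP port 4500
    # (UDP encapsulation); this is what the 'nat traversal' command enables.
    print("Router B behind NAT:", scenario_behind_nat())
    print("No NAT in path:     ", scenario_no_nat())
```

Because the hash covers the IKE cookies of this particular negotiation, a NAT-D value cannot be reused across sessions, and because it also covers the port, a NAT that rewrites only the source port is still detected. Only when a NAT is detected does the exchange move to UDP 4500 with UDP-encapsulated ESP, which is why both ends need `nat traversal` configured: a side without it would not send or evaluate NAT-D payloads at all.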
Configuration procedure
1. Configure Router A:
# Specify a name for the local security gateway.
<RouterA> system-view
[RouterA] ike local-name routera
# Configure an ACL.
[RouterA] acl number 3101
[RouterA-acl-adv-3101] rule 0 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
[RouterA-acl-adv-3101] quit
# Configure an IKE proposal.
[RouterA] ike proposal 1
[RouterA-ike-proposal-1] authentication-algorithm sha
[RouterA-ike-proposal-1] authentication-method pre-share
[RouterA-ike-proposal-1] encryption-algorithm 3des-cbc
[RouterA-ike-proposal-1] dh group2
# Configure an IKE peer.
[RouterA] ike peer peer
[RouterA-ike-peer-peer] exchange-mode aggressive
[RouterA-ike-peer-peer] pre-shared-key abc
[RouterA-ike-peer-peer] id-type name
[RouterA-ike-peer-peer] remote-name routerb
[RouterA-ike-peer-peer] nat traversal