R0106-HP MSR Router Series Security Configuration Guide(V7)

Max received sequence-number:
UDP encapsulation used for NAT traversal: N
Status: active
# Display the information about the CA certificate, local certificate, IKE SA, and IPsec SA on Device B.
[DeviceB] display ike sa
[DeviceB] display pki certificate domain domain2 ca
[DeviceB] display pki certificate domain domain2 local
[DeviceB] display ipsec sa
Aggressive mode with NAT traversal configuration example
This configuration example is not available when the device is operating in FIPS mode.
Network requirements
Device A is behind the NAT device. Configure an IPsec tunnel that uses IKE negotiation between Device
A and Device B to secure the communication between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.
Configure Device A and Device B to use the default IKE proposal for the aggressive-mode IKE negotiation
that sets up the IPsec SAs, and configure both devices to use the pre-shared key authentication method
for IKE phase 1. Because aggressive mode exchanges the identity payloads and the pre-shared-key-derived
hash before the channel is encrypted, use a long, random pre-shared key: a weak key can be recovered
offline from a captured negotiation.
Figure 89 Network diagram
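The NAT detection that decides the "UDP encapsulation used for NAT traversal" field shown by display ipsec sa, as an added Python example (not code from this guide or from the router): it computes the RFC 3947 NAT-D hashes that both peers exchange during the IKE negotiation and shows how each side concludes whether it, or its peer, sits behind a NAT. The router addresses come from the network diagram; the ISAKMP cookies, the translated address 3.3.3.3 and SHA-1 as the negotiated hash are assumptions. It goes beyond the single case in the text by running the check in both directions and by handling a NAT that also rewrites the UDP port, since the port is part of the hash.

```python
"""NAT detection in IKEv1 NAT traversal (RFC 3947), as an added example.

Each peer sends NAT-D payloads of the form HASH(CKY-I | CKY-R | IP | Port):
first for the address it believes the peer has, then for its own address.
The receiver recomputes the hashes from the addresses actually on the wire;
a mismatch means a NAT rewrote an address in between, so the peers move IKE
to UDP 4500 and UDP-encapsulate ESP.
"""
import hashlib
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

IKE_PORT = 500        # ISAKMP
NAT_T_PORT = 4500     # IKE and UDP-encapsulated ESP after NAT detection


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


def nat_d_hash(cky_i: bytes, cky_r: bytes, ep: Endpoint, hash_name: str = "sha1") -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).
    The hash is the one negotiated for the ISAKMP SA; SHA-1 is assumed here."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    data = cky_i + cky_r + ipaddress.ip_address(ep.ip).packed + struct.pack("!H", ep.port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d(cky_i: bytes, cky_r: bytes, remote: Endpoint, local: Endpoint) -> List[bytes]:
    """Sender: hash of the peer's address as this side sees it, then its own address."""
    return [nat_d_hash(cky_i, cky_r, remote), nat_d_hash(cky_i, cky_r, local)]


def detect_nat(cky_i: bytes, cky_r: bytes, payloads: List[bytes],
               my_addr: Endpoint, packet_src: Endpoint) -> Tuple[bool, bool]:
    """Receiver: returns (i_am_behind_nat, peer_is_behind_nat).

    payloads[0] is the peer's view of my address; if it differs from my real
    address, a NAT sits in front of me. payloads[1:] are the peer's own
    addresses; if none matches the source the packet arrived from, a NAT sits
    in front of the peer."""
    if len(payloads) < 2:
        raise ValueError("NAT-T requires at least two NAT-D payloads")
    i_am_behind_nat = payloads[0] != nat_d_hash(cky_i, cky_r, my_addr)
    src_hash = nat_d_hash(cky_i, cky_r, packet_src)
    peer_is_behind_nat = src_hash not in payloads[1:]
    return i_am_behind_nat, peer_is_behind_nat


def simulate_nat_t(device_a: Endpoint, device_b: Endpoint,
                   nat_translated: Optional[Endpoint]) -> dict:
    """Run the NAT-D exchange in both directions. nat_translated is the
    source address Device B sees for Device A's packets (None = no NAT)."""
    cky_i = bytes.fromhex("0011223344556677")   # constructed cookies
    cky_r = bytes.fromhex("8899aabbccddeeff")
    a_on_wire = nat_translated or device_a

    # Device A (initiator) -> Device B: A only knows its own, pre-NAT address.
    a_to_b = build_nat_d(cky_i, cky_r, remote=device_b, local=device_a)
    b_self_natted, b_sees_a_natted = detect_nat(cky_i, cky_r, a_to_b, device_b, a_on_wire)

    # Device B -> Device A: B reports A's address as it arrived (post-NAT).
    b_to_a = build_nat_d(cky_i, cky_r, remote=a_on_wire, local=device_b)
    a_self_natted, a_sees_b_natted = detect_nat(cky_i, cky_r, b_to_a, device_a, device_b)

    nat_in_path = b_self_natted or b_sees_a_natted or a_self_natted or a_sees_b_natted
    return {
        "device_a_behind_nat": a_self_natted,
        "device_b_behind_nat": b_self_natted,
        # both sides must reach the same conclusion about who is behind a NAT
        "consistent": (a_self_natted == b_sees_a_natted) and (b_self_natted == a_sees_b_natted),
        "ike_port": NAT_T_PORT if nat_in_path else IKE_PORT,
        "udp_encapsulation": nat_in_path,
    }


if __name__ == "__main__":
    # Addresses from the network diagram; 3.3.3.3 is a hypothetical NAT address.
    a = Endpoint("1.1.1.1", IKE_PORT)
    b = Endpoint("2.2.2.2", IKE_PORT)
    print(simulate_nat_t(a, b, Endpoint("3.3.3.3", IKE_PORT)))
    print(simulate_nat_t(a, b, None))
```

With the NAT in the path only Device A is flagged as behind a NAT, both devices agree on that, and the negotiation moves to UDP 4500 with UDP encapsulation on; without the NAT every hash matches and IKE stays on UDP 500. Changing the translated port to anything other than 500 produces the same result, because the port is hashed together with the address.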
Configuration procedure
1. Configure Device A:
# Assign an IP address to each interface. (Details not shown.)
# Configure ACL 3000 to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.
<DeviceA> system-view
[DeviceA] acl number 3000
[DeviceA-acl-adv-3000] rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[DeviceA-acl-adv-3000] quit
# Create an IPsec transform set named transform1.
[DeviceA] ipsec transform-set transform1
# Use the ESP protocol for the IPsec transform set.
[DeviceA-ipsec-transform-set-transform1] protocol esp
# Specify the encryption and authentication algorithms.
[DeviceA-ipsec-transform-set-transform1] esp encryption-algorithm 3des-cbc
Figure 89 Network diagram (topology recovered from the figure labels):
Host A 10.1.1.2/24 -- GE2/1/2 10.1.1.1/24 [Device A] GE2/1/1 1.1.1.1/16 -- NAT -- Internet -- GE2/1/1 2.2.2.2/16 [Device B] GE2/1/2 10.1.2.1/24 -- Host B 10.1.2.2/24