3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

170 CHAPTER 10: IPSEC CONFIGURATION
[secblade] ike peer same
[secblade-ike-peer-same] pre-shared-key 3com
[secblade-ike-peer-same] remote-address 50.0.0.1
[secblade-ike-peer-same] quit
# Configure the IPsec proposal.
[secblade] ipsec proposal tran
[secblade-ipsec-proposal-tran] encapsulation-mode tunnel
[secblade-ipsec-proposal-tran] transform esp
[secblade-ipsec-proposal-tran] esp encryption-algorithm des
[secblade-ipsec-proposal-tran] esp authentication-algorithm sha1
# Configure the IPsec policy.
[secblade] ipsec policy auto 1 isakmp
[secblade-ipsec-policy-isakmp-auto-1] ike-peer same
[secblade-ipsec-policy-isakmp-auto-1] proposal tran
[secblade-ipsec-policy-isakmp-auto-1] security acl 3000
[secblade-ipsec-policy-isakmp-auto-1] quit
# Apply the IPsec policy to the sub-interface of the external network.
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] ipsec policy auto
[secblade-GigabitEthernet0/0.2] quit
# Configure the static route.
[secblade] ip route-static 0.0.0.0 0 50.0.0.1
[secblade] ip route-static 10.0.0.0 24 30.0.0.1
# Quit IPsec module configuration view.
[secblade] quit
<secblade> quit
[SW8800]
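As an added example (not code from the 3Com guide), the following Python script parses the "[view] command" excerpt above, resolves the peer, proposal and policy references between views, and flags the two settings a reviewer would question in this configuration: single DES for ESP encryption and a short pre-shared key. The embedded sample text is taken from the excerpt; the 8-character key threshold and the severity labels are assumptions of this example.

```python
import re

# Constructed sample input: the IPsec module excerpt from the page, without the
# route and quit lines, which this audit does not inspect.
SAMPLE_CONFIG = """\
[secblade] ike peer same
[secblade-ike-peer-same] pre-shared-key 3com
[secblade-ike-peer-same] remote-address 50.0.0.1
[secblade] ipsec proposal tran
[secblade-ipsec-proposal-tran] encapsulation-mode tunnel
[secblade-ipsec-proposal-tran] transform esp
[secblade-ipsec-proposal-tran] esp encryption-algorithm des
[secblade-ipsec-proposal-tran] esp authentication-algorithm sha1
[secblade] ipsec policy auto 1 isakmp
[secblade-ipsec-policy-isakmp-auto-1] ike-peer same
[secblade-ipsec-policy-isakmp-auto-1] proposal tran
[secblade-ipsec-policy-isakmp-auto-1] security acl 3000
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] ipsec policy auto
"""

LINE_RE = re.compile(r"^\[([^\]]+)\]\s+(.+?)\s*$")  # "[view prompt] command"
MIN_PSK_LEN = 8  # assumed policy threshold, not a value from the guide


def parse_views(text):
    """Return {view prompt: [commands entered in that view, in order]}."""
    views = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            views.setdefault(m.group(1), []).append(m.group(2))
    return views


def audit(text):
    """Return (severity, message) findings: weak settings and dangling references."""
    views = parse_views(text)
    top = views.get("secblade", [])  # objects are created in the module view
    peers = {c.split()[2] for c in top if c.startswith("ike peer ")}
    proposals = {c.split()[2] for c in top if c.startswith("ipsec proposal ")}
    policies = {c.split()[2] for c in top if c.startswith("ipsec policy ")}
    out = []
    for view, cmds in views.items():
        for w in (c.split() for c in cmds):
            if view.startswith("secblade-ike-peer-") and w[0] == "pre-shared-key" and len(w[1]) < MIN_PSK_LEN:
                out.append(("high", f"{view}: pre-shared-key shorter than {MIN_PSK_LEN} characters"))
            if view.startswith("secblade-ipsec-proposal-") and w[:3] == ["esp", "encryption-algorithm", "des"]:
                out.append(("high", f"{view}: single DES selected for ESP"))
            if view.startswith("secblade-ipsec-policy-") and w[0] == "ike-peer" and w[1] not in peers:
                out.append(("error", f"{view}: ike-peer {w[1]} is not defined"))
            if view.startswith("secblade-ipsec-policy-") and w[0] == "proposal" and w[1] not in proposals:
                out.append(("error", f"{view}: proposal {w[1]} is not defined"))
            if view.startswith("secblade-GigabitEthernet") and w[:2] == ["ipsec", "policy"] and w[2] not in policies:
                out.append(("error", f"{view}: ipsec policy {w[2]} is not defined"))
    return out
```

Running `audit(SAMPLE_CONFIG)` on the page's excerpt reports the DES proposal and the four-character key and no dangling references; a policy that names an undefined proposal or peer is reported as an error.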
IPsec Troubleshooting

Symptom: When the IPsec policy is applied on an interface for the first time, the receive/send end can encrypt and decrypt the data flow; after the IPsec function is disabled, the receive/send end can communicate normally; when the IPsec policy is applied for the second time, packets do not go through IPsec processing, and the peer end cannot be pinged successfully.

Troubleshooting: This problem usually appears when the originator configures the IPsec policy directly in the IPsec policy view and the connected end creates its IPsec policy by importing an IPsec policy template. When the IPsec policy is applied for the first time, communication is normal. However, when you disable the function, a fast switching entry is established at the connected end. When you enable the IPsec policy for the second time, the presence of that fast switching entry causes IPsec processing of the packets to fail. Use the reset ip fast-forwarding cache command to clear the fast switching cache before enabling the IPsec policy for the second time; this solves the problem.