Router User Manual

2 IPSec and IKE troubleshooting
Nortel Secure Router 8000 Series
Troubleshooting - VAS
2-18 Nortel Networks Inc. Issue 01.01 (30 March 2009)
Item / Sub-item / Description

(Item continued from the previous page)
  Sub-item: Configure PFS
  Description: Enables Perfect Forward Secrecy (PFS) in the IPSec negotiation. By default, PFS is disabled. With PFS enabled, an additional Diffie-Hellman key exchange is performed in Phase 2, so the IPSec keys are not derived only from the Phase 1 keying material; compromise of the Phase 1 secret then does not reveal the IPSec session keys. If PFS is specified on the local end, the peer must also have PFS enabled when it initiates the negotiation. The Diffie-Hellman group specified on the two ends must be the same, or the negotiation fails.

Item: Configuring the IPSec policy group application
  Sub-item: Configure the interface type and ID
  Description: Indicates the interface on which the IPSec policy group is applied. For configuration notes, see the notes for Troubleshooting manual IPSec SA setup.

  Sub-item: Configure the name of the IPSec policy group
  Description: Apply only one IPSec policy group on one interface. For configuration notes, see the notes for Troubleshooting manual IPSec SA setup.
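The PFS rules in the table above, modelled in Python as an added example (this is not code from the Nortel manual or from the Secure Router software). It runs an IKEv1 Quick Mode between two peers: the negotiation fails when the two ends disagree on PFS or on the Diffie-Hellman group, and when PFS is on, the IPSec keying material (KEYMAT, RFC 2409 section 5.5) mixes in a fresh DH secret, so holding only the Phase 1 secret SKEYID_d no longer lets anyone recompute the IPSec keys. The class and function names, the SKEYID_d stand-in, and the protocol and SPI bytes are this example's own choices; the MODP primes are groups 1 and 2 from RFC 2409.

```python
"""IKEv1 Phase 2 (Quick Mode) keying with and without PFS.

Added example, not code from the Nortel manual or the Secure Router.
It models the rules in the table: both ends must agree on whether PFS is
used and on the Diffie-Hellman group, and PFS mixes a fresh DH secret
into the IPSec keys (KEYMAT, RFC 2409 section 5.5). The class and
function names, the SKEYID_d value, and the protocol and SPI bytes are
this example's own choices.
"""
import hashlib
import hmac
import secrets

# MODP groups 1 (768-bit) and 2 (1024-bit) from RFC 2409, generator 2.
# Both are too small for real use today; they appear here because the
# manual's DH-group settings refer to them.
_P768 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
_P1024 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
MODP_GROUPS = {1: (_P768, 2), 2: (_P1024, 2)}

PROTO_ESP = b"\x03"          # PROTO_IPSEC_ESP, as carried in the proposal
SPI = b"\x00\x00\x10\x01"    # constructed SPI for the example


class Peer:
    """One endpoint's Phase 2 policy plus the state of one Quick Mode run."""

    def __init__(self, name, pfs, dh_group=2):
        self.name = name
        self.pfs = pfs
        self.dh_group = dh_group
        self.nonce = secrets.token_bytes(16)   # Ni_b or Nr_b, sent in clear
        self._x = None                         # private DH exponent, never sent

    def ke_payload(self):
        """New exponent per Quick Mode; returns the public value (KE payload)."""
        p, g = MODP_GROUPS[self.dh_group]
        self._x = secrets.randbelow(p - 2) + 1
        return pow(g, self._x, p)

    def shared_secret(self, peer_public):
        """g(qm)^xy as fixed-width big-endian bytes."""
        p, _ = MODP_GROUPS[self.dh_group]
        return pow(peer_public, self._x, p).to_bytes((p.bit_length() + 7) // 8, "big")


def keymat(skeyid_d, protocol, spi, ni, nr, gxy=b""):
    """RFC 2409 s5.5: KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)."""
    return hmac.new(skeyid_d, gxy + protocol + spi + ni + nr, hashlib.sha1).digest()


def quick_mode(init, resp, skeyid_d, protocol=PROTO_ESP, spi=SPI):
    """Run Phase 2 between two peers.

    Returns (ok, reason, keymat_initiator, keymat_responder). A False ok
    with its reason is the failed negotiation the table warns about.
    """
    if init.pfs != resp.pfs:
        return False, "pfs-mismatch", None, None
    gxy_i = gxy_r = b""
    if init.pfs:
        if init.dh_group != resp.dh_group:
            return False, "dh-group-mismatch", None, None
        pub_i = init.ke_payload()            # KE in Quick Mode message 1
        pub_r = resp.ke_payload()            # KE in Quick Mode message 2
        gxy_i = init.shared_secret(pub_r)
        gxy_r = resp.shared_secret(pub_i)
    k_i = keymat(skeyid_d, protocol, spi, init.nonce, resp.nonce, gxy_i)
    k_r = keymat(skeyid_d, protocol, spi, init.nonce, resp.nonce, gxy_r)
    if k_i != k_r:
        return False, "keymat-mismatch", k_i, k_r
    return True, "ok", k_i, k_r


def phase1_secret_suffices(skeyid_d, init, resp, k, protocol=PROTO_ESP, spi=SPI):
    """True if someone holding only SKEYID_d and the on-wire nonces can
    recompute KEYMAT k. Without PFS this is always True; with PFS it is
    False, which is the forward-secrecy property PFS provides."""
    return keymat(skeyid_d, protocol, spi, init.nonce, resp.nonce) == k


if __name__ == "__main__":
    sk = secrets.token_bytes(20)   # constructed stand-in for the Phase 1 SKEYID_d
    for pfs_a, g_a, pfs_b, g_b in [(True, 2, True, 2), (True, 1, True, 2),
                                   (True, 2, False, 2), (False, 2, False, 2)]:
        a, b = Peer("RouterA", pfs_a, g_a), Peer("RouterB", pfs_b, g_b)
        ok, why, k, _ = quick_mode(a, b, sk)
        recover = phase1_secret_suffices(sk, a, b, k) if ok else None
        print(f"A pfs={pfs_a} g{g_a} / B pfs={pfs_b} g{g_b}: {why}; "
              f"SKEYID_d alone recovers KEYMAT: {recover}")
```

The mismatch checks are done before any key material is derived, which mirrors where a real negotiation stops: a DH group or PFS disagreement is rejected at proposal matching, so the troubleshooting step is to compare the PFS setting and DH group on both routers before looking at anything else.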
Router A serves as the example for the configuration notes on setting up ISAKMP SAs. The
configurations on Router B are the same as those on Router A, with the local and remote names swapped.
The following sections cover only some of the commands for configuring an ISAKMP SA. For more information,
see Nortel Secure Router 8000 Series Configuration Guide - Security (NN46240-600).
Configuring the local ID for IKE
# Configure the host local ID in aggressive IKE negotiation mode.
<RouterA> system-view
[RouterA] ike local-name routera
Configuring an IKE proposal
Use the default IKE proposal between the IKE peers.
Configuring the IKE peer
# Configure an IKE peer named routerb: use aggressive negotiation mode, set the local ID type to
"name", preset the shared key to nortel, and set the remote IP address to 202.38.162.1. The
shared keys configured on the two peers must be identical. Use a long random key rather than a
word like nortel: in aggressive mode the identities are sent in clear and a passive observer can
capture the authentication hash and guess the pre-shared key offline.
[RouterA] ike peer routerb
[RouterA-ike-peer-routerb] exchange-mode aggressive
[RouterA-ike-peer-routerb] local-id-type name
[RouterA-ike-peer-routerb] pre-shared-key nortel
[RouterA-ike-peer-routerb] remote-name routerb