Router User Manual

2 IPSec and IKE troubleshooting
Nortel Secure Router 8000 Series
Troubleshooting - VAS
2-38 Nortel Networks Inc. Issue 01.01 (30 March 2009)
[RouterA-Ethernet1/2/0] ipsec policy map1
Router B
For information about configuring Router B, see the configuration notes for “Troubleshooting
SA setup using an IPSec policy template.”
1. Configure the local ID for IKE.
# Configure the local ID of the host in aggressive IKE negotiation mode.
<RouterB> system-view
[RouterB] ike local-name routerb
2. Configure IKE proposals.
If no IKE proposal is configured, the IKE ends use the default IKE proposal.
3. Configure the IKE peer.
# Configure the name of the IKE peer to routera, use aggressive negotiation mode, set
“name” as the local ID authentication type, and preset the shared key to nortel. Enable
NAT traversal on it.
Note the following:
- The shared keys configured on the connected peers must be consistent.
- “Name” is used as the ID authentication type. The remote name must be the same as the
  local IKE ID configured on the peer through the ike local-name command.
- You need not configure the remote IP address.
[RouterB] ike peer routera
[RouterB-ike-peer-routera] exchange-mode aggressive
[RouterB-ike-peer-routera] local-id-type name
[RouterB-ike-peer-routera] pre-shared-key nortel
[RouterB-ike-peer-routera] remote-name routera
[RouterB-ike-peer-routera] nat traversal
4. Configure an ACL.
No ACL is configured on Router B; that is, the data to protect is left unspecified here and is
determined by the ACL rules configured on the negotiation initiator.
5. Configure an IPSec proposal.
# Configure the name of IPSec proposal to tran1. The proposal uses the tunnel mode,
SHA-1 authentication algorithm, and DES encryption algorithm.
[RouterB] ipsec proposal tran1
[RouterB-ipsec-proposal-tran1] encapsulation-mode tunnel
[RouterB-ipsec-proposal-tran1] transform esp
[RouterB-ipsec-proposal-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-proposal-tran1] esp encryption-algorithm des
6. Configure an IPSec policy template.
# Configure the name of the IPSec policy template to maptemp and the sequence number
to 10. The ACL is not required. Use the configured IPSec proposal tran1 and configure
the IKE peer to routerb.
[RouterB] ipsec policy-template maptemp 10
[RouterB-ipsec-policy-templet-maptemp-10] proposal tran1
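The notes under step 3 and the IPSec proposal in step 5 describe constraints that are easy to get wrong when two routers are configured by hand: the pre-shared keys must be identical, each remote-name must equal the other side's ike local-name, and both ends must use the same exchange mode and NAT traversal setting. The following checker is an added example, not code from the Nortel manual or the Secure Router software. It parses prompt-prefixed CLI lines in the format shown in the steps above and reports mismatches before any IKE negotiation is attempted. The Router A side of the sample, the assumed default exchange mode ("main") and the weak-algorithm warning list are constructed assumptions; the command keywords come from the page.

```python
"""Consistency checker for a pair of IKE/IPsec CLI configuration snippets (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Prompt forms seen on the page: "[RouterB]", "[RouterB-ike-peer-routera]", "[RouterB-ipsec-proposal-tran1]"
PROMPT_RE = re.compile(r"^\[(?P<router>[A-Za-z0-9_]+)(?P<view>(?:-[^\]]*)?)\]\s*(?P<cmd>.+)$")
PEER_VIEW_RE = re.compile(r"^-ike-peer-(?P<peer>\S+)$")
PROPOSAL_VIEW_RE = re.compile(r"^-ipsec-proposal-(?P<name>\S+)$")
WEAK_ALGOS = {"des", "md5", "sha1"}   # reported as warnings, not errors
DEFAULT_EXCHANGE_MODE = "main"        # assumption: applied when exchange-mode is not set


@dataclass
class RouterConfig:
    name: str
    local_name: Optional[str] = None
    peers: Dict[str, dict] = field(default_factory=dict)      # ike peer name -> attributes
    proposals: Dict[str, dict] = field(default_factory=dict)  # ipsec proposal name -> attributes


def parse(text: str) -> Dict[str, RouterConfig]:
    """Build one RouterConfig per router prompt found in the text."""
    routers: Dict[str, RouterConfig] = {}
    for raw in text.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m:  # blank lines, "# comment" lines and "<Router>" user-view lines are skipped
            continue
        rc = routers.setdefault(m.group("router"), RouterConfig(m.group("router")))
        view, parts = m.group("view"), m.group("cmd").split()
        if view == "":  # system view
            if parts[:2] == ["ike", "local-name"]:
                rc.local_name = parts[2]
            elif parts[:2] == ["ike", "peer"]:
                rc.peers.setdefault(parts[2], {})
            elif parts[:2] == ["ipsec", "proposal"]:
                rc.proposals.setdefault(parts[2], {})
            continue
        pm = PEER_VIEW_RE.match(view)
        if pm:  # ike-peer view: keep the attributes the checks need
            peer = rc.peers.setdefault(pm.group("peer"), {})
            if len(parts) >= 2 and parts[0] in ("exchange-mode", "local-id-type",
                                                "pre-shared-key", "remote-name", "remote-address"):
                peer[parts[0]] = parts[1]
            elif parts[:2] == ["nat", "traversal"]:
                peer["nat-traversal"] = True
            continue
        pp = PROPOSAL_VIEW_RE.match(view)
        if pp:  # ipsec-proposal view
            prop = rc.proposals.setdefault(pp.group("name"), {})
            if len(parts) == 2 and parts[0] in ("encapsulation-mode", "transform"):
                prop[parts[0]] = parts[1]
            elif parts[0] == "esp" and len(parts) == 3:  # esp authentication-/encryption-algorithm X
                prop[parts[1]] = parts[2]
    return routers


def check_pair(a: RouterConfig, a_peer: str, b: RouterConfig, b_peer: str) -> Tuple[List[str], List[str]]:
    """Check the two ike-peer entries that describe each other; return (errors, warnings)."""
    errors: List[str] = []
    warnings: List[str] = []
    pa, pb = a.peers[a_peer], b.peers[b_peer]
    if pa.get("pre-shared-key") != pb.get("pre-shared-key"):
        errors.append("pre-shared keys differ")
    if pa.get("exchange-mode", DEFAULT_EXCHANGE_MODE) != pb.get("exchange-mode", DEFAULT_EXCHANGE_MODE):
        errors.append("exchange modes differ")
    if pa.get("nat-traversal", False) != pb.get("nat-traversal", False):
        errors.append("nat traversal enabled on only one side")
    for side, peer, other in ((a, pa, b), (b, pb, a)):  # remote-name must equal the peer's ike local-name
        if "remote-name" in peer and peer["remote-name"] != other.local_name:
            errors.append(f"{side.name}: remote-name {peer['remote-name']!r} does not match "
                          f"{other.name} ike local-name {other.local_name!r}")
    for r in (a, b):
        for name, prop in r.proposals.items():
            for algo in (prop.get("authentication-algorithm"), prop.get("encryption-algorithm")):
                if algo in WEAK_ALGOS:
                    warnings.append(f"{r.name} proposal {name}: {algo} is a weak algorithm")
    return errors, warnings


def audit(text: str, a: str, a_peer: str, b: str, b_peer: str) -> Tuple[List[str], List[str]]:
    routers = parse(text)
    return check_pair(routers[a], a_peer, routers[b], b_peer)


# Constructed sample: Router B's commands from the page plus an assumed matching Router A side.
SAMPLE_OK = """
[RouterA] ike local-name routera
[RouterA] ike peer routerb
[RouterA-ike-peer-routerb] exchange-mode aggressive
[RouterA-ike-peer-routerb] local-id-type name
[RouterA-ike-peer-routerb] pre-shared-key nortel
[RouterA-ike-peer-routerb] remote-name routerb
[RouterA-ike-peer-routerb] nat traversal
[RouterB] ike local-name routerb
[RouterB] ike peer routera
[RouterB-ike-peer-routera] exchange-mode aggressive
[RouterB-ike-peer-routera] local-id-type name
[RouterB-ike-peer-routera] pre-shared-key nortel
[RouterB-ike-peer-routera] remote-name routera
[RouterB-ike-peer-routera] nat traversal
[RouterB] ipsec proposal tran1
[RouterB-ipsec-proposal-tran1] encapsulation-mode tunnel
[RouterB-ipsec-proposal-tran1] transform esp
[RouterB-ipsec-proposal-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-proposal-tran1] esp encryption-algorithm des
"""
# Constructed broken variant: mistyped key and a remote-name whose case does not match.
SAMPLE_BAD = (SAMPLE_OK
              .replace("[RouterA-ike-peer-routerb] pre-shared-key nortel",
                       "[RouterA-ike-peer-routerb] pre-shared-key n0rtel")
              .replace("[RouterA-ike-peer-routerb] remote-name routerb",
                       "[RouterA-ike-peer-routerb] remote-name RouterB"))

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        errs, warns = audit(sample, "RouterA", "routerb", "RouterB", "routera")
        print(label, "errors:", errs, "warnings:", warns)
```

The checker treats a key or name mismatch as an error because either one makes phase 1 fail with nothing more informative than a timeout on the initiator; the DES and SHA-1 findings are warnings only, since they match what the manual configures but are algorithms a current deployment would replace.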