08-IPsec Configuration

05-MSR Routers Establish Aggressive Mode IPsec VPN Between HQ and Multiple Branches

MSR Routers

Establish Aggressive Mode IPsec VPN Between HQ and Multiple Branches


Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

The following information provides an example for setting up an IPsec VPN between the headquarters (HQ) and branches by using aggressive mode IKE negotiation.

Prerequisites

The following information applies to Comware 7-based MSR router series. Procedures and information in the examples might be slightly different depending on the software or hardware version of the routers.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of IPsec.

Example: Establishing aggressive mode IPsec VPN between HQ and multiple branches

Network configuration

As shown in Figure 1, Device A is the gateway of Branch 1, Device B is the gateway of Branch 2, and Device C is the gateway of the headquarters (HQ). Device A and Device B connect to the Internet using PPPoE dial-up, while Device C connects to the Internet with a fixed IP address of 1.1.1.1/24. The HQ and branches communicate with each other over the public network.

To ensure security, establish an IPsec VPN tunnel between each branch and the HQ. The branches access each other through the tunnels, implementing secure data communication.

Figure 1 Network diagram


Software versions used

The configuration example was created and verified on R6749P15 of the MSR3610-X1 router.

Restrictions and guidelines

Ensure that Device A, Device B, and Device C are connected to the Internet, and that the GigabitEthernet 1/0/2 interfaces of Device A, Device B, and Device C have IPv4 connectivity to each other.

Procedures

Configuring Device A

1.     Configure IP addresses for interfaces:

# Configure an IP address for interface GigabitEthernet1/0/1.

<DeviceA> system-view

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] ip address 192.168.1.1 255.255.255.0

[DeviceA-GigabitEthernet1/0/1] quit

2.     Configure an ACL:

# Create ACL 3000.

[DeviceA] acl number 3000

# Define rule 0: Permit the data flow from subnet 192.168.1.0/24 of Branch 1 to subnet 192.168.2.0/24 of the HQ.

[DeviceA-acl-adv-3000] rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

# Define rule 1: Permit the data flow from subnet 192.168.1.0/24 of Branch 1 to subnet 192.168.3.0/24 of Branch 2.

[DeviceA-acl-adv-3000] rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

[DeviceA-acl-adv-3000] quit

3.     Configure an IKE proposal:

# Create IKE proposal 1.

[DeviceA] ike proposal 1

# Specify the authentication algorithm as HMAC-MD5.

[DeviceA-ike-proposal-1] authentication-algorithm md5

# Specify the encryption algorithm as 3DES-CBC.

[DeviceA-ike-proposal-1] encryption-algorithm 3des-cbc

[DeviceA-ike-proposal-1] quit

4.     Configure the local identity:

# Configure the local ID as FQDN name RTA.

[DeviceA] ike identity fqdn RTA

5.     Configure an IKE keychain:

# Create an IKE keychain named RTA. Specify plaintext 123456TESTplat&! as the pre-shared key for IKE negotiation with peer 1.1.1.1.

[DeviceA] ike keychain RTA

[DeviceA-ike-keychain-RTA] pre-shared-key address 1.1.1.1 key simple 123456TESTplat&!

[DeviceA-ike-keychain-RTA] quit

6.     Configure an IKE profile:

# Create an IKE profile named RTA.

[DeviceA] ike profile RTA

# Specify IKE keychain RTA for the IKE profile.

[DeviceA-ike-profile-RTA] keychain RTA

# Specify the IKE negotiation mode in phase 1 as the aggressive mode.

[DeviceA-ike-profile-RTA] exchange-mode aggressive

# Configure the local ID as FQDN name RTA.

[DeviceA-ike-profile-RTA] local-identity fqdn RTA

# Configure the peer ID as FQDN name zongbu.

[DeviceA-ike-profile-RTA] match remote identity fqdn zongbu

# Specify IKE proposal 1 for the IKE profile.

[DeviceA-ike-profile-RTA] proposal 1

[DeviceA-ike-profile-RTA] quit

7.     Configure an IPsec transform set:

# Create IPsec transform set 1.

[DeviceA] ipsec transform-set 1

# Set the packet encapsulation mode to tunnel.

[DeviceA-ipsec-transform-set-1] encapsulation-mode tunnel

# Use the ESP protocol for the IPsec transform set.

[DeviceA-ipsec-transform-set-1] protocol esp

# Specify the encryption and authentication algorithms used by ESP.

[DeviceA-ipsec-transform-set-1] esp encryption-algorithm 3des-cbc

[DeviceA-ipsec-transform-set-1] esp authentication-algorithm md5

[DeviceA-ipsec-transform-set-1] quit

8.     Configure an IPsec policy:

# Create an IKE-based IPsec policy entry. Specify the policy name as RTA and set the sequence number to 1.

[DeviceA] ipsec policy RTA 1 isakmp

[DeviceA-ipsec-policy-isakmp-RTA-1] security acl 3000

[DeviceA-ipsec-policy-isakmp-RTA-1] remote-address 1.1.1.1

[DeviceA-ipsec-policy-isakmp-RTA-1] ike-profile RTA

[DeviceA-ipsec-policy-isakmp-RTA-1] transform-set 1

[DeviceA-ipsec-policy-isakmp-RTA-1] quit

9.     Apply the IPsec policy to an interface:

# Apply IPsec policy RTA to interface Dialer10. (Dialer10 here is only an example. Choose a proper interface in your network to apply the IPsec policy.)

[DeviceA] interface Dialer 10

[DeviceA-Dialer10] ipsec apply policy RTA

[DeviceA-Dialer10] quit

Configuring Device B

1.     Configure IP addresses for interfaces:

# Configure an IP address for interface GigabitEthernet1/0/1.

<DeviceB> system-view

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] ip address 192.168.3.1 255.255.255.0

[DeviceB-GigabitEthernet1/0/1] quit

2.     Configure an ACL:

# Create ACL 3000.

[DeviceB] acl number 3000

# Define rule 0: Permit the data flow from subnet 192.168.3.0/24 of Branch 2 to subnet 192.168.2.0/24 of the HQ.

[DeviceB-acl-adv-3000] rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

# Define rule 1: Permit the data flow from subnet 192.168.3.0/24 of Branch 2 to subnet 192.168.1.0/24 of Branch 1.

[DeviceB-acl-adv-3000] rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

[DeviceB-acl-adv-3000] quit

3.     Configure an IKE proposal:

# Create IKE proposal 1.

[DeviceB] ike proposal 1

# Specify the authentication algorithm as HMAC-MD5.

[DeviceB-ike-proposal-1] authentication-algorithm md5

# Specify the encryption algorithm as 3DES-CBC.

[DeviceB-ike-proposal-1] encryption-algorithm 3des-cbc

[DeviceB-ike-proposal-1] quit

4.     Configure the local identity:

# Configure the local ID as FQDN name RTB.

[DeviceB] ike identity fqdn RTB

5.     Configure an IKE keychain:

# Create an IKE keychain named RTB. Specify plaintext 123456TESTplat&! as the pre-shared key for IKE negotiation with peer 1.1.1.1.

[DeviceB] ike keychain RTB

[DeviceB-ike-keychain-RTB] pre-shared-key address 1.1.1.1 key simple 123456TESTplat&!

[DeviceB-ike-keychain-RTB] quit

6.     Configure an IKE profile:

# Create an IKE profile named RTB.

[DeviceB] ike profile RTB

# Specify IKE keychain RTB for the IKE profile.

[DeviceB-ike-profile-RTB] keychain RTB

# Specify the IKE negotiation mode in phase 1 as the aggressive mode.

[DeviceB-ike-profile-RTB] exchange-mode aggressive

# Specify the FQDN name RTB as the local ID.

[DeviceB-ike-profile-RTB] local-identity fqdn RTB

# Specify the FQDN name zongbu as the peer ID.

[DeviceB-ike-profile-RTB] match remote identity fqdn zongbu

# Specify IKE proposal 1 for the IKE profile.

[DeviceB-ike-profile-RTB] proposal 1

[DeviceB-ike-profile-RTB] quit

7.     Configure an IPsec transform set:

# Create IPsec transform set 1.

[DeviceB] ipsec transform-set 1

# Set the packet encapsulation mode to tunnel.

[DeviceB-ipsec-transform-set-1] encapsulation-mode tunnel

# Use the ESP protocol for the IPsec transform set.

[DeviceB-ipsec-transform-set-1] protocol esp

# Specify the encryption and authentication algorithms used by ESP.

[DeviceB-ipsec-transform-set-1] esp encryption-algorithm 3des-cbc

[DeviceB-ipsec-transform-set-1] esp authentication-algorithm md5

[DeviceB-ipsec-transform-set-1] quit

8.     Configure an IPsec policy:

# Create an IKE-based IPsec policy entry. Specify the policy name as RTB and set the sequence number to 1.

[DeviceB] ipsec policy RTB 1 isakmp

[DeviceB-ipsec-policy-isakmp-RTB-1] security acl 3000

[DeviceB-ipsec-policy-isakmp-RTB-1] remote-address 1.1.1.1

[DeviceB-ipsec-policy-isakmp-RTB-1] ike-profile RTB

[DeviceB-ipsec-policy-isakmp-RTB-1] transform-set 1

[DeviceB-ipsec-policy-isakmp-RTB-1] quit

9.     Apply the IPsec policy to an interface:

# Apply IPsec policy RTB to interface Dialer10. (Dialer10 here is only an example. Choose a proper interface in your network to apply the IPsec policy.)

[DeviceB] interface Dialer 10

[DeviceB-Dialer10] ipsec apply policy RTB

[DeviceB-Dialer10] quit

Configuring Device C

1.     Configure IP addresses for interfaces:

# Configure an IP address for interface GigabitEthernet 1/0/1.

<DeviceC> system-view

[DeviceC] interface gigabitethernet 1/0/1

[DeviceC-GigabitEthernet1/0/1] ip address 192.168.2.1 255.255.255.0

[DeviceC-GigabitEthernet1/0/1] quit

# Configure an IP address for interface GigabitEthernet 1/0/2.

[DeviceC] interface gigabitethernet 1/0/2

[DeviceC-GigabitEthernet1/0/2] ip address 1.1.1.1 255.255.255.0

[DeviceC-GigabitEthernet1/0/2] quit

2.     Configure ACL 3000:

# Create ACL 3000.

[DeviceC] acl number 3000

# Define rule 0: Permit the data flow from subnet 192.168.2.0/24 of HQ to subnet 192.168.1.0/24 of Branch 1.

[DeviceC-acl-adv-3000] rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

# Define rule 1: Permit the data flow from subnet 192.168.3.0/24 of Branch 2 to subnet 192.168.1.0/24 of Branch 1.

[DeviceC-acl-adv-3000] rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

[DeviceC-acl-adv-3000] quit

3.     Configure ACL 3001:

# Create ACL 3001.

[DeviceC] acl number 3001

# Define rule 0: Permit the data flow from subnet 192.168.2.0/24 of HQ to subnet 192.168.3.0/24 of Branch 2.

[DeviceC-acl-adv-3001] rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

# Define rule 1: Permit the data flow from subnet 192.168.1.0/24 of Branch 1 to subnet 192.168.3.0/24 of Branch 2.

[DeviceC-acl-adv-3001] rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

[DeviceC-acl-adv-3001] quit

4.     Configure an IKE proposal:

# Create IKE proposal 1.

[DeviceC] ike proposal 1

# Specify the authentication algorithm as HMAC-MD5.

[DeviceC-ike-proposal-1] authentication-algorithm md5

# Specify the encryption algorithm as 3DES-CBC.

[DeviceC-ike-proposal-1] encryption-algorithm 3des-cbc

[DeviceC-ike-proposal-1] quit

5.     Configure the local identity:

# Configure the local ID as FQDN name zongbu.

[DeviceC] ike identity fqdn zongbu

6.     Configure an IKE keychain:

# Create an IKE keychain named RTA. Specify plaintext 123456TESTplat&! as the pre-shared key for IKE negotiation with the peer identified by FQDN RTA.

[DeviceC] ike keychain RTA

[DeviceC-ike-keychain-RTA] pre-shared-key hostname RTA key simple 123456TESTplat&!

[DeviceC-ike-keychain-RTA] quit

# Create an IKE keychain named RTB. Specify plaintext 123456TESTplat&! as the pre-shared key for IKE negotiation with the peer identified by FQDN RTB.

[DeviceC] ike keychain RTB

[DeviceC-ike-keychain-RTB] pre-shared-key hostname RTB key simple 123456TESTplat&!

[DeviceC-ike-keychain-RTB] quit

7.     Configure IKE profile RTA:

# Create an IKE profile named RTA.

[DeviceC] ike profile RTA

# Specify IKE keychain RTA for the IKE profile.

[DeviceC-ike-profile-RTA] keychain RTA

# Specify the IKE negotiation mode in phase 1 as the aggressive mode.

[DeviceC-ike-profile-RTA] exchange-mode aggressive

# Configure the FQDN name zongbu as the local ID.

[DeviceC-ike-profile-RTA] local-identity fqdn zongbu

# Configure the peer ID as FQDN RTA.

[DeviceC-ike-profile-RTA] match remote identity fqdn RTA

# Specify IKE proposal 1 for the IKE profile.

[DeviceC-ike-profile-RTA] proposal 1

[DeviceC-ike-profile-RTA] quit

8.     Configure IKE profile RTB:

# Create an IKE profile named RTB.

[DeviceC] ike profile RTB

# Specify IKE keychain RTB for the IKE profile.

[DeviceC-ike-profile-RTB] keychain RTB

# Specify the IKE negotiation mode in phase 1 as the aggressive mode.

[DeviceC-ike-profile-RTB] exchange-mode aggressive

# Configure the FQDN name zongbu as the local ID.

[DeviceC-ike-profile-RTB] local-identity fqdn zongbu

# Configure the peer ID as FQDN name RTB.

[DeviceC-ike-profile-RTB] match remote identity fqdn RTB

# Specify IKE proposal 1 for the IKE profile.

[DeviceC-ike-profile-RTB] proposal 1

[DeviceC-ike-profile-RTB] quit

9.     Configure an IPsec transform set:

# Create IPsec transform set 1.

[DeviceC] ipsec transform-set 1

# Set the packet encapsulation mode to tunnel.

[DeviceC-ipsec-transform-set-1] encapsulation-mode tunnel

# Use the ESP protocol for the IPsec transform set.

[DeviceC-ipsec-transform-set-1] protocol esp

# Specify the encryption and authentication algorithms used by ESP.

[DeviceC-ipsec-transform-set-1] esp encryption-algorithm 3des-cbc

[DeviceC-ipsec-transform-set-1] esp authentication-algorithm md5

[DeviceC-ipsec-transform-set-1] quit

10.     Configure an IPsec policy template:

# Create and configure an IPsec policy template named t1 with a sequence number of 1.

[DeviceC] ipsec policy-template t1 1

[DeviceC-ipsec-policy-template-t1-1] security acl 3000

[DeviceC-ipsec-policy-template-t1-1] ike-profile RTA

[DeviceC-ipsec-policy-template-t1-1] transform-set 1

[DeviceC-ipsec-policy-template-t1-1] quit

# Create and configure an IPsec policy template named t2 with a sequence number of 1.

[DeviceC] ipsec policy-template t2 1

[DeviceC-ipsec-policy-template-t2-1] security acl 3001

[DeviceC-ipsec-policy-template-t2-1] ike-profile RTB

[DeviceC-ipsec-policy-template-t2-1] transform-set 1

[DeviceC-ipsec-policy-template-t2-1] quit

11.     Configure an IKE-based IPsec policy:

# Create and configure an IPsec policy named zongbu with a sequence number of 1, based on IPsec policy template t1.

[DeviceC] ipsec policy zongbu 1 isakmp template t1

# Create and configure an IPsec policy named zongbu with a sequence number of 2, based on IPsec policy template t2.

[DeviceC] ipsec policy zongbu 2 isakmp template t2

12.     Apply the IPsec policy to an interface:

# Apply IPsec policy zongbu to GigabitEthernet 1/0/2.

[DeviceC] interface gigabitethernet 1/0/2

[DeviceC-GigabitEthernet1/0/2] ipsec apply policy zongbu

[DeviceC-GigabitEthernet1/0/2] quit
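In this hub-and-spoke design the HQ tells the branches apart by the FQDN each one presents during aggressive mode negotiation, so three things must line up: the branch's local-identity fqdn must equal the match remote identity fqdn of exactly one HQ IKE profile, that HQ profile's local-identity must be the FQDN the branch expects, and the ACL of the HQ policy template bound to that profile must mirror the branch ACL flow for flow. The following Python checker is added here as an example and is not part of the H3C document or its software; it parses constructed excerpts of the three device configurations above (in configuration-file form, with only the ACL, IPsec policy/template and IKE profile lines) and reports where those conditions fail. The parser only understands the line shapes used in this example (acl number, rule ... permit ip source ... destination ..., ipsec policy / policy-template, ike profile), and all function names are this example's own.

```python
import re

# Constructed excerpts of the Device A, Device B and Device C configuration files
# from this example: only the ACL, IPsec policy/template and IKE profile lines.
DEVICE_A = """\
acl number 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
ipsec policy RTA 1 isakmp
 ike-profile RTA
 security acl 3000
ike profile RTA
 local-identity fqdn RTA
 match remote identity fqdn zongbu
"""
DEVICE_B = """\
acl number 3000
 rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ipsec policy RTB 1 isakmp
 security acl 3000
 ike-profile RTB
ike profile RTB
 local-identity fqdn RTB
 match remote identity fqdn zongbu
"""
DEVICE_C = """\
acl number 3000
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
acl number 3001
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
 rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
ipsec policy-template t1 1
 security acl 3000
 ike-profile RTA
ipsec policy-template t2 1
 security acl 3001
 ike-profile RTB
ike profile RTA
 local-identity fqdn zongbu
 match remote identity fqdn RTA
ike profile RTB
 local-identity fqdn zongbu
 match remote identity fqdn RTB
"""
RULE_RE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")

def parse_sections(text):
    """Comware config -> [(header, [body lines])]: an unindented line opens a
    section, indented lines belong to it, blank and '#' lines are skipped."""
    sections = []
    for line in (l for l in text.splitlines() if l.strip() not in ("", "#")):
        if line[0].isspace():
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections

def to_prefix(addr, wildcard):
    """'192.168.1.0', '0.0.0.255' -> '192.168.1.0/24' (wildcard 1-bits are host bits)."""
    return f"{addr}/{32 - sum(bin(int(o)).count('1') for o in wildcard.split('.'))}"

def field(body, prefix):
    # Value of the first body line that starts with prefix, or None.
    return next((l[len(prefix):].strip() for l in body if l.startswith(prefix)), None)

def acl_flows(sections):
    """ACL number -> set of (source prefix, destination prefix) the ACL permits."""
    return {h.split()[-1]: {(to_prefix(m[1], m[2]), to_prefix(m[3], m[4]))
                            for m in map(RULE_RE.match, b) if m}
            for h, b in sections if h.startswith("acl number ")}

def ike_profiles(sections):
    """IKE profile name -> (own FQDN, FQDN required from the peer)."""
    return {h.split()[2]: (field(b, "local-identity fqdn"), field(b, "match remote identity fqdn"))
            for h, b in sections if h.startswith("ike profile ")}

def policies(sections):
    """(ike-profile, security ACL) of every IPsec policy and policy template."""
    return [(field(b, "ike-profile"), field(b, "security acl")) for h, b in sections
            if h.startswith(("ipsec policy ", "ipsec policy-template "))]

def check_branch(branch_cfg, hq_cfg):
    """Mismatch descriptions for one branch against the HQ; an empty list means
    the IKE identities and the protected flows line up on both sides."""
    br, hq = parse_sections(branch_cfg), parse_sections(hq_cfg)
    br_prof, hq_prof = ike_profiles(br), ike_profiles(hq)
    findings = []
    for prof_name, br_acl in policies(br):
        own, expects = br_prof[prof_name]
        # The HQ needs exactly one profile that matches this branch's FQDN ...
        hits = [n for n, (_, remote) in hq_prof.items() if remote == own]
        if len(hits) != 1:
            findings.append(f"HQ has {len(hits)} IKE profiles matching FQDN {own}")
            continue
        # ... and that profile must present the FQDN the branch was told to expect.
        if hq_prof[hits[0]][0] != expects:
            findings.append(f"{own} expects peer {expects}, HQ profile {hits[0]} presents {hq_prof[hits[0]][0]}")
        # The ACL of the HQ template bound to that profile must mirror the branch ACL.
        hq_flows = {f for prof, acl in policies(hq) if prof == hits[0]
                    for f in acl_flows(hq).get(acl, set())}
        br_flows = acl_flows(br).get(br_acl, set())
        for side, mine, theirs in (("branch", br_flows, hq_flows), ("HQ", hq_flows, br_flows)):
            findings += [f"{own}: {side} flow {s}->{d} has no mirror rule on the other side"
                         for s, d in mine if (d, s) not in theirs]
    return findings
```

Run check_branch(DEVICE_A, DEVICE_C) and check_branch(DEVICE_B, DEVICE_C); both return an empty list for the configuration in this example. Deleting one rule from a branch ACL, or changing the peer FQDN on either side, produces a one-line finding naming the branch and the flow or identity that no longer has a counterpart, which is the kind of asymmetry that otherwise only shows up as phase 2 negotiation failing for one direction of traffic.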

Verifying the configuration

# Initiate a connection from Host A to Host C to trigger IKE negotiation. Verify that you can ping 192.168.2.2 from 192.168.1.2 once the IPsec tunnel is established. The first request times out because it is sent while IKE negotiation is still in progress.

C:\Users> ping 192.168.2.2

 

Pinging 192.168.2.2 with 32 bytes of data:

Request timed out.

Reply from 192.168.2.2: bytes=32 time=2ms TTL=254

Reply from 192.168.2.2: bytes=32 time=2ms TTL=254

Reply from 192.168.2.2: bytes=32 time=1ms TTL=254

 

Ping statistics for 192.168.2.2:

    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),

Approximate round trip times in milli-seconds:

Minimum = 1ms, Maximum = 2ms, Average = 1ms

# Device A obtains IP address 2.2.2.1 through PPPoE dialup. Use the display ike sa command on Device A to verify that the phase 1 SA is established normally.

<DeviceA> display ike sa

    Connection-ID   Remote                Flag         DOI

------------------------------------------------------------------

    13              1.1.1.1/500           RD           IPsec

Flags:

RD--READY RL--REPLACED FD-FADING

<DeviceA> display ike sa verbose

   -----------------------------------------------

   Connection ID: 13

   Outside VPN:

   Inside VPN:

   Profile: RTA

   Transmitting entity: Initiator

   Initiator cookie: 1bcf453f0a217259

   Responder cookie: 5e32a74dfa66a0a4

   Output interface index: 2

   -----------------------------------------------

   Local IP/port: 2.2.2.1/500

   Local ID type: FQDN

   Local ID: RTA

 

   Remote IP/port: 1.1.1.1/500

   Remote ID type: IPV4_ADDR

   Remote ID: 1.1.1.1

 

   Authentication-method: PRE-SHARED-KEY

   Authentication-algorithm: MD5

   Encryption-algorithm: 3DES-CBC

 

   Life duration(sec): 86400

   Remaining key duration(sec): 84565

   Exchange-mode: Aggressive

   Diffie-Hellman group: Group 1

   NAT traversal: Detected

 

   Extend authentication: Disabled

   Assigned IP address:

   Vendor ID index: 0xa1d

   Vendor ID sequence number: 0x0

# On Device A, use the display ipsec sa command to view the IPsec SA created by phase 2 IKE negotiation.

<DeviceA> display ipsec sa

-------------------------------

Interface: Dialer10

-------------------------------

 

  -----------------------------

  IPsec policy: RTA

  Sequence number: 1

  Alias: RTA-1

  Mode: ISAKMP

  -----------------------------

    Tunnel id: 0

    Encapsulation mode: tunnel

    Perfect forward secrecy:

    Inside VPN:

    Extended Sequence Numbers enable: N

    Traffic Flow Confidentiality enable: N

    Transmitting entity: Initiator

    Path MTU: 1435

    Tunnel:

        local  address/port: 2.2.2.1/500

        remote address/port: 1.1.1.1/500

    Flow:

        sour addr: 192.168.1.0/255.255.255.0  port: 0  protocol: ip

        dest addr: 192.168.2.0/255.255.255.0  port: 0  protocol: ip

    [Inbound ESP SAs]

      SPI: 830667426 (0x3182faa2)

      Connection ID: 90194313219

      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843200/2313

      Max received sequence-number:

      Anti-replay check enable: Y

      Anti-replay window size: 64

      UDP encapsulation used for NAT traversal: Y

      Status: Active

 

    [Outbound ESP SAs]

      SPI: 3516214669 (0xd1952d8d)

      Connection ID: 64424509441

      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843200/2313

      Max sent sequence-number:

      UDP encapsulation used for NAT traversal: Y

      Status: Active
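The two displays above can be checked mechanically rather than by eye. The following Python example is added here and is not part of the H3C document or its software: it parses constructed excerpts of the display ike sa verbose and display ipsec sa output shown above, compares them with what Device A's configuration should produce (profile RTA, aggressive mode, FQDN identity RTA, peer 1.1.1.1/500, the ACL 3000 rule 0 flow, both ESP SAs active), and separately lists the negotiated algorithms that a reviewer-defined baseline marks as legacy. The expected-value table, the LEGACY set and all function names are assumptions of this example; MD5, 3DES-CBC and Group 1 are simply the values this output shows, spelled as the output spells them, and are widely considered obsolete for new deployments.

```python
import re

# Constructed excerpts of the 'display ike sa verbose' and 'display ipsec sa'
# output shown above for Device A; only the lines the checker reads are kept.
IKE_SA_VERBOSE = """\
   Connection ID: 13
   Profile: RTA
   Transmitting entity: Initiator
   Local IP/port: 2.2.2.1/500
   Local ID type: FQDN
   Local ID: RTA
   Remote IP/port: 1.1.1.1/500
   Remote ID type: IPV4_ADDR
   Remote ID: 1.1.1.1
   Authentication-method: PRE-SHARED-KEY
   Authentication-algorithm: MD5
   Encryption-algorithm: 3DES-CBC
   Exchange-mode: Aggressive
   Diffie-Hellman group: Group 1
   NAT traversal: Detected
"""
IPSEC_SA = """\
  IPsec policy: RTA
  Sequence number: 1
  Mode: ISAKMP
    Encapsulation mode: tunnel
    Flow:
        sour addr: 192.168.1.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 192.168.2.0/255.255.255.0  port: 0  protocol: ip
    [Inbound ESP SAs]
      SPI: 830667426 (0x3182faa2)
      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
      Status: Active
    [Outbound ESP SAs]
      SPI: 3516214669 (0xd1952d8d)
      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
      Status: Active
"""

# What Device A's configuration in this example leads us to expect from the IKE SA.
EXPECTED = {"Profile": "RTA", "Exchange-mode": "Aggressive", "Local ID type": "FQDN",
            "Local ID": "RTA", "Remote IP/port": "1.1.1.1/500",
            "Authentication-method": "PRE-SHARED-KEY"}
EXPECTED_FLOW = ("192.168.1.0/24", "192.168.2.0/24")   # ACL 3000 rule 0 on Device A
# Algorithm names (spelled as this output spells them) that the reviewer's own
# baseline treats as legacy; extend it with whatever your baseline forbids.
LEGACY = {"MD5", "3DES-CBC", "Group 1"}

def parse_kv(text):
    """'Key: value' lines -> dict; keys with no value map to ''."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and not key.startswith("["):
            out[key.strip()] = value.strip()
    return out

def mask_to_prefix(addr_mask):
    """'192.168.1.0/255.255.255.0' -> '192.168.1.0/24'."""
    addr, mask = addr_mask.split("/")
    return f"{addr}/{sum(bin(int(o)).count('1') for o in mask.split('.'))}"

def protected_flow(ipsec_text):
    """(source, destination) prefixes from the Flow block, or None if absent."""
    m = re.search(r"sour addr: (\S+).*?dest addr: (\S+)", ipsec_text, re.S)
    return tuple(mask_to_prefix(x) for x in m.groups()) if m else None

def esp_sa_status(ipsec_text):
    """[(direction, status)] for the inbound and outbound ESP SA blocks."""
    return re.findall(r"\[(Inbound|Outbound) ESP SAs\].*?Status: (\w+)", ipsec_text, re.S)

def verify_tunnel(ike_text, ipsec_text):
    """Compare the live SAs with the intended configuration and the algorithm
    baseline; returns {'mismatches': [...], 'legacy': [...]}."""
    ike = parse_kv(ike_text)
    mismatches, legacy = [], []
    for key, want in EXPECTED.items():
        if ike.get(key) != want:
            mismatches.append(f"{key}: got {ike.get(key)!r}, expected {want!r}")
    flow = protected_flow(ipsec_text)
    if flow != EXPECTED_FLOW:
        mismatches.append(f"protected flow {flow} differs from the ACL rule {EXPECTED_FLOW}")
    statuses = esp_sa_status(ipsec_text)
    if len(statuses) != 2:
        mismatches.append(f"expected inbound and outbound ESP SAs, found {len(statuses)}")
    mismatches += [f"{d} ESP SA status is {s}" for d, s in statuses if s != "Active"]
    for key in ("Authentication-algorithm", "Encryption-algorithm", "Diffie-Hellman group"):
        if ike.get(key) in LEGACY:
            legacy.append(f"IKE {key}: {ike[key]}")
    for ts in set(re.findall(r"Transform set: (.*)", ipsec_text)):
        legacy += [f"ESP transform set {ts} uses {name}" for name in sorted(LEGACY) if name in ts]
    return {"mismatches": mismatches, "legacy": legacy}
```

For the output in this example, verify_tunnel(IKE_SA_VERBOSE, IPSEC_SA) reports no mismatches and five legacy entries (the IKE authentication algorithm, encryption algorithm and DH group, plus the two ESP transforms). The same function run against output captured from a live router turns the "is the tunnel up with the parameters I configured?" question into a pass/fail check that can be scheduled or fed to monitoring.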

Configuration files

·     Device A:

#

interface GigabitEthernet1/0/1

 ip address 192.168.1.1 255.255.255.0

#

interface Dialer10

 ipsec apply policy RTA

#

acl number 3000

 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

 rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

#

ipsec transform-set 1

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm 3des-cbc

 esp authentication-algorithm md5

#

ipsec policy RTA 1 isakmp

 ike-profile RTA

 remote-address 1.1.1.1

 security acl 3000

 transform-set 1

#

ike identity fqdn RTA

#

ike keychain RTA

 pre-shared-key address 1.1.1.1 255.255.255.0 key cipher $c$3$n6jdlYtuR+K6mijQ8qp4hMMjV/iteA==

#

ike profile RTA

 keychain RTA

 exchange-mode aggressive

 local-identity fqdn RTA

 match remote identity fqdn zongbu

 proposal 1

#

ike proposal 1

 authentication-algorithm md5

 encryption-algorithm 3des-cbc

#

·     Device B:

#

interface GigabitEthernet1/0/1

 ip address 192.168.3.1 255.255.255.0

#

interface Dialer10

 ipsec apply policy RTB

#

acl number 3000

 rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

 rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

#

ipsec transform-set 1

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm 3des-cbc

 esp authentication-algorithm md5

#

ipsec policy RTB 1 isakmp

 transform-set 1

 security acl 3000

 remote-address 1.1.1.1

 ike-profile RTB

#

ike identity fqdn RTB

#

ike keychain RTB

 pre-shared-key address 1.1.1.1 255.255.255.0 key cipher $c$3$n6jdlYtuR+K6mijQ8qp4hMMjV/iteA==

#

ike profile RTB

 keychain RTB

 exchange-mode aggressive

 local-identity fqdn RTB

 match remote identity fqdn zongbu

 proposal 1

#

ike proposal 1

 authentication-algorithm md5

 encryption-algorithm 3des-cbc

#

·     Device C:

#

interface GigabitEthernet1/0/1

 ip address 192.168.2.1 255.255.255.0

#

interface GigabitEthernet1/0/2

 ip address 1.1.1.1 255.255.255.0

 ipsec apply policy zongbu

#

acl number 3000

 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

 rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

#

acl number 3001

 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

 rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

#

ipsec transform-set 1

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm 3des-cbc

 esp authentication-algorithm md5

#

#

ipsec policy-template t1 1

 security acl 3000

 ike-profile RTA

 transform-set 1

#

#

ipsec policy-template t2 1

 security acl 3001

 ike-profile RTB

 transform-set 1

#

ipsec policy zongbu 1 isakmp template t1

ipsec policy zongbu 2 isakmp template t2

#

#

ike identity fqdn zongbu

#

ike keychain RTA

 pre-shared-key hostname RTA key cipher $c$3$7tvgEkFh6On3KIybUaywz5NDiHtwJqU=

#

ike keychain RTB

 pre-shared-key hostname RTB key cipher $c$3$3ErJJ2M1lhES32CdsR3ofs5CdLvPJGk=

#

ike profile RTA

 keychain RTA

 exchange-mode aggressive

 local-identity fqdn zongbu

 match remote identity fqdn RTA

 proposal 1

#

ike profile RTB

 keychain RTB

 exchange-mode aggressive

 local-identity fqdn zongbu

 match remote identity fqdn RTB

 proposal 1

#

ike proposal 1

 authentication-algorithm md5

 encryption-algorithm 3des-cbc

#
