The branches of an enterprise access the headquarters through IPsec VPN. Device A is the headquarters gateway. Device B and Device C are the branch gateways.
Establish an IPsec tunnel between the headquarters gateway and each branch gateway to protect the data between the headquarters network (4.4.4.0/24) and the branch networks (5.5.5.0/24 and 6.6.6.0/24).
Configure the headquarters gateway Device A to use an IKE-based IPsec policy template and the branch gateways Device B and Device C to use an IKE-based IPsec policy to establish the IPsec tunnels.
Use the ESP security protocol, DES encryption algorithm, and HMAC-SHA-1-96 authentication algorithm to establish IPsec SAs.
Use the preshared key authentication mode, 3DES encryption algorithm, and HMAC-SHA1 authentication algorithm for IKE negotiation.
Figure 1 Network diagram
This configuration example was created and verified on R9071 of the M9000-AI-E8 device.
1. Assign IP addresses to interfaces:
# Assign an IP address to interface GigabitEthernet 1/0/1.
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/1] quit
# Assign IP addresses to other interfaces in the same way. (Details not shown.)
2. Configure settings for routing.
This example configures static routes, and the next hop in the routes is 1.1.1.2.
[DeviceA] ip route-static 2.2.2.2 24 1.1.1.2
[DeviceA] ip route-static 3.3.3.3 24 1.1.1.2
[DeviceA] ip route-static 5.5.5.0 255.255.255.0 1.1.1.2
[DeviceA] ip route-static 6.6.6.0 255.255.255.0 1.1.1.2
3. Add interfaces to security zones.
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceA-security-zone-Untrust] quit
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceA-security-zone-Trust] quit
4. Configure a security policy:
Configure rules to permit traffic between the Untrust and Local security zones, so the devices can set up an IPsec tunnel:
# Configure a rule named ipseclocalout1 to allow Device A to send IPsec negotiation packets to Device B.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name ipseclocalout1
[DeviceA-security-policy-ip-1-ipseclocalout1] source-zone local
[DeviceA-security-policy-ip-1-ipseclocalout1] destination-zone untrust
[DeviceA-security-policy-ip-1-ipseclocalout1] source-ip-host 1.1.1.1
[DeviceA-security-policy-ip-1-ipseclocalout1] destination-ip-host 2.2.2.2
[DeviceA-security-policy-ip-1-ipseclocalout1] action pass
[DeviceA-security-policy-ip-1-ipseclocalout1] quit
# Configure a rule named ipseclocalin1 to allow Device A to receive the IPsec negotiation packets sent from Device B.
[DeviceA-security-policy-ip] rule name ipseclocalin1
[DeviceA-security-policy-ip-2-ipseclocalin1] source-zone untrust
[DeviceA-security-policy-ip-2-ipseclocalin1] destination-zone local
[DeviceA-security-policy-ip-2-ipseclocalin1] source-ip-host 2.2.2.2
[DeviceA-security-policy-ip-2-ipseclocalin1] destination-ip-host 1.1.1.1
[DeviceA-security-policy-ip-2-ipseclocalin1] action pass
[DeviceA-security-policy-ip-2-ipseclocalin1] quit
# Configure a rule named ipseclocalout2 to allow Device A to send IPsec negotiation packets to Device C.
[DeviceA-security-policy-ip] rule name ipseclocalout2
[DeviceA-security-policy-ip-3-ipseclocalout2] source-zone local
[DeviceA-security-policy-ip-3-ipseclocalout2] destination-zone untrust
[DeviceA-security-policy-ip-3-ipseclocalout2] source-ip-host 1.1.1.1
[DeviceA-security-policy-ip-3-ipseclocalout2] destination-ip-host 3.3.3.3
[DeviceA-security-policy-ip-3-ipseclocalout2] action pass
[DeviceA-security-policy-ip-3-ipseclocalout2] quit
# Configure a rule named ipseclocalin2 to allow Device A to receive the IPsec negotiation packets sent from Device C.
[DeviceA-security-policy-ip] rule name ipseclocalin2
[DeviceA-security-policy-ip-4-ipseclocalin2] source-zone untrust
[DeviceA-security-policy-ip-4-ipseclocalin2] destination-zone local
[DeviceA-security-policy-ip-4-ipseclocalin2] source-ip-host 3.3.3.3
[DeviceA-security-policy-ip-4-ipseclocalin2] destination-ip-host 1.1.1.1
[DeviceA-security-policy-ip-4-ipseclocalin2] action pass
[DeviceA-security-policy-ip-4-ipseclocalin2] quit
Configure rules to permit the traffic between Host A and Host B or Host C:
# Configure a rule named trust-untrust to permit the packets from Host A to Host B.
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-5-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-5-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-5-trust-untrust] source-ip-subnet 4.4.4.0 24
[DeviceA-security-policy-ip-5-trust-untrust] destination-ip-subnet 5.5.5.0 24
[DeviceA-security-policy-ip-5-trust-untrust] action pass
[DeviceA-security-policy-ip-5-trust-untrust] quit
# Configure a rule named untrust-trust to permit the packets from Host B to Host A.
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-6-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-6-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-6-untrust-trust] source-ip-subnet 5.5.5.0 24
[DeviceA-security-policy-ip-6-untrust-trust] destination-ip-subnet 4.4.4.0 24
[DeviceA-security-policy-ip-6-untrust-trust] action pass
[DeviceA-security-policy-ip-6-untrust-trust] quit
# Enter the existing rule named trust-untrust and add the packets from Host A to Host C to it. (The rule already exists, so the rule name command re-enters it instead of creating a new rule.)
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-5-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-5-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-5-trust-untrust] source-ip-subnet 4.4.4.0 24
[DeviceA-security-policy-ip-5-trust-untrust] destination-ip-subnet 6.6.6.0 24
[DeviceA-security-policy-ip-5-trust-untrust] action pass
[DeviceA-security-policy-ip-5-trust-untrust] quit
# Enter the existing rule named untrust-trust and add the packets from Host C to Host A to it.
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-6-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-6-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-6-untrust-trust] source-ip-subnet 6.6.6.0 24
[DeviceA-security-policy-ip-6-untrust-trust] destination-ip-subnet 4.4.4.0 24
[DeviceA-security-policy-ip-6-untrust-trust] action pass
[DeviceA-security-policy-ip-6-untrust-trust] quit
[DeviceA-security-policy-ip] quit
5. Configure an IPsec transform set to specify the packet encapsulation mode, security protocols, and algorithms. The IPsec transform set settings at both sides of the IPsec tunnel must be the same.
[DeviceA] ipsec transform-set tran1
[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceA-ipsec-transform-set-tran1] protocol esp
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit
6. Configure IKE keychains to specify the key information used for IKE communication between peers. Each branch gets its own keychain and its own preshared key, so compromise of one branch key does not affect the other tunnel.
# Create an IKE keychain named key1 to specify the preshared key as 123 for communication with peer 2.2.2.2.
[DeviceA] ike keychain key1
[DeviceA-ike-keychain-key1] pre-shared-key address 2.2.2.2 key simple 123
[DeviceA-ike-keychain-key1] quit
# Create an IKE keychain named key2 to specify the preshared key as 456 for communication with peer 3.3.3.3.
[DeviceA] ike keychain key2
[DeviceA-ike-keychain-key2] pre-shared-key address 3.3.3.3 key simple 456
[DeviceA-ike-keychain-key2] quit
7. Configure an IKE profile to specify the security parameters used for setting up IKE SAs.
[DeviceA] ike profile profile1
[DeviceA-ike-profile-profile1] keychain key1
[DeviceA-ike-profile-profile1] keychain key2
[DeviceA-ike-profile-profile1] match remote identity address 2.2.2.2 255.255.255.0
[DeviceA-ike-profile-profile1] match remote identity address 3.3.3.3 255.255.255.0
[DeviceA-ike-profile-profile1] quit
8. Configure an IPsec policy template, which is used to create an IPsec policy:
# Create an IPsec policy template named temp1. Specify the IPsec transform set tran1 and IKE profile profile1 for the template.
[DeviceA] ipsec policy-template temp1 1
[DeviceA-ipsec-policy-template-temp1-1] transform-set tran1
[DeviceA-ipsec-policy-template-temp1-1] ike-profile profile1
[DeviceA-ipsec-policy-template-temp1-1] quit
9. Create an IKE-based IPsec policy entry by using IPsec policy template temp1, so as to establish the IPsec tunnel to protect data.
[DeviceA] ipsec policy map1 10 isakmp template temp1
10. Configure an IKE proposal to specify the security parameters used for IKE negotiation.
# Create an IKE proposal named 1, which uses the 3DES encryption algorithm, HMAC-SHA1 authentication algorithm, and preshared key authentication method.
[DeviceA] ike proposal 1
[DeviceA-ike-proposal-1] encryption-algorithm 3des-cbc
[DeviceA-ike-proposal-1] authentication-algorithm sha
[DeviceA-ike-proposal-1] authentication-method pre-share
[DeviceA-ike-proposal-1] quit
11. Apply the IPsec policy to interface GigabitEthernet 1/0/1 to protect traffic on the interface.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ipsec apply policy map1
[DeviceA-GigabitEthernet1/0/1] quit
1. Assign IP addresses to interfaces:
# Assign an IP address to interface GigabitEthernet 1/0/1.
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip address 2.2.2.2 255.255.255.0
[DeviceB-GigabitEthernet1/0/1] quit
# Assign IP addresses to other interfaces in the same way. (Details not shown.)
2. Configure settings for routing.
This example configures static routes, and the next hop in the routes is 2.2.2.3.
[DeviceB] ip route-static 4.4.4.0 24 2.2.2.3
[DeviceB] ip route-static 1.1.1.1 24 2.2.2.3
3. Add interfaces to security zones.
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceB-security-zone-Untrust] quit
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceB-security-zone-Trust] quit
4. Configure a security policy:
Configure rules to permit traffic between the Untrust and Local security zones, so the devices can set up an IPsec tunnel:
# Configure a rule named ipseclocalout to allow Device B to send IPsec negotiation packets to Device A.
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name ipseclocalout
[DeviceB-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceB-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceB-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.2.2
[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 1.1.1.1
[DeviceB-security-policy-ip-1-ipseclocalout] action pass
[DeviceB-security-policy-ip-1-ipseclocalout] quit
# Configure a rule named ipseclocalin to allow Device B to receive the IPsec negotiation packets sent from Device A.
[DeviceB-security-policy-ip] rule name ipseclocalin
[DeviceB-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceB-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 1.1.1.1
[DeviceB-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.2.2
[DeviceB-security-policy-ip-2-ipseclocalin] action pass
[DeviceB-security-policy-ip-2-ipseclocalin] quit
Configure rules to permit traffic between Host B and Host A:
# Configure a rule named trust-untrust to permit the packets from Host B to Host A.
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-ip-subnet 5.5.5.0 24
[DeviceB-security-policy-ip-3-trust-untrust] destination-ip-subnet 4.4.4.0 24
[DeviceB-security-policy-ip-3-trust-untrust] action pass
[DeviceB-security-policy-ip-3-trust-untrust] quit
# Configure a rule named untrust-trust to permit the packets from Host A to Host B.
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-4-untrust-trust] source-ip-subnet 4.4.4.0 24
[DeviceB-security-policy-ip-4-untrust-trust] destination-ip-subnet 5.5.5.0 24
[DeviceB-security-policy-ip-4-untrust-trust] action pass
[DeviceB-security-policy-ip-4-untrust-trust] quit
[DeviceB-security-policy-ip] quit
5. Define the data flows to be protected:
# Configure an IPv4 advanced ACL to identify data flows from subnet 5.5.5.0/24 to subnet 4.4.4.0/24.
[DeviceB] acl advanced 3000
[DeviceB-acl-ipv4-adv-3000] rule permit ip source 5.5.5.0 0.0.0.255 destination 4.4.4.0 0.0.0.255
[DeviceB-acl-ipv4-adv-3000] quit
6. Configure an IPsec transform set to specify the packet encapsulation mode, security protocols, and algorithms. The IPsec transform set settings at both sides of the IPsec tunnel must be the same.
[DeviceB] ipsec transform-set tran1
[DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceB-ipsec-transform-set-tran1] protocol esp
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-tran1] quit
7. Configure an IKE keychain to specify the key information used for IKE communication.
# Create an IKE keychain named key1 to specify the preshared key as 123 for communication with peer 1.1.1.1.
[DeviceB] ike keychain key1
[DeviceB-ike-keychain-key1] pre-shared-key address 1.1.1.1 key simple 123
[DeviceB-ike-keychain-key1] quit
8. Configure an IKE profile to specify the security parameters used for setting up IKE SAs.
[DeviceB] ike profile profile1
[DeviceB-ike-profile-profile1] keychain key1
[DeviceB-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0
[DeviceB-ike-profile-profile1] quit
9. Configure an IPsec policy, so as to establish the IPsec tunnel to protect data:
# Create an IKE-based IPsec policy entry, which specifies the ACL for IPsec, IPsec transform set, local and remote IP addresses, and IKE profile.
[DeviceB] ipsec policy map1 10 isakmp
[DeviceB-ipsec-policy-isakmp-map1-10] transform-set tran1
[DeviceB-ipsec-policy-isakmp-map1-10] security acl 3000
[DeviceB-ipsec-policy-isakmp-map1-10] local-address 2.2.2.2
[DeviceB-ipsec-policy-isakmp-map1-10] remote-address 1.1.1.1
[DeviceB-ipsec-policy-isakmp-map1-10] ike-profile profile1
[DeviceB-ipsec-policy-isakmp-map1-10] quit
10. Configure an IKE proposal to specify the security parameters used for IKE negotiation.
# Create an IKE proposal named 1, which uses the 3DES encryption algorithm, HMAC-SHA1 authentication algorithm, and preshared key authentication method.
[DeviceB] ike proposal 1
[DeviceB-ike-proposal-1] encryption-algorithm 3des-cbc
[DeviceB-ike-proposal-1] authentication-algorithm sha
[DeviceB-ike-proposal-1] authentication-method pre-share
[DeviceB-ike-proposal-1] quit
11. Apply the IPsec policy to interface GigabitEthernet 1/0/1 to protect traffic on the interface.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ipsec apply policy map1
[DeviceB-GigabitEthernet1/0/1] quit
1. Assign IP addresses to interfaces:
# Assign an IP address to interface GigabitEthernet 1/0/1.
<DeviceC> system-view
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] ip address 3.3.3.3 255.255.255.0
[DeviceC-GigabitEthernet1/0/1] quit
# Assign IP addresses to other interfaces in the same way. (Details not shown.)
2. Configure settings for routing.
This example configures static routes, and the next hop in the routes is 3.3.3.4.
[DeviceC] ip route-static 4.4.4.0 24 3.3.3.4
[DeviceC] ip route-static 1.1.1.1 24 3.3.3.4
3. Add interfaces to security zones.
[DeviceC] security-zone name untrust
[DeviceC-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceC-security-zone-Untrust] quit
[DeviceC] security-zone name trust
[DeviceC-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceC-security-zone-Trust] quit
4. Configure a security policy:
Configure rules to permit traffic between the Untrust and Local security zones, so the devices can set up an IPsec tunnel:
# Configure a rule named ipseclocalout to allow Device C to send IPsec negotiation packets to Device A.
[DeviceC] security-policy ip
[DeviceC-security-policy-ip] rule name ipseclocalout
[DeviceC-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceC-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceC-security-policy-ip-1-ipseclocalout] source-ip-host 3.3.3.3
[DeviceC-security-policy-ip-1-ipseclocalout] destination-ip-host 1.1.1.1
[DeviceC-security-policy-ip-1-ipseclocalout] action pass
[DeviceC-security-policy-ip-1-ipseclocalout] quit
# Configure a rule named ipseclocalin to allow Device C to receive the IPsec negotiation packets sent from Device A.
[DeviceC-security-policy-ip] rule name ipseclocalin
[DeviceC-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceC-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceC-security-policy-ip-2-ipseclocalin] source-ip-host 1.1.1.1
[DeviceC-security-policy-ip-2-ipseclocalin] destination-ip-host 3.3.3.3
[DeviceC-security-policy-ip-2-ipseclocalin] action pass
[DeviceC-security-policy-ip-2-ipseclocalin] quit
Configure rules to permit traffic between Host C and Host A:
# Configure a rule named trust-untrust to permit the packets from Host C to Host A.
[DeviceC-security-policy-ip] rule name trust-untrust
[DeviceC-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceC-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceC-security-policy-ip-3-trust-untrust] source-ip-subnet 6.6.6.0 24
[DeviceC-security-policy-ip-3-trust-untrust] destination-ip-subnet 4.4.4.0 24
[DeviceC-security-policy-ip-3-trust-untrust] action pass
[DeviceC-security-policy-ip-3-trust-untrust] quit
# Configure a rule named untrust-trust to permit the packets from Host A to Host C.
[DeviceC-security-policy-ip] rule name untrust-trust
[DeviceC-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceC-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceC-security-policy-ip-4-untrust-trust] source-ip-subnet 4.4.4.0 24
[DeviceC-security-policy-ip-4-untrust-trust] destination-ip-subnet 6.6.6.0 24
[DeviceC-security-policy-ip-4-untrust-trust] action pass
[DeviceC-security-policy-ip-4-untrust-trust] quit
[DeviceC-security-policy-ip] quit
5. Define the data flows to be protected:
# Configure an IPv4 advanced ACL to identify data flows from subnet 6.6.6.0/24 to subnet 4.4.4.0/24.
[DeviceC] acl advanced 3000
[DeviceC-acl-ipv4-adv-3000] rule permit ip source 6.6.6.0 0.0.0.255 destination 4.4.4.0 0.0.0.255
[DeviceC-acl-ipv4-adv-3000] quit
6. Configure an IPsec transform set to specify the packet encapsulation mode, security protocols, and algorithms. The IPsec transform set settings at both sides of the IPsec tunnel must be the same.
[DeviceC] ipsec transform-set tran1
[DeviceC-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceC-ipsec-transform-set-tran1] protocol esp
[DeviceC-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceC-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceC-ipsec-transform-set-tran1] quit
7. Configure an IKE keychain to specify the key information used for IKE communication.
# Create an IKE keychain named key1 to specify the preshared key as 456 for communication with peer 1.1.1.1.
[DeviceC] ike keychain key1
[DeviceC-ike-keychain-key1] pre-shared-key address 1.1.1.1 key simple 456
[DeviceC-ike-keychain-key1] quit
8. Configure an IKE profile to specify the security parameters used for setting up IKE SAs.
[DeviceC] ike profile profile1
[DeviceC-ike-profile-profile1] keychain key1
[DeviceC-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0
[DeviceC-ike-profile-profile1] quit
9. Configure an IPsec policy, so as to establish the IPsec tunnel to protect data:
# Create an IKE-based IPsec policy entry, which specifies the ACL for IPsec, IPsec transform set, local and remote IP addresses, and IKE profile.
[DeviceC] ipsec policy map1 10 isakmp
[DeviceC-ipsec-policy-isakmp-map1-10] transform-set tran1
[DeviceC-ipsec-policy-isakmp-map1-10] security acl 3000
[DeviceC-ipsec-policy-isakmp-map1-10] local-address 3.3.3.3
[DeviceC-ipsec-policy-isakmp-map1-10] remote-address 1.1.1.1
[DeviceC-ipsec-policy-isakmp-map1-10] ike-profile profile1
[DeviceC-ipsec-policy-isakmp-map1-10] quit
10. Configure an IKE proposal to specify the security parameters used for IKE negotiation. Without it, Device C would offer only the default IKE proposal rather than the 3DES/HMAC-SHA1 parameters this example requires.
# Create an IKE proposal named 1, which uses the 3DES encryption algorithm, HMAC-SHA1 authentication algorithm, and preshared key authentication method.
[DeviceC] ike proposal 1
[DeviceC-ike-proposal-1] encryption-algorithm 3des-cbc
[DeviceC-ike-proposal-1] authentication-algorithm sha
[DeviceC-ike-proposal-1] authentication-method pre-share
[DeviceC-ike-proposal-1] quit
11. Apply the IPsec policy to interface GigabitEthernet 1/0/1 to protect traffic on the interface.
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] ipsec apply policy map1
[DeviceC-GigabitEthernet1/0/1] quit
# Initiate a connection from branch subnet 5.5.5.0/24 to headquarters subnet 4.4.4.0/24 to trigger IKE negotiation. The direction matters: an IPsec policy created from a policy template can only respond to negotiation, so the branch gateway must initiate it. After IPsec SAs are successfully negotiated by IKE, the traffic between the two subnets is IPsec-protected.
# Display IKE SAs on Device A.
[DeviceA] display ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
1 2.2.2.2/500 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
# Display IPsec SAs on Device A.
[DeviceA] display ipsec sa
-------------------------------
Interface: GigabitEthernet1/0/1
-------------------------------
-----------------------------
IPsec policy: map1
Sequence number: 10
Mode: Template
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1463
Tunnel:
local address/port: 1.1.1.1/500
remote address/port: 2.2.2.2/500
Flow:
sour addr: 4.4.4.0/255.255.255.0 port: 0 protocol: ip
dest addr: 5.5.5.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 1014286405 (0x3c74c845)
Connection ID: 1
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3590
Max received sequence-number: 4
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 4011716027 (0xef1dedbb)
Connection ID: 2
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3590
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N
Status: Active
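Once a branch has initiated negotiation, the display ipsec sa output above is the evidence that the intended SAs exist. The following Python script is an added example, not part of this guide or of the device software: it parses that output format and audits each ESP SA for an Active status, the expected transform set, anti-replay checking on inbound SAs, and remaining lifetime. The sample output is a constructed, abridged copy of the display shown above; EXPECTED_TRANSFORM is the string the device prints for transform set tran1 on this page, and the 300-second lifetime threshold is an assumed operational choice.

```python
import re

# What the device prints for transform set tran1 (ESP, DES-CBC, SHA1) on this page.
EXPECTED_TRANSFORM = "ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1"

# Constructed sample input: an abridged copy of the 'display ipsec sa' output shown above.
SAMPLE_OUTPUT = """\
-------------------------------
Interface: GigabitEthernet1/0/1
-------------------------------
  -----------------------------
  IPsec policy: map1
  Sequence number: 10
  Mode: Template
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Tunnel:
        local  address/port: 1.1.1.1/500
        remote address/port: 2.2.2.2/500
    Flow:
        sour addr: 4.4.4.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 5.5.5.0/255.255.255.0  port: 0  protocol: ip
    [Inbound ESP SAs]
      SPI: 1014286405 (0x3c74c845)
      Connection ID: 1
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/3590
      Max received sequence-number: 4
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: N
      Status: Active
    [Outbound ESP SAs]
      SPI: 4011716027 (0xef1dedbb)
      Connection ID: 2
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/3590
      Max sent sequence-number: 4
      UDP encapsulation used for NAT traversal: N
      Status: Active
"""


def parse_ipsec_sa(text):
    """One dict per ESP SA: direction, policy, the protected flow, and every 'Key: value' field."""
    sas, cur, policy, flow = [], None, None, {}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"IPsec policy: (\S+)", line):
            policy, flow, cur = m.group(1), {}, None
        elif line.startswith("Tunnel id:"):          # a new tunnel under the same policy
            flow, cur = {}, None
        elif m := re.match(r"(sour|dest) addr: (\S+)", line):
            flow[m.group(1)] = m.group(2)
        elif m := re.match(r"\[(Inbound|Outbound) ESP SAs\]", line):
            cur = {"direction": m.group(1), "policy": policy, "flow": dict(flow)}
            sas.append(cur)
        elif cur is not None and ": " in line:       # generic 'Key: value' field of the current SA
            key, value = line.split(": ", 1)
            cur[key] = value
    return sas


def audit_sas(sas, expected_transform=EXPECTED_TRANSFORM, min_remaining_sec=300):
    """Findings for SAs that are not active, negotiated another transform set, run without
    anti-replay checking, or are close to expiry; an empty list means everything is as intended."""
    findings = []
    for sa in sas:
        tag = f"{sa['policy']} {sa['direction']} SPI {sa.get('SPI', '?').split()[0]}"
        if sa.get("Status") != "Active":
            findings.append(f"{tag}: status is {sa.get('Status')}")
        if sa.get("Transform set") != expected_transform:
            findings.append(f"{tag}: transform set {sa.get('Transform set')} differs from expected")
        if sa["direction"] == "Inbound" and sa.get("Anti-replay check enable") != "Y":
            findings.append(f"{tag}: anti-replay check disabled")
        remaining = sa.get("SA remaining duration (kilobytes/sec)", "0/0").split("/")[1]
        if int(remaining) < min_remaining_sec:
            findings.append(f"{tag}: only {remaining}s of lifetime left")
    return findings


if __name__ == "__main__":
    for finding in audit_sas(parse_ipsec_sa(SAMPLE_OUTPUT)) or ["all SAs as intended"]:
        print(finding)
```

Run against the output above, the audit reports nothing; feeding it a capture in which the inbound SA shows "Anti-replay check enable: N", or in which the transform set is not the one configured, produces one finding per affected SA, which is the signal to compare the running configuration with the intended one before trusting the tunnel.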
Device A
#
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
ipsec apply policy map1
#
interface GigabitEthernet1/0/2
ip address 4.4.4.1 255.255.255.0
#
security-zone name Trust
import interface GigabitEthernet1/0/2
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
ip route-static 2.2.2.0 24 1.1.1.2
ip route-static 3.3.3.0 24 1.1.1.2
ip route-static 5.5.5.0 24 1.1.1.2
ip route-static 6.6.6.0 24 1.1.1.2
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec policy-template temp1 1
transform-set tran1
ike-profile profile1
#
ipsec policy map1 10 isakmp template temp1
#
ike profile profile1
keychain key1
keychain key2
match remote identity address 2.2.2.2 255.255.255.0
match remote identity address 3.3.3.3 255.255.255.0
#
ike proposal 1
encryption-algorithm 3des-cbc
#
ike keychain key1
pre-shared-key address 2.2.2.2 255.255.255.255 key simple 123
#
ike keychain key2
pre-shared-key address 3.3.3.3 255.255.255.255 key simple 456
#
security-policy ip
rule 0 name ipseclocalout1
action pass
source-zone local
destination-zone untrust
source-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
rule 1 name ipseclocalin1
action pass
source-zone untrust
destination-zone local
source-ip-host 2.2.2.2
destination-ip-host 1.1.1.1
rule 2 name ipseclocalout2
action pass
source-zone local
destination-zone untrust
source-ip-host 1.1.1.1
destination-ip-host 3.3.3.3
rule 3 name ipseclocalin2
action pass
source-zone untrust
destination-zone local
source-ip-host 3.3.3.3
destination-ip-host 1.1.1.1
rule 4 name trust-untrust
action pass
source-zone trust
destination-zone untrust
source-ip-subnet 4.4.4.0 255.255.255.0
destination-ip-subnet 5.5.5.0 255.255.255.0
destination-ip-subnet 6.6.6.0 255.255.255.0
rule 5 name untrust-trust
action pass
source-zone untrust
destination-zone trust
source-ip-subnet 5.5.5.0 255.255.255.0
source-ip-subnet 6.6.6.0 255.255.255.0
destination-ip-subnet 4.4.4.0 255.255.255.0
#
Device B
#
interface GigabitEthernet1/0/1
ip address 2.2.2.2 255.255.255.0
ipsec apply policy map1
#
interface GigabitEthernet1/0/2
ip address 5.5.5.1 255.255.255.0
#
security-zone name Trust
import interface GigabitEthernet1/0/2
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
ip route-static 1.1.1.0 24 2.2.2.3
ip route-static 4.4.4.0 24 2.2.2.3
#
acl advanced 3000
rule 0 permit ip source 5.5.5.0 0.0.0.255 destination 4.4.4.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec policy map1 10 isakmp
transform-set tran1
security acl 3000
local-address 2.2.2.2
remote-address 1.1.1.1
ike-profile profile1
#
ike profile profile1
keychain key1
match remote identity address 1.1.1.1 255.255.255.0
#
ike proposal 1
encryption-algorithm 3des-cbc
#
ike keychain key1
pre-shared-key address 1.1.1.1 255.255.255.255 key simple 123
#
security-policy ip
rule 0 name ipseclocalout
action pass
source-zone local
destination-zone untrust
source-ip-host 2.2.2.2
destination-ip-host 1.1.1.1
rule 1 name ipseclocalin
action pass
source-zone untrust
destination-zone local
source-ip-host 1.1.1.1
destination-ip-host 2.2.2.2
rule 2 name trust-untrust
action pass
source-zone trust
destination-zone untrust
source-ip-subnet 5.5.5.0 255.255.255.0
destination-ip-subnet 4.4.4.0 255.255.255.0
rule 3 name untrust-trust
action pass
source-zone untrust
destination-zone trust
source-ip-subnet 4.4.4.0 255.255.255.0
destination-ip-subnet 5.5.5.0 255.255.255.0
#
Device C
#
interface GigabitEthernet1/0/1
ip address 3.3.3.3 255.255.255.0
ipsec apply policy map1
#
interface GigabitEthernet1/0/2
ip address 6.6.6.1 255.255.255.0
#
security-zone name Trust
import interface GigabitEthernet1/0/2
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
ip route-static 1.1.1.0 24 3.3.3.4
ip route-static 4.4.4.0 24 3.3.3.4
#
acl advanced 3000
rule 0 permit ip source 6.6.6.0 0.0.0.255 destination 4.4.4.0 0.0.0.255
#
ipsec transform-set tran1
encapsulation-mode tunnel
protocol esp
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec policy map1 10 isakmp
transform-set tran1
security acl 3000
local-address 3.3.3.3
remote-address 1.1.1.1
ike-profile profile1
#
ike profile profile1
keychain key1
match remote identity address 1.1.1.1 255.255.255.0
#
ike proposal 1
encryption-algorithm 3des-cbc
#
ike keychain key1
pre-shared-key address 1.1.1.1 255.255.255.255 key simple 456
#
security-policy ip
rule 0 name ipseclocalout
action pass
source-zone local
destination-zone untrust
source-ip-host 3.3.3.3
destination-ip-host 1.1.1.1
rule 1 name ipseclocalin
action pass
source-zone untrust
destination-zone local
source-ip-host 1.1.1.1
destination-ip-host 3.3.3.3
rule 2 name trust-untrust
action pass
source-zone trust
destination-zone untrust
source-ip-subnet 6.6.6.0 255.255.255.0
destination-ip-subnet 4.4.4.0 255.255.255.0
rule 3 name untrust-trust
action pass
source-zone untrust
destination-zone trust
source-ip-subnet 4.4.4.0 255.255.255.0
destination-ip-subnet 6.6.6.0 255.255.255.0
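The procedure above depends on several settings agreeing across devices: the transform set must be identical at both ends of each tunnel, the hub's keychains must hold one preshared key per branch address, the hub's IKE profile must match each branch's identity, and both sides must share an IKE proposal. A mismatch in any of them shows up only as a failed or weakened negotiation. The following Python script is an added example, not part of this guide or of the device software: it parses configuration text in the format of the files above and cross-checks one spoke against the hub before the configuration is deployed. The sample configurations are abridged constructed copies of Device A and Device B; WEAK and DEFAULT_IKE_ENC are assumptions (DES-CBC taken as the built-in default IKE proposal encryption, and DES, 3DES and MD5 flagged per NIST SP 800-131A) to be adjusted to your platform and policy.

```python
import ipaddress

WEAK = {"des", "des-cbc", "3des-cbc", "md5"}   # flagged per NIST SP 800-131A (assumed policy)
DEFAULT_IKE_ENC = "des-cbc"                     # assumed encryption of the built-in default IKE proposal

# Constructed sample input: abridged copies of the Device A and Device B configuration files.
HUB_A = """\
ipsec transform-set tran1
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ipsec policy-template temp1 1
 transform-set tran1
 ike-profile profile1
#
ike profile profile1
 keychain key1
 match remote identity address 2.2.2.2 255.255.255.0
#
ike proposal 1
 encryption-algorithm 3des-cbc
#
ike keychain key1
 pre-shared-key address 2.2.2.2 255.255.255.255 key simple 123
"""
SPOKE_B = """\
ipsec transform-set tran1
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ipsec policy map1 10 isakmp
 transform-set tran1
 security acl 3000
 local-address 2.2.2.2
 remote-address 1.1.1.1
 ike-profile profile1
#
ike proposal 1
 encryption-algorithm 3des-cbc
#
ike keychain key1
 pre-shared-key address 1.1.1.1 255.255.255.255 key simple 123
"""

def parse_config(text):
    """{header line: [token list per body line]} for each '#'-separated block."""
    blocks, body = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line == "#":
            body = None
        elif body is None:
            body = blocks[line] = []      # first line of a block is its header
        else:
            body.append(line.split())
    return blocks

def get(body, *prefix):
    """Tokens after the first body line that starts with the given words, else None."""
    return next((t[len(prefix):] for t in body if t[:len(prefix)] == list(prefix)), None)

def lines(blocks, header_prefix, *line_prefix):
    return [t[len(line_prefix):] for h, b in blocks.items() if h.startswith(header_prefix)
            for t in b if t[:len(line_prefix)] == list(line_prefix)]

def transform(blocks, name):
    body = blocks[f"ipsec transform-set {name}"]       # unspecified settings take the defaults
    return {"encap": (get(body, "encapsulation-mode") or ["tunnel"])[0],
            "proto": (get(body, "protocol") or ["esp"])[0],
            "enc": (get(body, "esp", "encryption-algorithm") or [None])[0],
            "auth": (get(body, "esp", "authentication-algorithm") or [None])[0]}

def check_pair(hub_text, spoke_text):
    """[(severity, message)] for one hub/spoke pair; an empty list means fully consistent."""
    hub, spoke = parse_config(hub_text), parse_config(spoke_text)
    policy = next(b for h, b in spoke.items()
                  if h.startswith("ipsec policy ") and h.endswith(" isakmp"))
    local, remote = get(policy, "local-address")[0], get(policy, "remote-address")[0]
    out = []
    # 1. Pre-shared keys: 'pre-shared-key address ADDR [MASK] key simple KEY' on both sides.
    hub_psk = {t[0]: t[-1] for t in lines(hub, "ike keychain", "pre-shared-key", "address")}
    spoke_psk = {t[0]: t[-1] for t in lines(spoke, "ike keychain", "pre-shared-key", "address")}
    if hub_psk.get(local) != spoke_psk.get(remote):
        out.append(("error", f"preshared key mismatch for peer {local}"))
    # 2. The hub's IKE profile must match the spoke's identity, or the template is never selected.
    nets = [ipaddress.ip_network(f"{a}/{m}", strict=False)
            for a, m in lines(hub, "ike profile", "match", "remote", "identity", "address")]
    if not any(ipaddress.ip_address(local) in n for n in nets):
        out.append(("error", f"no hub IKE profile matches remote identity {local}"))
    # 3. Transform-set parameters must be identical at both ends of the tunnel.
    template = next(b for h, b in hub.items() if h.startswith("ipsec policy-template"))
    ht = transform(hub, get(template, "transform-set")[0])
    st = transform(spoke, get(policy, "transform-set")[0])
    out += [("error", f"transform-set {k}: hub={ht[k]} spoke={st[k]}") for k in ht if ht[k] != st[k]]
    # 4. IKE: the spoke offers its configured proposals (or the default); the hub accepts its own plus the default.
    offered = {a for (a,) in lines(spoke, "ike proposal", "encryption-algorithm")} or {DEFAULT_IKE_ENC}
    accepted = {a for (a,) in lines(hub, "ike proposal", "encryption-algorithm")} | {DEFAULT_IKE_ENC}
    common = offered & accepted
    if not common:
        out.append(("error", "hub and spoke share no IKE proposal"))
    # 5. Warn on weak algorithms wherever they could be negotiated.
    out += [("warning", f"IKE may negotiate weak encryption {a}") for a in sorted(common & WEAK)]
    out += [("warning", f"IPsec transform set uses weak algorithm {a}")
            for a in (st["enc"], st["auth"]) if a in WEAK]
    return out

if __name__ == "__main__":
    for severity, message in check_pair(HUB_A, SPOKE_B):
        print(f"{severity}: {message}")
```

Run on the page's own settings, check_pair returns no errors but two warnings, because this example deliberately negotiates DES-CBC for ESP and 3DES for IKE; a spoke with a different preshared key, a different ESP algorithm, or no IKE proposal at all is reported before anyone has to read a failed negotiation out of the IKE logs.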