580 CHAPTER 40: CONFIGURING IPSEC
[RouterB-Serial0] ipsec policy use1
[RouterB-Serial0] ip address 202.38.162.1 255.255.255.0
o Configure the route.
[RouterB] ip route-static 10.1.1.0 255.255.255.0 202.38.163.1
After the configuration is complete and the security tunnel between Router A and
Router B is established, the data stream between Subnet 10.1.1.x and Subnet
10.1.2.x will be transmitted with encryption.
Creating an SA in IKE
Negotiation Mode
Establish a security tunnel between Router A and Router B to perform security
protection for the data streams between PC-A represented subnet (10.1.1.x) and
PC-B represented subnet (10.1.2.x). The security protocol adopts ESP protocol,
algorithm adopts DES, and authentication algorithm adopts sha1-hmac-96. See
Figure 174 for an illustration of the configuration.
Prior to configuring, you should ensure that Router A and Router B can interwork
at the network layer through a serial interface.
1 Configure Router A:
a Configure an access list and define the data stream from Subnet 10.1.1x to
Subnet 10.1.2x.
[RouterA] acl 101
[RouterA-acl-101] rule permit ip source 10.1.1.0 0.0.0.255
destination 10.1.2.0 0.0.0.255
[RouterA-acl-101] rule deny ip source any destination any
b Create the IPSec proposal view named trans1
[RouterA] ipsec proposal tran1
c Adopt tunnel mode as the message-encapsulating form
[RouterA-ipsec-proposal-tran1] encapsulation-mode tunnel
d Adopt ESP protocol as security protocol
[RouterA-ipsec-proposal-tran1] transform esp-new
e Select authentication algorithm and encryption algorithm
[RouterA-ipsec-proposal-tran1] esp-new encryption-algorithm des
[RouterA-ipsec-proposal-tran1] esp-new authentication-algorithm
sha1-hmac-96
f Create a security policy with negotiation mode as isakmp
[RouterA] ipsec policy policy1 10 isakmp
g Set remote addresses
[RouterA-ipsec-policy-policy1-10] tunnel remote 202.38.162.1
h Quote IPSec proposal
[RouterA-ipsec-policy-policy1-10] proposal tran1
i Quote access list
[RouterA-ipsec-policy-policy1-10] security acl 101
j Exit to system view
[RouterA-ipsec-policy-policy1-10] quit
k Enter serial interface view