3Com 10014299 Network Router User Manual


 
582 CHAPTER 40: CONFIGURING IPSEC
m Configure the corresponding IKE.
[RouterB] ike pre-shared-key abcde remote 202.38.163.1
After the above configuration is complete, traffic between subnet 10.1.1.x and
subnet 10.1.2.x that passes between Router A and Router B triggers IKE to
negotiate an SA. Once IKE negotiation succeeds and the SA is established, the
data stream between subnet 10.1.1.x and subnet 10.1.2.x is transmitted
encrypted.
Encrypting, Decrypting, and Authenticating NDEC Cards
Establish a security tunnel between Router A and Router B to protect the data
stream between the subnet represented by PC A (10.1.1.x) and the subnet
represented by PC B (10.1.2.x). The security association is established
manually. The security protocol is ESP, the encryption algorithm is DES, and
the authentication algorithm is sha1-hmac-96.
Figure 175 Networking diagram for establishing a security tunnel using crypto cards
1 Configure Router A
a Configure an access list that defines the data stream from subnet 10.1.1.x
to subnet 10.1.2.x.
[RouterA] acl 101 permit
[RouterA-acl-101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[RouterA-acl-101] rule deny ip source any destination any
b Create a crypto card proposal view named tran1.
[RouterA] crypto ipsec card-proposal tran1
c Use tunnel mode as the packet encapsulation mode.
[RouterA-ipsec-card-proposal-tran1] encapsulation-mode tunnel
d Use ESP as the security protocol.
[RouterA-ipsec-card-proposal-tran1] transform esp-new
e Select the encryption and authentication algorithms.
[RouterA-ipsec-card-proposal-tran1] esp-new encryption-algorithm des
[RouterA-ipsec-card-proposal-tran1] esp-new authentication-algorithm sha1-hmac-96
f Return to system view.
[RouterA-ipsec-card-proposal-tran1] quit
g Create a security policy that uses manual negotiation mode.
[RouterA] ipsec policy policy1 10 manual
h Reference the access list.
[Figure 175 labels: PC A (10.1.1.2) - Router A (e0 10.1.1.1, s0 202.38.163.1) - Internet - Router B (s0 202.38.162.1, e0 10.1.2.1) - PC B (10.1.2.2)]
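An added example (not from the 3Com manual): a Python check that parses the Router A commands shown above and flags the two settings a reviewer would question, DES encryption and a manually keyed SA, plus a proposal with no authentication algorithm line. The function names and parsing rules are assumptions based only on the command forms that appear on this page.

```python
import re

# Constructed input: Router A's commands from this page, wrapped lines rejoined.
CONFIG = """\
[RouterA] crypto ipsec card-proposal tran1
[RouterA-ipsec-card-proposal-tran1] encapsulation-mode tunnel
[RouterA-ipsec-card-proposal-tran1] transform esp-new
[RouterA-ipsec-card-proposal-tran1] esp-new encryption-algorithm des
[RouterA-ipsec-card-proposal-tran1] esp-new authentication-algorithm sha1-hmac-96
[RouterA-ipsec-card-proposal-tran1] quit
[RouterA] ipsec policy policy1 10 manual
"""

LINE = re.compile(r"^\[(?P<view>[^\]]+)\]\s+(?P<cmd>\S.*)$")
PROPOSAL_VIEW = re.compile(r"-ipsec-card-proposal-(?P<name>.+)$")

def parse(config):
    """Collect per-proposal settings and per-policy negotiation modes."""
    proposals, policies = {}, {}
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        words = m.group("cmd").split()
        view = PROPOSAL_VIEW.search(m.group("view"))
        if words[:3] == ["crypto", "ipsec", "card-proposal"] and len(words) == 4:
            proposals.setdefault(words[3], {})
        elif words[:2] == ["ipsec", "policy"] and len(words) == 5:
            policies[(words[2], words[3])] = words[4]   # (name, sequence) -> mode
        elif view and len(words) in (2, 3):
            # "transform esp-new" or "esp-new encryption-algorithm des"
            proposals.setdefault(view.group("name"), {})[words[-2]] = words[-1]
    return proposals, policies

def audit(config):
    """Return (object, finding) pairs for settings worth a second look."""
    proposals, policies = parse(config)
    findings = []
    for name, p in sorted(proposals.items()):
        if p.get("encryption-algorithm") == "des":
            findings.append((f"proposal {name}", "DES encryption (56-bit key)"))
        if "authentication-algorithm" not in p:
            findings.append((f"proposal {name}", "no explicit authentication-algorithm line"))
    for (name, seq), mode in sorted(policies.items()):
        if mode == "manual":
            findings.append((f"policy {name} {seq}", "manual SA: static keys, no automatic rekeying"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{obj}: {finding}" for obj, finding in audit(CONFIG)))
```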