Black Box LR1102A-T1/E1 Network Router User Manual


 
Step 11: After transit traffic is passed through the tunnel, display the IKE and IPSec SA tables.
Use the show crypto ike sa all and show crypto ipsec sa all commands.
4.4 Example 3: Multiple IPSec Proposals: Tunnel Mode Between Two Black Box Security Gateways
The following example demonstrates how a security gateway can offer multiple IPSec (Phase 2) proposals when forming an IP security tunnel that joins two private networks: 10.0.1.0/24 and 10.0.2.0/24.
IKE Proposal offered by both Black Box1 and Black Box2:
Phase 1: 3DES and SHA1
IPSec Proposals offered by Black Box1:
Phase 2: Proposal1: IPSec ESP with DES and HMAC-SHA1
Phase 2: Proposal2: IPSec ESP with AES (256-bit) and HMAC-SHA1
IPSec Proposal offered by Black Box2:
Phase 2: Proposal1: IPSec ESP with AES (256-bit) and HMAC-SHA1
In this example, the Black Box1 router offers two IPSec proposals to the peer while the Black Box2 router offers only one. During quick mode negotiation the responder selects a proposal that both sides accept, so the two routers converge on "IPSec ESP with AES (256-bit) and HMAC-SHA1". Note that Proposal1 of Black Box1 uses DES, a 56-bit cipher that is no longer considered secure; it is not negotiated here only because Black Box2 does not accept it. If the peer were ever reconfigured to accept DES, the tunnel could fall back to it, so weak proposals should be removed from the offered list rather than left in place.
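The quick mode convergence described above, modelled in Python as an added example. This is not Black Box CLI or firmware code; the selection rule (the responder takes the first proposal in the initiator's list that it is also configured with) and the weak-cipher list are assumptions of the model, and the proposal lists are constructed from the text of this example.

```python
"""Model of IKEv1 quick mode (Phase 2) proposal selection.

Added example, not Black Box CLI or firmware code. It models the
negotiation described in the text: Black Box1 offers two IPSec
proposals, Black Box2 accepts one, and both sides converge on the
single common proposal. The selection rule and the weak-cipher list
are assumptions of this model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IpsecProposal:
    protocol: str   # "ESP" or "AH"
    cipher: str     # e.g. "DES", "3DES", "AES-256"
    auth: str       # e.g. "HMAC-SHA1"

    def __str__(self) -> str:
        return f"IPSec {self.protocol} with {self.cipher} and {self.auth}"


# Ciphers a practitioner should refuse outright. DES has a 56-bit key and
# is brute-forceable; NULL encryption gives no confidentiality at all.
# (Assumed policy, not a setting from the manual.)
WEAK_CIPHERS = frozenset({"DES", "NULL"})


def negotiate(initiator, responder):
    """Return the proposal both peers accept, or None if there is no overlap.

    The initiator sends its whole list in the first quick mode message and
    the responder answers with exactly one entry. Assumption of this model:
    the responder walks the initiator's list in the initiator's order and
    picks the first proposal it is also configured with.
    """
    acceptable = set(responder)
    for proposal in initiator:
        if proposal in acceptable:
            return proposal
    return None


def weak_offers(proposals):
    """Proposals whose cipher is on the weak list.

    Even when a weak proposal is not the one negotiated, leaving it in the
    offered list makes it a downgrade target if the peer's policy changes.
    """
    return [p for p in proposals if p.cipher in WEAK_CIPHERS]


# Proposals constructed from the text of Example 3.
BLACK_BOX1 = [
    IpsecProposal("ESP", "DES", "HMAC-SHA1"),       # Proposal1
    IpsecProposal("ESP", "AES-256", "HMAC-SHA1"),   # Proposal2
]
BLACK_BOX2 = [
    IpsecProposal("ESP", "AES-256", "HMAC-SHA1"),   # Proposal1
]


if __name__ == "__main__":
    chosen = negotiate(BLACK_BOX1, BLACK_BOX2)
    print("negotiated:", chosen)
    for p in weak_offers(BLACK_BOX1):
        print("WARNING: weak proposal still offered by Black Box1:", p)

    # Order matters: if the peer accepted both of Black Box1's proposals,
    # the DES proposal listed first would be the one selected.
    permissive_peer = list(BLACK_BOX1)
    print("permissive peer ->", negotiate(BLACK_BOX1, permissive_peer))

    # With no common proposal the SA is never established.
    print("no overlap ->", negotiate(BLACK_BOX1, [IpsecProposal("ESP", "3DES", "HMAC-MD5")]))
```

Running the module shows the converged proposal from the text, flags the DES proposal that Black Box1 still offers, and demonstrates why proposal order matters: against a peer that accepts both, the weak proposal listed first wins.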
Figure 10 Tunnel Mode Between Two Black Box Security Gateways - Multiple Proposals
Step 1: Configure a WAN bundle of network type untrusted
Black Box1/configure/interface/bundle wan1> link t1 1
Black Box1/configure/interface/bundle wan1> encapsulation ppp
Black Box1/configure/interface/bundle wan1> ip address 172.16.0.1 24
Black Box1/configure/interface/bundle wan1> crypto untrusted
Black Box1/configure/interface/bundle wan1> exit
Step 2: Configure the Ethernet interface with trusted network type
Black Box1/configure> interface ethernet 0
message: Configuring existing Ethernet interface
Black Box1/configure/interface/ethernet 0> ip address 10.0.1.1 24
Black Box1/configure/interface/ethernet 0> crypto trusted
Black Box1/configure/interface/ethernet 0> exit
Step 3: Display the crypto interfaces
[Figure 10, diagram rendered as text: BlackBox 1 (Tasman1) with TRUSTED network 10.0.1.0/24 and UNTRUSTED WAN address 172.16.0.1, an IPSec ESP tunnel across the untrusted network, and BlackBox 2 (Tasman2) with UNTRUSTED WAN address 172.16.0.2 and TRUSTED network 10.0.2.0/24.]