The configuration of IPSEC aggressive mode and NAT traserval for SR66 series router

 

 

 

The configuration of IPSEC aggressive mode and NAT traserval for SR66 series router

 

 

 

 

一、  Customer requirements：

The branch links to center’s intranet. Router A’s serial2/0 has a static address and Router B uses dynamic address. We need configure NAT traserval on Router B to ensure information secure.

二、  Topology：

 

 

三、    Active Configurations：

(1) Router A configuration

# configure local ike name

<RouterA> system-view

[RouterA] ike local-name routera

# configure acl

[RouterA] acl number 3101 match-order auto

[RouterA-acl-adv-3101] rule permit ip source any destination any

[RouterA-acl-adv-3101] quit

# configure ip pool

[RouterA] ip pool 1 10.0.0.2 10.0.0.10

# configure IKE peer

[RouterA] ike peer peer

[RouterA-ike-peer-peer] exchange-mode aggressive

[RouterA-ike-peer-peer] pre-shared-key abc

[RouterA-ike-peer-peer] id-type name

[RouterA-ike-peer-peer] remote-name routerb

[RouterA-ike-peer-peer] quit

# configure IPSec secure proposal

[RouterA] ipsec proposal prop

[RouterA-ipsec-proposal-prop] encapsulation-mode tunnel

[RouterA-ipsec-proposal-prop] transform esp

[RouterA-ipsec-proposal-prop] esp encryption-algorithm des

[RouterA-ipsec-proposal-prop] esp authentication-algorithm sha1

[RouterA-ipsec-proposal-prop] quit

# configure secure policy

[RouterA] ipsec policy policy 10 isakmp

[RouterA-ipsec-policy-isakmp-policy-10] ike-peer peer

[RouterA-ipsec-policy-isakmp-policy-10] security acl 3101

[RouterA-ipsec-policy-isakmp-policy-10] proposal prop

[RouterA-ipsec-policy-isakmp-policy-10] quit

# configure the ip address of Serial2/0

[RouterA] interface serial 2/0

[RouterA-Serial2/0] ip address 100.0.0.1 255.255.0.0

# using secure policy

[RouterA-Serial2/0] ipsec policy policy

[RouterA-Serial2/0] remote address pool 1

(2)Router B configuration

# configure local ike name

<RouterB> system-view

[RouterB] ike local-name routerb

# configure acl。

[RouterB] acl number 3101 match-order auto

[RouterB-acl-adv-3101] rule permit ip source any destination any

[RouterB-acl-adv-3101] quit

# configure IKE peer。

[RouterB] ike peer peer

[RouterB-ike-peer-peer] exchange-mode aggressive

[RouterB-ike-peer-peer] pre-shared-key abc

[RouterB-ike-peer-peer] id-type name

[RouterB-ike-peer-peer] remote-name routera

[RouterB-ike-peer-peer] remote-ip 10.0.0.1

[RouterB-ike-peer-peer] nat traversal

[RouterB-ike-peer-peer] quit

# configure IPSec proposal

[RouterB] ipsec proposal prop

[RouterB-ipsec-proposal-prop] encapsulation-mode tunnel

[RouterB-ipsec-proposal-prop] transform esp

[RouterB-ipsec-proposal-prop] esp encryption-algorithm des

[RouterB-ipsec-proposal-prop] esp authentication-algorithm sha1

[RouterB-ipsec-proposal-prop] quit

# configure secure policy

[RouterB] ipsec policy policy 10 isakmp

[RouterB-ipsec-policy-isakmp-policy-10] ike-peer peer

[RouterB-ipsec-policy-isakmp-policy-10] security acl 3101

[RouterB-ipsec-policy-isakmp-policy-10] proposal prop

[RouterB-ipsec-policy-isakmp-policy-10] quit

# configure the ip address of Serial2/0

[RouterB] interface serial 2/0

[RouterB-Serial2/0] ip address ppp-negotiate

# using secure policy

 [RouterB-Serial2/0] ipsec policy policy