Configuration Examples

This section contains examples of two IPsec applications. The first example shows a customer who replaces a leased line network with an IPsec network that allows the company to connect its corporate locations over the Internet. The second example provides leased line replacement to two customers who use address schemes in the same range.

Configuration Notes

Both the local and remote identities shown in these examples serve two purposes:

In Figure 15, customer A uses Frame Relay to connect its corporate offices in three cities: Boston, Ottawa, and Boca.

Figure 15: Customer A's Corporate Frame Relay Network

Customer A hires ISP-X to provide a leased line replacement over an IP infrastructure using IPsec. ISP-X can offer a replacement for long-haul Frame Relay links by creating IPsec tunnels to carry customer A's traffic securely between the sites over the public or ISP-provided IP network. This alternative costs only a fraction of the price of the Frame Relay links. Figure 16 shows the connectivity scheme.

Figure 16: ISP-X Uses ERX Routers to Connect Corporate Offices over the Internet

To configure the connections as shown in Figure 16:

  1. On each ERX router, create a protection suite that provides 3DES encryption with SHA-1 authentication on every packet.
    erx1(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha
    erx2(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha
    erx3(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha
  2. On each ERX router, create preshared keys for the three routers to use to authenticate each other:
    erx1(config)#ipsec key manual pre-share 100.2.0.1
    erx1(config-manual-key)#key customerASecret
    erx1(config-manual-key)#exit
    erx1(config)#ipsec key manual pre-share 100.3.0.1
    erx1(config-manual-key)#key customerASecret
    erx1(config-manual-key)#exit
    erx2(config)#ipsec key manual pre-share 100.1.0.1
    erx2(config-manual-key)#key customerASecret
    erx2(config-manual-key)#exit
    erx2(config)#ipsec key manual pre-share 100.3.0.1
    erx2(config-manual-key)#key customerASecret
    erx2(config-manual-key)#exit
    erx3(config)#ipsec key manual pre-share 100.1.0.1
    erx3(config-manual-key)#key customerASecret
    erx3(config-manual-key)#exit
    erx3(config)#ipsec key manual pre-share 100.2.0.1
    erx3(config-manual-key)#key customerASecret
    erx3(config-manual-key)#exit
  3. On erx1 create two IPsec tunnels, one to carry customer A's traffic between Ottawa and Boston and another to carry the traffic between Ottawa and Boca:

    Tunnel 1:

    erx1(config)#interface tunnel ipsec:Aottawa2boston
    erx1(config-if)#tunnel transform-set customerAprotection
    erx1(config-if)#tunnel local-identity subnet 200.1.0.0 255.255.0.0
    erx1(config-if)#tunnel peer-identity subnet 200.3.0.0 255.255.0.0
    erx1(config-if)#tunnel source 100.1.0.1
    erx1(config-if)#tunnel destination 100.3.0.1
    erx1(config-if)#ip address 200.3.0.0 255.255.0.0
    erx1(config-if)#exit

    Tunnel 2:

    erx1(config)#interface tunnel ipsec:Aottawa2boca
    erx1(config-if)#tunnel transform-set customerAprotection
    erx1(config-if)#tunnel local-identity subnet 200.1.0.0 255.255.0.0
    erx1(config-if)#tunnel peer-identity subnet 200.2.0.0 255.255.0.0
    erx1(config-if)#tunnel source 100.1.0.1
    erx1(config-if)#tunnel destination 100.2.0.1
    erx1(config-if)#ip address 200.2.0.0 255.255.0.0
    erx1(config-if)#exit
  4. On erx2 create two IPsec tunnels, one to carry customer A's traffic between Boca and Ottawa and another to carry the traffic between Boca and Boston:

    Tunnel 1:

    erx2(config)#interface tunnel ipsec:Aboca2ottawa
    erx2(config-if)#tunnel transform-set customerAprotection
    erx2(config-if)#tunnel local-identity subnet 200.2.0.0 255.255.0.0
    erx2(config-if)#tunnel peer-identity subnet 200.1.0.0 255.255.0.0
    erx2(config-if)#tunnel source 100.2.0.1
    erx2(config-if)#tunnel destination 100.1.0.1
    erx2(config-if)#ip address 200.1.0.0 255.255.0.0
    erx2(config-if)#exit

    Tunnel 2:

    erx2(config)#interface tunnel ipsec:Aboca2boston
    erx2(config-if)#tunnel transform-set customerAprotection
    erx2(config-if)#tunnel local-identity subnet 200.2.0.0 255.255.0.0
    erx2(config-if)#tunnel peer-identity subnet 200.3.0.0 255.255.0.0
    erx2(config-if)#tunnel source 100.2.0.1
    erx2(config-if)#tunnel destination 100.3.0.1
    erx2(config-if)#ip address 200.3.0.0 255.255.0.0
    erx2(config-if)#exit
  5. Finally, on erx3 create two IPsec tunnels, one to carry customer A's traffic between Boston and Ottawa and another to carry the traffic between Boston and Boca:

    Tunnel 1:

    erx3(config)#interface tunnel ipsec:Aboston2ottawa
    erx3(config-if)#tunnel transform-set customerAprotection
    erx3(config-if)#tunnel local-identity subnet 200.3.0.0 255.255.0.0
    erx3(config-if)#tunnel peer-identity subnet 200.1.0.0 255.255.0.0
    erx3(config-if)#tunnel source 100.3.0.1
    erx3(config-if)#tunnel destination 100.1.0.1
    erx3(config-if)#ip address 200.1.0.0 255.255.0.0
    erx3(config-if)#exit

    Tunnel 2:

    erx3(config)#interface tunnel ipsec:Aboston2boca
    erx3(config-if)#tunnel transform-set customerAprotection
    erx3(config-if)#tunnel local-identity subnet 200.3.0.0 255.255.0.0
    erx3(config-if)#tunnel peer-identity subnet 200.2.0.0 255.255.0.0
    erx3(config-if)#tunnel source 100.3.0.1
    erx3(config-if)#tunnel destination 100.2.0.1
    erx3(config-if)#ip address 200.2.0.0 255.255.0.0
    erx3(config-if)#exit

The configuration is complete. Customer A's traffic between the cities now flows through the public, or untrusted, IP network inside a tunnel, where each packet is encrypted and authenticated. This example shows only the basic secure encapsulation of customer traffic over the untrusted IP network; you can add features such as key refreshing.

Example 2

Example 2, shown in Figure 17, extends the previous example: the same ISP-X provides leased line replacement to two customers who use address schemes in the same range. There are two ways to solve scenarios in which different customers use similar IP address schemes:

To configure the connections as shown in Figure 17:

  1. On each ERX router, create a protection suite that provides customer A with 3DES encryption and SHA-1 authentication, and customer B with AH authentication using MD5.
    erx1(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha
    erx1(config)#ipsec transform-set customerBprotection ah-hmac-md5
    erx2(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha
    erx2(config)#ipsec transform-set customerBprotection ah-hmac-md5
    erx3(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha
    erx3(config)#ipsec transform-set customerBprotection ah-hmac-md5
  2. On each ERX router, create preshared keys for the three routers to use to authenticate each other. Each customer's tunnels terminate on their own endpoint addresses (5.x.0.1 for customer A, 5.x.0.2 for customer B), so every router needs one key per peer address for each customer:
    erx1(config)#ipsec key manual pre-share 5.2.0.1
    erx1(config-manual-key)#key customerASecret
    erx1(config-manual-key)#exit
    erx1(config)#ipsec key manual pre-share 5.3.0.1
    erx1(config-manual-key)#key customerASecret
    erx1(config-manual-key)#exit
    erx1(config)#ipsec key manual pre-share 5.2.0.2
    erx1(config-manual-key)#key customerBSecret
    erx1(config-manual-key)#exit
    erx1(config)#ipsec key manual pre-share 5.3.0.2
    erx1(config-manual-key)#key customerBSecret
    erx1(config-manual-key)#exit
    erx2(config)#ipsec key manual pre-share 5.1.0.1
    erx2(config-manual-key)#key customerASecret
    erx2(config-manual-key)#exit
    erx2(config)#ipsec key manual pre-share 5.3.0.1
    erx2(config-manual-key)#key customerASecret
    erx2(config-manual-key)#exit
    erx2(config)#ipsec key manual pre-share 5.1.0.2
    erx2(config-manual-key)#key customerBSecret
    erx2(config-manual-key)#exit
    erx2(config)#ipsec key manual pre-share 5.3.0.2
    erx2(config-manual-key)#key customerBSecret
    erx2(config-manual-key)#exit
    erx3(config)#ipsec key manual pre-share 5.1.0.1
    erx3(config-manual-key)#key customerASecret
    erx3(config-manual-key)#exit
    erx3(config)#ipsec key manual pre-share 5.2.0.1
    erx3(config-manual-key)#key customerASecret
    erx3(config-manual-key)#exit
    erx3(config)#ipsec key manual pre-share 5.1.0.2
    erx3(config-manual-key)#key customerBSecret
    erx3(config-manual-key)#exit
    erx3(config)#ipsec key manual pre-share 5.2.0.2
    erx3(config-manual-key)#key customerBSecret
    erx3(config-manual-key)#exit
  3. On erx1, create two IPsec tunnels, one to carry customer A's traffic and another to carry customer B's traffic. You must create each pair of tunnels in the virtual routers where the IP interfaces reaching those customers are defined. Create the endpoints for the tunnels in the ISP default virtual router.

    Virtual router A:

    erx1(config)#virtual-router vrA
    erx1:vrA(config)#

    Tunnel from Ottawa to Boston on virtual router A:

    erx1:vrA(config)#interface tunnel ipsec:Aottawa2boston transport-virtual-router default
    erx1:vrA(config-if)#tunnel transform-set customerAprotection
    erx1:vrA(config-if)#tunnel local-identity subnet 10.1.0.0 255.255.0.0
    erx1:vrA(config-if)#tunnel peer-identity subnet 10.3.0.0 255.255.0.0
    erx1:vrA(config-if)#tunnel source 5.1.0.1
    erx1:vrA(config-if)#tunnel destination 5.3.0.1
    erx1:vrA(config-if)#ip address 10.3.0.0 255.255.0.0
    erx1:vrA(config-if)#exit

    Tunnel from Ottawa to Boca on virtual router A:

    erx1:vrA(config)#interface tunnel ipsec:Aottawa2boca transport-virtual-router default
    erx1:vrA(config-if)#tunnel transform-set customerAprotection
    erx1:vrA(config-if)#tunnel local-identity subnet 10.1.0.0 255.255.0.0
    erx1:vrA(config-if)#tunnel peer-identity subnet 10.2.0.0 255.255.0.0
    erx1:vrA(config-if)#tunnel source 5.1.0.1
    erx1:vrA(config-if)#tunnel destination 5.2.0.1
    erx1:vrA(config-if)#ip address 10.2.0.0 255.255.0.0
    erx1:vrA(config-if)#exit

    Virtual router B:

    erx1(config)#virtual-router vrB
    erx1:vrB(config)#

    Tunnel from Ottawa to Boston on virtual router B:

    erx1:vrB(config)#interface tunnel ipsec:Bottawa2boston transport-virtual-router default
    erx1:vrB(config-if)#tunnel transform-set customerBprotection
    erx1:vrB(config-if)#tunnel local-identity subnet 10.1.0.0 255.255.0.0
    erx1:vrB(config-if)#tunnel peer-identity subnet 10.3.0.0 255.255.0.0
    erx1:vrB(config-if)#tunnel source 5.1.0.2
    erx1:vrB(config-if)#tunnel destination 5.3.0.2
    erx1:vrB(config-if)#ip address 10.3.0.0 255.255.0.0
    erx1:vrB(config-if)#exit

    Tunnel from Ottawa to Boca on virtual router B:

    erx1:vrB(config)#interface tunnel ipsec:Bottawa2boca transport-virtual-router default
    erx1:vrB(config-if)#tunnel transform-set customerBprotection
    erx1:vrB(config-if)#tunnel local-identity subnet 10.1.0.0 255.255.0.0
    erx1:vrB(config-if)#tunnel peer-identity subnet 10.2.0.0 255.255.0.0
    erx1:vrB(config-if)#tunnel source 5.1.0.2
    erx1:vrB(config-if)#tunnel destination 5.2.0.2
    erx1:vrB(config-if)#ip address 10.2.0.0 255.255.0.0
    erx1:vrB(config-if)#exit
  4. On erx2, create two IPsec tunnels, one to carry customer A's traffic and another to carry customer B's traffic. You must create each pair of tunnels in the virtual routers where the IP interfaces reaching those customers are defined. Create the endpoints for the tunnels in the ISP default virtual router.

    Virtual router A:

    erx2(config)#virtual-router vrA
    erx2:vrA(config)#

    Tunnel from Boca to Ottawa on virtual router A:

    erx2:vrA(config)#interface tunnel ipsec:Aboca2ottawa transport-virtual-router default
    erx2:vrA(config-if)#tunnel transform-set customerAprotection
    erx2:vrA(config-if)#tunnel local-identity subnet 10.2.0.0 255.255.0.0
    erx2:vrA(config-if)#tunnel peer-identity subnet 10.1.0.0 255.255.0.0
    erx2:vrA(config-if)#tunnel source 5.2.0.1
    erx2:vrA(config-if)#tunnel destination 5.1.0.1
    erx2:vrA(config-if)#ip address 10.1.0.0 255.255.0.0
    erx2:vrA(config-if)#exit

    Tunnel from Boca to Boston on virtual router A:

    erx2:vrA(config)#interface tunnel ipsec:Aboca2boston transport-virtual-router default
    erx2:vrA(config-if)#tunnel transform-set customerAprotection
    erx2:vrA(config-if)#tunnel local-identity subnet 10.2.0.0 255.255.0.0
    erx2:vrA(config-if)#tunnel peer-identity subnet 10.3.0.0 255.255.0.0
    erx2:vrA(config-if)#tunnel source 5.2.0.1
    erx2:vrA(config-if)#tunnel destination 5.3.0.1
    erx2:vrA(config-if)#ip address 10.3.0.0 255.255.0.0
    erx2:vrA(config-if)#exit

    Virtual router B:

    erx2(config)#virtual-router vrB
    erx2:vrB(config)#

    Tunnel from Boca to Ottawa on virtual router B:

    erx2:vrB(config)#interface tunnel ipsec:Bboca2ottawa transport-virtual-router default
    erx2:vrB(config-if)#tunnel transform-set customerBprotection
    erx2:vrB(config-if)#tunnel local-identity subnet 10.2.0.0 255.255.0.0
    erx2:vrB(config-if)#tunnel peer-identity subnet 10.1.0.0 255.255.0.0
    erx2:vrB(config-if)#tunnel source 5.2.0.2
    erx2:vrB(config-if)#tunnel destination 5.1.0.2
    erx2:vrB(config-if)#ip address 10.1.0.0 255.255.0.0
    erx2:vrB(config-if)#exit

    Tunnel from Boca to Boston on virtual router B:

    erx2:vrB(config)#interface tunnel ipsec:Bboca2boston transport-virtual-router default
    erx2:vrB(config-if)#tunnel transform-set customerBprotection
    erx2:vrB(config-if)#tunnel local-identity subnet 10.2.0.0 255.255.0.0
    erx2:vrB(config-if)#tunnel peer-identity subnet 10.3.0.0 255.255.0.0
    erx2:vrB(config-if)#tunnel source 5.2.0.2
    erx2:vrB(config-if)#tunnel destination 5.3.0.2
    erx2:vrB(config-if)#ip address 10.3.0.0 255.255.0.0
    erx2:vrB(config-if)#exit
  5. Finally, on erx3, create two IPsec tunnels, one to carry customer A's traffic and another to carry customer B's traffic, again in the virtual router that holds each customer's IP interfaces.

    Virtual router A:

    erx3(config)#virtual-router vrA
    erx3:vrA(config)#

    Tunnel from Boston to Ottawa on virtual router A:

    erx3:vrA(config)#interface tunnel ipsec:Aboston2ottawa transport-virtual-router default
    erx3:vrA(config-if)#tunnel transform-set customerAprotection
    erx3:vrA(config-if)#tunnel local-identity subnet 10.3.0.0 255.255.0.0
    erx3:vrA(config-if)#tunnel peer-identity subnet 10.1.0.0 255.255.0.0
    erx3:vrA(config-if)#tunnel source 5.3.0.1
    erx3:vrA(config-if)#tunnel destination 5.1.0.1
    erx3:vrA(config-if)#ip address 10.1.0.0 255.255.0.0
    erx3:vrA(config-if)#exit

    Tunnel from Boston to Boca on virtual router A:

    erx3:vrA(config)#interface tunnel ipsec:Aboston2boca transport-virtual-router default
    erx3:vrA(config-if)#tunnel transform-set customerAprotection
    erx3:vrA(config-if)#tunnel local-identity subnet 10.3.0.0 255.255.0.0
    erx3:vrA(config-if)#tunnel peer-identity subnet 10.2.0.0 255.255.0.0
    erx3:vrA(config-if)#tunnel source 5.3.0.1
    erx3:vrA(config-if)#tunnel destination 5.2.0.1
    erx3:vrA(config-if)#ip address 10.2.0.0 255.255.0.0
    erx3:vrA(config-if)#exit

    Virtual router B:

    erx3(config)#virtual-router vrB
    erx3:vrB(config)#

    Tunnel from Boston to Ottawa on virtual router B:

    erx3:vrB(config)#interface tunnel ipsec:Bboston2ottawa transport-virtual-router default
    erx3:vrB(config-if)#tunnel transform-set customerBprotection
    erx3:vrB(config-if)#tunnel local-identity subnet 10.3.0.0 255.255.0.0
    erx3:vrB(config-if)#tunnel peer-identity subnet 10.1.0.0 255.255.0.0
    erx3:vrB(config-if)#tunnel source 5.3.0.2
    erx3:vrB(config-if)#tunnel destination 5.1.0.2
    erx3:vrB(config-if)#ip address 10.1.0.0 255.255.0.0
    erx3:vrB(config-if)#exit

    Tunnel from Boston to Boca on virtual router B:

    erx3:vrB(config)#interface tunnel ipsec:Bboston2boca transport-virtual-router default
    erx3:vrB(config-if)#tunnel transform-set customerBprotection
    erx3:vrB(config-if)#tunnel local-identity subnet 10.3.0.0 255.255.0.0
    erx3:vrB(config-if)#tunnel peer-identity subnet 10.2.0.0 255.255.0.0
    erx3:vrB(config-if)#tunnel source 5.3.0.2
    erx3:vrB(config-if)#tunnel destination 5.2.0.2
    erx3:vrB(config-if)#ip address 10.2.0.0 255.255.0.0
    erx3:vrB(config-if)#exit

The configuration is complete. Customer A's traffic and customer B's traffic flow through the public, or untrusted, IP network inside separate tunnels, where each packet is encrypted and authenticated (customer B's AH transform set, ah-hmac-md5, authenticates each packet but does not encrypt it). Because each customer's tunnels are defined in that customer's virtual router, the two customers can keep their overlapping 10.x.0.0 address ranges without conflict.
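In both examples every tunnel must be mirrored by its peer: the peer's source and destination are ours reversed, its local and peer identities are ours swapped, it uses the same transform set, and our router holds a preshared key for its address. The following script is an added example, not ERX software or part of this documentation; it parses CLI lines in the style shown above (the mirroring convention is taken from these examples) and reports tunnels that would not pair up. The sample configuration is constructed: erx1 and erx3 mirror each other, while erx2's tunnel uses a source address that nothing on erx1 names as its destination.

```python
import re
# Constructed sample in the page's CLI style: erx1/erx3 mirror each other; erx2's source 100.2.0.2 matches nothing on erx1.
SAMPLE = """
erx1(config)#ipsec key manual pre-share 100.3.0.1
erx1(config)#interface tunnel ipsec:Aottawa2boston
erx1(config-if)#tunnel transform-set customerAprotection
erx1(config-if)#tunnel local-identity subnet 200.1.0.0 255.255.0.0
erx1(config-if)#tunnel peer-identity subnet 200.3.0.0 255.255.0.0
erx1(config-if)#tunnel source 100.1.0.1
erx1(config-if)#tunnel destination 100.3.0.1
erx3(config)#ipsec key manual pre-share 100.1.0.1
erx3:vrA(config)#interface tunnel ipsec:Aboston2ottawa transport-virtual-router default
erx3:vrA(config-if)#tunnel transform-set customerAprotection
erx3:vrA(config-if)#tunnel local-identity subnet 200.3.0.0 255.255.0.0
erx3:vrA(config-if)#tunnel peer-identity subnet 200.1.0.0 255.255.0.0
erx3:vrA(config-if)#tunnel source 100.3.0.1
erx3:vrA(config-if)#tunnel destination 100.1.0.1
erx2(config)#interface tunnel ipsec:Aboca2ottawa
erx2(config-if)#tunnel transform-set customerAprotection
erx2(config-if)#tunnel local-identity subnet 200.2.0.0 255.255.0.0
erx2(config-if)#tunnel peer-identity subnet 200.1.0.0 255.255.0.0
erx2(config-if)#tunnel source 100.2.0.2
erx2(config-if)#tunnel destination 100.1.0.1
"""
PROMPT = re.compile(r"^(\w+)(?::\w+)?\(config(?:-[\w-]+)?\)#(.*)$")  # router[:vr](mode)#command

def parse(text):
    tunnels, keys, cur = [], {}, None  # cur: the tunnel interface currently being configured
    for m in filter(None, map(PROMPT.match, text.splitlines())):
        router, cmd = m.group(1), m.group(2).split()
        if cmd[:2] == ["interface", "tunnel"]:
            tunnels.append(cur := {"router": router, "name": cmd[2]})
        elif cmd[:4] == ["ipsec", "key", "manual", "pre-share"]:
            keys.setdefault(router, set()).add(cmd[4])  # peer address this key is for
        elif cmd[:1] == ["tunnel"] and cur is not None:
            # subnet identities keep (address, mask); transform-set/source/destination take one value
            cur[cmd[1]] = (cmd[3], cmd[4]) if cmd[2:3] == ["subnet"] else cmd[-1]
    return tunnels, keys

def check(text):
    (tunnels, keys), problems = parse(text), []
    for t in tunnels:
        where = f"{t['router']} {t['name']}"
        if t["destination"] not in keys.get(t["router"], set()):
            problems.append(f"{where}: no pre-share key for peer {t['destination']}")
        # the peer side must use our destination as its source and our source as its destination
        u = next((u for u in tunnels if (u["source"], u["destination"]) == (t["destination"], t["source"])), None)
        if u is None:
            problems.append(f"{where}: no tunnel on any peer with source {t['destination']} and destination {t['source']}")
        elif (u["local-identity"], u["peer-identity"], u["transform-set"]) != (t["peer-identity"], t["local-identity"], t["transform-set"]):
            problems.append(f"{where}: identities or transform set not mirrored by {u['router']} {u['name']}")
    return problems
```

Feed it the collected running configuration of all routers before cutover: an empty result means every tunnel has a consistent counterpart and key.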