
    Configuring an IPsec Transport Profile

    To configure an IPsec transport profile that is used to secure DVMRP, GRE, or L2TP tunnels:

    1. Create the profile. For more information about creating an IPsec transport profile, see Creating an IPsec Transport Profile.
      host1(config)#ipsec transport profile secureGre virtual-router default ip address 5.5.5.5
      host1(config-ipsec-transport-profile)#
    2. Specify one or more types of application that the profile secures. For more information about configuring the types of application created with an IPsec transport profile, see Configuring the Type of Application Secured by Connections Created with an IPsec Transport Profile.
      host1(config-ipsec-transport-profile)#application gre dvmrp l2tp

    You can set any of the following parameters for the profile:

    • Set a lifetime range for the IPsec connection in volume of traffic or seconds. For more information about setting a lifetime range for an IPsec transport profile, see Setting a Lifetime Range for an IPsec Transport Profile.
      host1(config-ipsec-transport-profile)#lifetime seconds 3600 28800 kilobytes 102400 4294967295
    • Configure Perfect Forward Secrecy (PFS) for connections created with this IPsec transport profile. For more information about configuring the PFS for an IPsec transport profile, see Configuring Perfect Forward Secrecy for an IPsec Transport Profile.
      host1(config-ipsec-transport-profile)#pfs group 5
    • Specify one or more transform sets that an IPsec transport connection uses to negotiate a transform algorithm. For more information about configuring the transform set for an IPsec transport profile, see Configuring Transform Sets for an IPsec Transport Profile.
      host1(config-ipsec-transport-profile)#transform-set esp-3des-hmac-sha esp-3des-hmac-md5

      To display the available transform sets, issue the transform-set ? command.

    • Specify the local endpoint (for L2TP, the LNS address) of the IPsec transport connection and enter Local IPsec Transport Profile mode. For more information about configuring a local endpoint for an IPsec transport profile, see Configuring a Local Endpoint for an IPsec Transport Profile.
      host1(config-ipsec-transport-profile)#local ip address 10.10.1.1
      host1(config-ipsec-transport-profile-local)#
    • (Optional) Configure a key for IKE negotiations.

      Enter the unencrypted key. The router encrypts the key and stores it in encrypted form. You can no longer retrieve the unencrypted key. For more information about configuring an unencrypted preshared key for a local IPsec transport profile, see Configuring an Unencrypted Preshared Key for a Local IPsec Transport Profile. For example:

      host1(config-ipsec-transport-profile-local)#pre-share secretforGre
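
An added example, not part of the original documentation: a Python check that parses the profile commands shown above and flags transform sets that use 3DES or HMAC-MD5, a PFS group of 1536 bits or less, and a kilobyte lifetime ceiling above the 32 GiB birthday bound of a 64-bit block cipher. It assumes that `pfs group N` selects the MODP group with the same number; the function names and finding codes are illustrative.

```python
import re

# Constructed sample: the profile commands shown on this page, prompts included.
SAMPLE = """\
host1(config)#ipsec transport profile secureGre virtual-router default ip address 5.5.5.5
host1(config-ipsec-transport-profile)#application gre dvmrp l2tp
host1(config-ipsec-transport-profile)#lifetime seconds 3600 28800 kilobytes 102400 4294967295
host1(config-ipsec-transport-profile)#pfs group 5
host1(config-ipsec-transport-profile)#transform-set esp-3des-hmac-sha esp-3des-hmac-md5
"""

# A 64-bit block cipher reaches its birthday bound near 2**32 blocks of 8 bytes (32 GiB).
BIRTHDAY_KB_64BIT = (2**32 * 8) // 1024
# Assumption: "pfs group N" selects the MODP group with the same number (value = bits).
WEAK_DH_GROUPS = {1: 768, 2: 1024, 5: 1536}


def parse_profile(text):
    """Return the audited settings of one transport profile as a dict."""
    cfg = {"transforms": [], "pfs": None, "max_kb": None}
    for line in text.splitlines():
        cmd = line.split("#", 1)[-1].split()  # drop the CLI prompt, if any
        if not cmd:
            continue
        if cmd[0] == "transform-set":
            cfg["transforms"] = cmd[1:]
        elif cmd[:2] == ["pfs", "group"]:
            cfg["pfs"] = int(cmd[2])
        elif cmd[0] == "lifetime":
            # The range is given as "<minimum> <maximum>"; keep the maximum.
            m = re.search(r"kilobytes\s+(\d+)\s+(\d+)", " ".join(cmd))
            if m:
                cfg["max_kb"] = int(m.group(2))
    return cfg


def audit(cfg):
    """Return a sorted list of finding codes for the parsed profile."""
    findings = set()
    uses_3des = any("3des" in t for t in cfg["transforms"])
    if uses_3des:
        findings.add("3DES")
    if any(t.endswith("-md5") for t in cfg["transforms"]):
        findings.add("HMAC-MD5")
    if cfg["pfs"] in WEAK_DH_GROUPS:
        findings.add("WEAK-DH-%d" % WEAK_DH_GROUPS[cfg["pfs"]])
    if uses_3des and cfg["max_kb"] and cfg["max_kb"] > BIRTHDAY_KB_64BIT:
        findings.add("REKEY-VOLUME")
    return sorted(findings)
```

Running `audit(parse_profile(SAMPLE))` on the commands from this page reports all four findings; lowering the kilobyte ceiling below 33554432 clears only the rekey-volume finding.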

    Published: 2014-08-12