[Contents] [Prev] [Next] [Index] [Report an Error]

Configuration Notes

Both the local and remote identities shown in these examples serve two purposes:

They identify multiple IPSec tunnels between the same endpoints.
They filter traffic going into and coming out of the tunnels so that it is within the specified range. If the configuration requires that only one IPSec tunnel exists between two endpoints and no traffic filtering is required, you can omit the tunnel local-identity and tunnel peer-identity commands.
Example 1

In Figure 15 customer A is using Frame Relay to connect its corporate offices in three cities: Boston, Ottawa, and Boca.

Figure 15: Customer A's Corporate Frame Relay Network

Image g013054.gif

Customer A hires ISP-X to provide a leased line replacement over an IP infrastructure using IPSec. ISP-X can offer a replacement for long-haul Frame Relay links by creating IPSec tunnels to carry customer A's traffic securely between the sites over the public or ISP-provided IP network. This alternative costs only a fraction of the price of the Frame Relay links. Figure 16 shows the connectivity scheme.

Figure 16: ISP-X Uses ERX Routers to Connect Corporate Offices over the Internet

Image g013053.gif

To configure the connections as shown in Figure 16:

On each ERX router, create a protection suite that provides 3DES encryption with SHA-1 authentication on every packet.erx1(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha erx2(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha erx3(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha
On each ERX router, create preshared keys for the three routers to use to authenticate each other:erx1(config)#ipsec key manual pre-share 100.2.0.1 erx1(config-manual-key)#key customerASecret erx1(config-manual-key)#exit erx1(config)#ipsec key manual pre-share 100.3.0.1 erx1(config-manual-key)#key customerASecret erx1(config-manual-key)#exit erx2(config)#ipsec key manual pre-share 100.1.0.1 erx2(config-manual-key)#key customerASecret erx2(config-manual-key)#exit erx2(config)#ipsec key manual pre-share 100.3.0.1 erx2(config-manual-key)#key customerASecret erx2(config-manual-key)#exit erx3(config)#ipsec key manual pre-share 100.1.0.1 erx3(config-manual-key)#exit erx3(config-manual-key)#key customerASecret erx3(config)#ipsec key manual pre-share 100.2.0.1 erx3(config-manual-key)#key customerASecret erx3(config-manual-key)#exit
On erx1 create two IPSec tunnels, one to carry customer A's traffic between Ottawa and Boston and another to carry the traffic between Ottawa and Boca:
Tunnel 1:
erx1(config)#interface tunnel ipsec:Aottawa2boston erx1(config-if)#tunnel transform-set customerAprotection erx1(config-if)#tunnel local-identity subnet 200.1.0.0 255.255.0.0 erx1(config-if)#tunnel peer-identity subnet 200.3.0.0 255.255.0.0 erx1(config-if)#tunnel source 100.1.0.1 erx1(config-if)#tunnel destination 100.3.0.1 erx1(config-if)#ip address 200.3.0.0 255.255.0.0 erx1(config-if)#exit
Tunnel 2:
erx1(config)#interface tunnel ipsec:Aottawa2boca erx1(config-if)#tunnel transform-set customerAprotection erx1(config-if)#tunnel local-identity subnet 200.1.0.0 255.255.0.0 erx1(config-if)#tunnel peer-identity subnet 200.2.0.0 255.255.0.0 erx1(config-if)#tunnel source 100.1.0.1 erx1(config-if)#tunnel destination 100.2.0.1 erx1(config-if)#ip address 200.2.0.0 255.255.0.0 erx1(config-if)#exit
On erx2 create two IPSec tunnels, one to carry customer A's traffic between Boca and Ottawa and another to carry the traffic between Boca and Boston:
Tunnel 1:
erx2(config)#interface tunnel ipsec:Aboca2ottawa erx2(config-if)#tunnel transform-set customerAprotection erx2(config-if)#tunnel local-identity subnet 200.2.0.0 255.255.0.0 erx2(config-if)#tunnel peer-identity subnet 200.1.0.0 255.255.0.0 erx2(config-if)#tunnel source 100.2.0.1 erx2(config-if)#tunnel destination 100.1.0.1 erx2(config-if)#ip address 200.1.0.0 255.255.0.0 erx2(config-if)#exit
Tunnel 2:
erx2(config)#interface tunnel ipsec:Aboca2boston erx2(config-if)#tunnel transform-set customerAprotection erx2(config-if)#tunnel local-identity subnet 200.2.0.0 255.255.0.0 erx2(config-if)#tunnel peer-identity subnet 200.3.0.0 255.255.0.0 erx2(config-if)#tunnel source 100.2.0.1 erx2(config-if)#tunnel destination 100.3.0.1 erx2(config-if)#ip address 200.3.0.0 255.255.0.0 erx2(config-if)#exit
Finally, on erx3 create two IPSec tunnels, one to carry customer A's traffic between Boston and Ottawa and another to carry the traffic between Boston and Boca:
Tunnel 1:
erx3(config)#interface tunnel ipsec:Aboston2ottawa erx3(config-if)#tunnel transform-set customerAprotection erx3(config-if)#tunnel local-identity subnet 200.3.0.0 255.255.0.0 erx3(config-if)#tunnel peer-identity subnet 200.1.0.0 255.255.0.0 erx3(config-if)#tunnel source 100.3.0.1 erx3(config-if)#tunnel destination 100.1.0.1 erx3(config-if)#ip address 200.1.0.0 255.255.0.0 erx3(config-if)#exit
Tunnel 2:
erx3(config)#interface tunnel ipsec:Aboston2boca erx3(config-if)#tunnel transform-set customerAprotection erx3(config-if)#tunnel local-identity subnet 200.3.0.0 255.255.0.0 erx3(config-if)#tunnel peer-identity subnet 200.2.0.0 255.255.0.0 erx3(config-if)#tunnel source 100.3.0.1 erx3(config-if)#tunnel destination 100.2.0.1 erx3(config-if)#ip address 200.2.0.0 255.255.0.0 erx3(config-if)#exit

The configuration is complete. Now customer A traffic between different cities flows through the public, or untrusted, IP network inside a tunnel, where each packet is encrypted and authenticated. Of course, this example shows the basic secure encapsulation of customer traffic over the untrusted IP network. You can add features such as key refreshing.

Example 2

Example 2, shown in Figure 17, enhances the previous example by having the same ISP-X providing leased line replacement to two customers who use address schemes in the same range. There are two ways to solve scenarios in which different customers use similar IP address schemes:

One solution is to have different transport virtual routers—a configuration similar to example 1, except that a different VR domain is possible.
Another solution, as described in this example, simply duplicates the endpoints for the transport VR. This example assumes that the transport VR is the default VR.
Figure 17: Connecting Customers Who Use Similar Address Schemes

To configure the connections as shown in Figure 17:

On each ERX router, create a protection suite that provides customer A with 3DES encryption and SHA-1 authentication, and customer B with AH authentication using MD5.erx1(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha erx1(config)#ipsec transform-set customerBprotection ah-hmac-md5 erx2(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha erx2(config)#ipsec transform-set customerBprotection ah-hmac-md5 erx3(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha erx3(config)#ipsec transform-set customerBprotection ah-hmac-md5
On each ERX router, create a protection suite for the three routers to use to authenticate each other:erx1(config)#ipsec key manual pre-share 5.2.0.1 erx1(config-manual-key)#key customerASecret erx1(config-manual-key)#exit erx1(config)#ipsec key manual pre-share 5.3.0.1 erx1(config-manual-key)#key customerASecret erx1(config-manual-key)#exit erx1(config)#ipsec key manual pre-share 5.2.0.2 erx1(config-manual-key)#key customerBSecret erx1(config-manual-key)#exit erx1(config)#ipsec key manual pre-share 5.3.0.2 erx1(config-manual-key)#key customerBSecret erx1(config-manual-key)#exit erx2(config)#ipsec key manual pre-share 5.1.0.1 erx2(config-manual-key)#key customerASecret erx2(config-manual-key)#exit erx2(config)#ipsec key manual pre-share 5.3.0.1 erx2(config-manual-key)#key customerASecret erx2(config-manual-key)#exit erx2(config)#ipsec key manual pre-share 5.1.0.2 erx2(config-manual-key)#key customerBSecret erx2(config-manual-key)#exit erx2(config)#ipsec key manual pre-share 5.3.0.2 erx2(config-manual-key)#key customerBSecret erx2(config-manual-key)#exit erx3(config)#ipsec key manual pre-share 5.1.0.1 erx3(config-manual-key)#key customerASecret erx3(config-manual-key)#exit erx3(config)#ipsec key manual pre-share 5.2.0.1 erx3(config-manual-key)#key customerASecret erx3(config-manual-key)#exit erx3(config)#ipsec key manual pre-share 5.1.0.2 erx3(config-manual-key)#key customerBSecret erx3(config-manual-key)#exit erx3(config)#ipsec key manual pre-share 5.2.0.2 erx3(config-manual-key)#key customerBSecret erx3(config-manual-key)#exit
On erx1, create two IPSec tunnels, one to carry customer A's traffic and another to carry customer B's traffic. You must create each pair of tunnels in the virtual routers where the IP interfaces reaching those customers are defined. Create the endpoints for the tunnels in the ISP default virtual router.
Virtual router A:
erx1(config)#virtual-router vrA erx1:vrA(config)#
Tunnel from Ottawa to Boston on virtual router A:
erx1:vrA(config)#interface tunnel ipsec:Aottawa2boston transport-virtual-router default erx1:vrA(config-if)#tunnel transform-set customerAprotection erx1:vrA(config-if)#tunnel local-identity subnet 10.1.0.0 255.255.0.0 erx1:vrA(config-if)#tunnel peer-identity subnet 10.3.0.0 255.255.0.0 erx1:vrA(config-if)#tunnel source 5.1.0.1 erx1:vrA(config-if)#tunnel destination 5.3.0.1 erx1:vrA(config-if)#ip address 10.3.0.0 255.255.0.0 erx1:vrA(config-if)#exit
Tunnel from Ottawa to Boca on virtual router A:
erx1:vrA(config)#interface tunnel ipsec:Aottawa2boca transport-virtual-router default erx1:vrA(config-if)#tunnel transform-set customerAprotection erx1:vrA(config-if)#tunnel local-identity subnet 10.1.0.0 255.255.0.0 erx1:vrA(config-if)#tunnel peer-identity subnet 10.2.0.0 255.255.0.0 erx1:vrA(config-if)#tunnel source 5.1.0.1 erx1:vrA(config-if)#tunnel destination 5.2.0.1 erx1:vrA(config-if)#ip address 10.2.0.0 255.255.0.0 erx1:vrA(config-if)#exit
Virtual router B:
erx1(config)#virtual-router vrB erx1:vrB(config)#
Tunnel from Ottawa to Boston on virtual router B:
erx1:vrB(config)#interface tunnel ipsec:Bottawa2boston transport-virtual-router default erx1:vrB(config-if)#tunnel transform-set customerBprotection erx1:vrB(config-if)#tunnel local-identity subnet 10.1.0.0 255.255.0.0 erx1:vrB(config-if)#tunnel peer-identity subnet 10.3.0.0 255.255.0.0 erx1:vrB(config-if)#tunnel source 5.1.0.2 erx1:vrB(config-if)#tunnel destination 5.3.0.2 erx1:vrB(config-if)#ip address 10.3.0.0 255.255.0.0 erx1:vrB(config-if)#exit
Tunnel from Ottawa to Boca on virtual router B:
erx1:vrB(config)#interface tunnel ipsec:Bottawa2boca transport-virtual-router default erx1:vrB(config-if)#tunnel transform-set customerBprotection erx1:vrB(config-if)#tunnel local-identity subnet 10.1.0.0 255.255.0.0 erx1:vrB(config-if)#tunnel peer-identity subnet 10.2.0.0 255.255.0.0 erx1:vrB(config-if)#tunnel source 5.1.0.2 erx1:vrB(config-if)#tunnel destination 5.2.0.2 erx1:vrB(config-if)#ip address 10.2.0.0 255.255.0.0 erx1:vrB(config-if)#exit
On erx2, create two IPSec tunnels, one to carry customer A's traffic and another to carry customer B's traffic. You must create each pair of tunnels in the virtual routers where the IP interfaces reaching those customers are defined. Create the endpoints for the tunnels in the ISP default virtual router.
Virtual router A:
erx2(config)#virtual-router vrA erx2:vrA(config)#
Tunnel from Boca to Ottawa on virtual router A:
erx2:vrA(config)#interface tunnel ipsec:Aboca2ottawa transport-virtual-router default erx2:vrA(config-if)#tunnel transform-set customerAprotection erx2:vrA(config-if)#tunnel local-identity subnet 10.2.0.0 255.255.0.0 erx2:vrA(config-if)#tunnel peer-identity subnet 10.1.0.0 255.255.0.0 erx2:vrA(config-if)#tunnel source 5.2.0.1 erx2:vrA(config-if)#tunnel destination 5.1.0.1 erx2:vrA(config-if)#ip address 10.1.0.0 255.255.0.0 erx2:vrA(config-if)#exit
Tunnel from Boca to Boston on virtual router A:
erx2:vrA(config)#interface tunnel ipsec:Aboca2boston transport-virtual-router default erx2:vrA(config-if)#tunnel transform-set customerAprotection erx2:vrA(config-if)#tunnel local-identity subnet 10.2.0.0 255.255.0.0 erx2:vrA(config-if)#tunnel peer-identity subnet 10.3.0.0 255.255.0.0 erx2:vrA(config-if)#tunnel source 5.2.0.1 erx2:vrA(config-if)#tunnel destination 5.3.0.1 erx2:vrA(config-if)#ip address 10.3.0.0 255.255.0.0 erx2:vrA(config-if)#exit
Virtual router B:
erx2(config)#virtual-router vrB erx2:vrB(config)#
Tunnel from Boca to Ottawa on virtual router B:
erx2:vrB(config)#interface tunnel ipsec:Bboca2ottawa transport-virtual-router default erx2:vrB(config-if)#tunnel transform-set customerBprotection erx2:vrB(config-if)#tunnel local-identity subnet 10.2.0.0 255.255.0.0 erx2:vrB(config-if)#tunnel peer-identity subnet 10.1.0.0 255.255.0.0 erx2:vrB(config-if)#tunnel source 5.2.0.2 erx2:vrB(config-if)#tunnel destination 5.1.0.2 erx2:vrB(config-if)#ip address 10.1.0.0 255.255.0.0 erx2:vrB(config-if)#exit
Tunnel from Boca to Boston on virtual router B:
erx2:vrB(config)#interface tunnel ipsec:Bboca2boston transport-virtual-router default erx2:vrB(config-if)#tunnel transform-set customerBprotection erx2:vrB(config-if)#tunnel local-identity subnet 10.2.0.0 255.255.0.0 erx2:vrB(config-if)#tunnel peer-identity subnet 10.3.0.0 255.255.0.0 erx2:vrB(config-if)#tunnel source 5.2.0.2 erx2:vrB(config-if)#tunnel destination 5.3.0.2 erx2:vrB(config-if)#ip address 10.3.0.0 255.255.0.0 erx2:vrB(config-if)#exit
Last, on erx3, create two IPSec tunnels, one to carry customer A's traffic and another to carry customer B's traffic.
Virtual router A:
erx3(config)#virtual-router vrA erx3:vrA(config)#
Tunnel from Boston to Ottawa on virtual router A:
erx3:vrA(config)#interface tunnel ipsec:Aboston2ottawa transport-virtual-router default erx3:vrA(config-if)#tunnel transform-set customerAprotection erx3:vrA(config-if)#tunnel local-identity subnet 10.3.0.0 255.255.0.0 erx3:vrA(config-if)#tunnel peer-identity subnet 10.1.0.0 255.255.0.0 erx3:vrA(config-if)#tunnel source 5.3.0.1 erx3:vrA(config-if)#tunnel destination 5.1.0.1 erx3:vrA(config-if)#ip address 10.1.0.0 255.255.0.0 erx3:vrA(config-if)#exit
Tunnel from Boston to Boca on virtual router A:
erx3:vrA(config)#interface tunnel ipsec:Aboston2boca transport-virtual-router default erx3:vrA(config-if)#tunnel transform-set customerAprotection erx3:vrA(config-if)#tunnel local-identity subnet 10.3.0.0 255.255.0.0 erx3:vrA(config-if)#tunnel peer-identity subnet 10.2.0.0 255.255.0.0 erx3:vrA(config-if)#tunnel source 5.3.0.1 erx3:vrA(config-if)#tunnel destination 5.2.0.1 erx3:vrA(config-if)#ip address 10.1.0.0 255.255.0.0 erx3:vrA(config-if)#exit
Virtual router B:
erx3(config)#virtual-router vrB erx3:vrB(config)#
Tunnel from Boston to Ottawa on virtual router B:
erx3:vrB(config)#interface tunnel ipsec:Bboston2ottawa transport-virtual-router default erx3:vrB(config-if)#tunnel transform-set customerBprotection erx3:vrB(config-if)#tunnel local-identity subnet 10.3.0.0 255.255.0.0 erx3:vrB(config-if)#tunnel peer-identity subnet 10.1.0.0 255.255.0.0 erx3:vrB(config-if)#tunnel source 5.3.0.1 erx3:vrB(config-if)#tunnel destination 5.1.0.1 erx3:vrB(config-if)#ip address 10.1.0.0 255.255.0.0 erx3:vrB(config-if)#exit
Tunnel from Boston to Boca on virtual router B:
erx3:vrB(config)#interface tunnel ipsec:Bboston2boca transport-virtual-router default erx3:vrB(config-if)#tunnel transform-set customerBprotection erx3:vrB(config-if)#tunnel local-identity subnet 10.3.0.0 255.255.0.0 erx3:vrB(config-if)#tunnel peer-identity subnet 10.2.0.0 255.255.0.0 erx3:vrB(config-if)#tunnel source 5.3.0.1 erx3:vrB(config-if)#tunnel destination 5.2.0.1 erx3:vrB(config-if)#ip address 10.2.0.0 255.255.0.0 erx3:vrB(config-if)#exit

The configuration is complete. Customer A's traffic and customer B's traffic can flow through the public, or untrusted, IP network inside a tunnel, where each packet is encrypted and authenticated.

[Contents] [Prev] [Next] [Index] [Report an Error]