[Contents] [Prev] [Next] [Index] [Report an Error]

Creating an IPSec Tunnel

To create an IPSec tunnel:

Enter virtual router mode. Specify the VR that contains the source and destination addresses assigned to the tunnel interface. host1(config)#virtual-router vrA host1:vrA(config)#
Create an IPSec tunnel, and specify the transport VR.host1:vrA(config)#interface tunnel ipsec:Aottawa2boston transport-virtual-router default host1:vrA(config-if)#
Specify the IP address of this tunnel interface.host1:vrA(config-if)#ip address 10.3.0.0 255.255.0.0
Specify the transform set that ISAKMP uses for SA negotiations.host1:vrA(config-if)#tunnel transform-set customerAprotection
Configure the local endpoint of the tunnel.host1:vrA(config-if)#tunnel local-identity subnet 10.1.0.0 255.255.0.0
Configure the peer endpoint of the tunnel.host1:vrA(config-if)#tunnel peer-identity subnet 10.3.0.0 255.255.0.0
Specify an existing interface address that the tunnel uses as its source address.host1:vrA(config-if)#tunnel source 5.1.0.1
Specify the address or identity of the tunnel destination endpoint. host1:vrA(config-if)#tunnel destination identity branch245.customer77.isp.net host1:vrA(config-if)#exit

Note: FQDNs are used when tunnel destination endpoints do not have a fixed address, as in cable and DSL environments.
For manual tunnels, specify the algorithm sets and the session key used for inbound SAs and for outbound SAs.host1:vrA(config-if)#tunnel session-key-inbound esp-des-hmac-md5 a7bd567917bd5679 bd5678a7bd567917bd567917bd567678 host1:vrA(config-if)#tunnel session-key-outbound esp-3des-hmac-md5 421 567917bd567917bd567917bd545a17bd567917bd56784a7b fda183bef567917bd567917bd567917b
(Optional) Configure PFS on this tunnel.host1:vrA(config-if)#tunnel pfs group 5
(Optional) Set the tunnel type to signaled or manual. The default is signaled.host1:vrA(config-if)#tunnel signaling isakmp
(Optional) Set the renegotiation time of the SAs in use by this tunnel.host1(config-if)#tunnel lifetime seconds 48000 kilobytes 249000
(Optional) Set the MTU size for the tunnel.host1(config-if)#tunnel mtu 2240

interface tunnel

Use to create or configure an IPSec tunnel interface.
Use the transport-virtual-router keyword to establish the tunnel on a virtual router other than the current virtual router context.
Examplehost1(config)#interface tunnel ipsec:jak transport-virtual-router tvr041 host1(config-if)#
Use the no version to remove the tunnel.
See interface tunnel.

tunnel destination

Use to set the address or identity of the remote tunnel endpoint.
- For signaled IPSec tunnels in cable or DSL environments, use the FQDN to identify the remote tunnel endpoint, which does not have a fixed IP address.
- The identity string can include an optional user@ specification preceding the FQDN.
Example 1host1(config-if)#tunnel destination 10.10.11.12
Example 2host1(config-if)#tunnel destination identity branch245.customer77.isp.net
Example 3host1(config-if)#tunnel destination identity user4919@branch245.customer77.isp.net
Use the no version to remove the address.
See tunnel destination.

tunnel lifetime

Use to set the renegotiation time of the SAs in use by this tunnel.
To configure the lifetime in number of seconds, use the seconds keyword to specify the lifetime in the range 1800–864000.The default value is 28800 seconds.
To configure the lifetime in amount of traffic, use the kilobytes keyword to specify the lifetime in the range 102400–4294967295. The default is an unlimited volume.
If you include the seconds keyword as the first keyword on the command line, you can also include the kilobytes keyword on the same line.
Before either the volume of traffic or number of seconds limit is reached, the SA is renegotiated, which ensures that the tunnel does not go down during renegotiation.
Examplehost1(config-if)#tunnel lifetime seconds 48000 kilobytes 249000
Use the no version to restore the default lifetime (28800 seconds) and an unlimited volume.
See tunnel lifetime.

tunnel local-identity

Use to configure the local identity (selector) of the tunnel. Specify the identity using one of the following keywords:
- address—Specifies an IP address as the local identity
- subnet—Specifies a subnet as the local identity
- range—Specifies a range of IP addresses as the local identity
Example 1host1(config-if)#tunnel local-identity range 10.10.1.1 10.10.2.1
Example 2host1(config-if)#tunnel local-identity subnet 10.10.1.1 255.255.255.0
Use the no version to restore the default identity, which is subnet 0.0.0.0
0.0.0.0
See tunnel local-identity.

tunnel mtu

Use to set the MTU size for the tunnel.
Examplehost1(config-if)#tunnel mtu 2240
Use the no version to restore the default MTU (1440).
See tunnel mtu.

tunnel peer-identity

Use to configure the peer identity (selector) that ISAKMP uses. Specify the identity using one of the following keywords:
- address—Specifies an IP address as the peer identity
- subnet—Specifies a subnet as the peer identity
- range—Specifies a range of IP addresses as the peer identity
Example 1host1(config-if)#tunnel peer-identity range 10.10.1.1 10.10.2.2
Example 2host1(config-if)#tunnel peer-identity subnet 130.10.1.1 255.255.255.0
Use the no version to remove the peer identity.
See tunnel peer-identity.

tunnel pfs group

Use to configure perfect forward secrecy (PFS) on this tunnel.
Assign a Diffie-Hellman prime modulus group using one of the following keywords:
- 1—768-bit group
- 2—1024-bit group
- 5—1536-bit group
Example host1(config-if)#tunnel pfs group 5
Use the no version to remove PFS from this tunnel.
See tunnel pfs group.

tunnel session-key-inbound

Use to manually configure the authentication or encryption algorithm sets and session keys for inbound SAs on a tunnel. You can enter this command only on tunnels that have tunnel signaling set to manual.
Use the online Help to see a list of available algorithm sets.
Each key is an arbitrary hexadecimal string. If the algorithm set includes:
- DES, create an 8-byte key using 16 hexadecimal characters
- 3DES, create a 24-byte key using 48 hexadecimal characters
- MD5, create a 16-byte key using 32 hexadecimal characters
- SHA, create a 20-byte key using 40 hexadecimal characters
Examplehost1(config-if)#tunnel session-key-inbound esp-des-hmac-md5 a7bd567917bd5679 bd5678a7bd567917bd567917bd567678
Use the no version to remove inbound session keys from a tunnel.
See tunnel session-key-inbound.

tunnel session-key-outbound

Use to manually configure the authentication or encryption algorithm sets, SPI, and session keys for outbound SAs on a tunnel. You can enter this command only on tunnels that have tunnel signaling set to manual.
Use the online Help to see a list of available algorithm sets.
The SPI is a number in the range 256–4294967295 that identifies an SA.
Each key is an arbitrary hexadecimal string. If the algorithm set includes:
- DES, create an 8-byte key using 16 hexadecimal characters
- 3DES, create a 24-byte key using 48 hexadecimal characters
- MD5, create a 16-byte key using 32 hexadecimal characters
- SHA, create a 20-byte key using 40 hexadecimal characters
Examplehost1(config-if)#tunnel session-key-outbound esp-3des-hmac-md5 421 567917bd567917bd567917bd545a17bd567917bd56784a7b fda183bef567917bd567917bd567917b
Use the no version to remove outbound session keys from a tunnel.
See tunnel session-key-outbound.

tunnel signaling

Use to set the tunnel type to signaled (ISAKMP) or manual. Specify a keyword:
- isakmp—Specifies to use ISAKMP/IKE to negotiate SAs and to establish keys
- manual—Specifies that security parameters and keys are configured manually
Examplehost1(config-if)#tunnel signaling manual
Use the no version to restore the default value, isakmp.
See tunnel signaling.

tunnel source

Use to specify an existing interface address that serves as the tunnel's source address.
For signaled IPSec tunnels in cable or DSL environments, you can optionally use an FQDN to identify the tunnel endpoint.
Examplehost1(config-if)#tunnel source 10.10.2.8
Use the no version to remove the tunnel source.
See tunnel source.

tunnel transform-set

Use to specify the transform set that ISAKMP uses during SA negotiations on this tunnel. You create transform sets using the ipsec transform-set command.
Examplehost1(config-if)#tunnel transform-set espSet
Use the no version to remove the transform set from a tunnel.
See tunnel transform-set.

[Contents] [Prev] [Next] [Index] [Report an Error]