Configuration Examples
This section contains examples of two IPSec applications. The first example shows a customer who replaces a leased line network with an IPSec network that allows the company to connect its corporate locations over the Internet. The second example provides leased line replacement to two customers who use address schemes in the same range.
Configuration Notes
Both the local and remote identities shown in these examples serve two purposes:
- They identify multiple IPSec tunnels between the same endpoints.
- They filter traffic going into and coming out of the tunnels so that it is within the specified range. If the configuration requires that only one IPSec tunnel exists between two endpoints and no traffic filtering is required, you can omit the tunnel local-identity and tunnel peer-identity commands.
Example 1
In Figure 15 customer A is using Frame Relay to connect its corporate offices in three cities: Boston, Ottawa, and Boca.
Customer A hires ISP-X to provide a leased line replacement over an IP infrastructure using IPSec. ISP-X can offer a replacement for long-haul Frame Relay links by creating IPSec tunnels to carry customer A's traffic securely between the sites over the public or ISP-provided IP network. This alternative costs only a fraction of the price of the Frame Relay links. Figure 16 shows the connectivity scheme.
To configure the connections as shown in Figure 16:
- On each ERX router, create a protection suite that provides 3DES encryption with SHA-1 authentication on every packet.
- On each ERX router, create preshared keys for the three routers to use to authenticate each other:
- On erx1 create two IPSec tunnels, one to carry customer A's traffic between Ottawa and Boston and another to carry the traffic between Ottawa and Boca:
erx1(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha
erx2(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha
erx3(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha
erx1(config)#ipsec key manual pre-share 100.2.0.1
erx1(config-manual-key)#key customerASecret
erx1(config-manual-key)#exit
erx1(config)#ipsec key manual pre-share 100.3.0.1
erx1(config-manual-key)#key customerASecret
erx1(config-manual-key)#exit
erx2(config)#ipsec key manual pre-share 100.1.0.1
erx2(config-manual-key)#key customerASecret
erx2(config-manual-key)#exit
erx2(config)#ipsec key manual pre-share 100.3.0.1
erx2(config-manual-key)#key customerASecret
erx2(config-manual-key)#exit
erx3(config)#ipsec key manual pre-share 100.1.0.1
erx3(config-manual-key)#exit
erx3(config-manual-key)#key customerASecret
erx3(config)#ipsec key manual pre-share 100.2.0.1
erx3(config-manual-key)#key customerASecret
erx3(config-manual-key)#exit
erx1(config)#interface tunnel ipsec:Aottawa2boston
erx1(config-if)#tunnel transform-set customerAprotection
erx1(config-if)#tunnel local-identity subnet 200.1.0.0 255.255.0.0
erx1(config-if)#tunnel peer-identity subnet 200.3.0.0 255.255.0.0
erx1(config-if)#tunnel source 100.1.0.1
erx1(config-if)#tunnel destination 100.3.0.1
erx1(config-if)#ip address 200.3.0.0 255.255.0.0
erx1(config-if)#exit
erx1(config)#interface tunnel ipsec:Aottawa2boca
erx1(config-if)#tunnel transform-set customerAprotection
erx1(config-if)#tunnel local-identity subnet 200.1.0.0 255.255.0.0
erx1(config-if)#tunnel peer-identity subnet 200.2.0.0 255.255.0.0
erx1(config-if)#tunnel source 100.1.0.1
erx1(config-if)#tunnel destination 100.2.0.1
erx1(config-if)#ip address 200.2.0.0 255.255.0.0
erx1(config-if)#exit
- On erx2 create two IPSec tunnels, one to carry customer A's traffic between Boca and Ottawa and another to carry the traffic between Boca and Boston:
erx2(config)#interface tunnel ipsec:Aboca2ottawa
erx2(config-if)#tunnel transform-set customerAprotection
erx2(config-if)#tunnel local-identity subnet 200.2.0.0 255.255.0.0
erx2(config-if)#tunnel peer-identity subnet 200.1.0.0 255.255.0.0
erx2(config-if)#tunnel source 100.2.0.1
erx2(config-if)#tunnel destination 100.1.0.1
erx2(config-if)#ip address 200.1.0.0 255.255.0.0
erx2(config-if)#exit
erx2(config)#interface tunnel ipsec:Aboca2boston
erx2(config-if)#tunnel transform-set customerAprotection
erx2(config-if)#tunnel local-identity subnet 200.2.0.0 255.255.0.0
erx2(config-if)#tunnel peer-identity subnet 200.3.0.0 255.255.0.0
erx2(config-if)#tunnel source 100.2.0.1
erx2(config-if)#tunnel destination 100.3.0.1
erx2(config-if)#ip address 200.3.0.0 255.255.0.0
erx2(config-if)#exit
- Finally, on erx3 create two IPSec tunnels, one to carry customer A's traffic between Boston and Ottawa and another to carry the traffic between Boston and Boca:
erx3(config)#interface tunnel ipsec:Aboston2ottawa
erx3(config-if)#tunnel transform-set customerAprotection erx3(config-if)#tunnel local-identity subnet 200.3.0.0 255.255.0.0
erx3(config-if)#tunnel peer-identity subnet 200.1.0.0 255.255.0.0
erx3(config-if)#tunnel source 100.3.0.1
erx3(config-if)#tunnel destination 100.1.0.1
erx3(config-if)#ip address 200.1.0.0 255.255.0.0
erx3(config-if)#exit
erx3(config)#interface tunnel ipsec:Aboston2boca
erx3(config-if)#tunnel transform-set customerAprotection
erx3(config-if)#tunnel local-identity subnet 200.3.0.0 255.255.0.0
erx3(config-if)#tunnel peer-identity subnet 200.2.0.0 255.255.0.0
erx3(config-if)#tunnel source 100.3.0.1
erx3(config-if)#tunnel destination 100.2.0.1
erx3(config-if)#ip address 200.2.0.0 255.255.0.0
erx3(config-if)#exit
The configuration is complete. Now customer A traffic between different cities flows through the public, or untrusted, IP network inside a tunnel, where each packet is encrypted and authenticated. Of course, this example shows the basic secure encapsulation of customer traffic over the untrusted IP network. You can add features such as key refreshing.
Example 2
Example 2, shown in Figure 17, enhances the previous example by having the same ISP-X providing leased line replacement to two customers who use address schemes in the same range. There are two ways to solve scenarios in which different customers use similar IP address schemes:
- One solution is to have different transport virtual routers—a configuration similar to example 1, except that a different VR domain is possible.
- Another solution, as described in this example, simply duplicates the endpoints for the transport VR. This example assumes that the transport VR is the default VR.
To configure the connections as shown in Figure 17:
- On each ERX router, create a protection suite that provides customer A with 3DES encryption and SHA-1 authentication, and customer B with AH authentication using MD5.
- On each ERX router, create a protection suite for the three routers to use to authenticate each other:
- On erx1, create two IPSec tunnels, one to carry customer A's traffic and another to carry customer B's traffic. You must create each pair of tunnels in the virtual routers where the IP interfaces reaching those customers are defined. Create the endpoints for the tunnels in the ISP default virtual router.
erx1(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha
erx1(config)#ipsec transform-set customerBprotection ah-hmac-md5
erx2(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha
erx2(config)#ipsec transform-set customerBprotection ah-hmac-md5
erx3(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha
erx3(config)#ipsec transform-set customerBprotection ah-hmac-md5
erx1(config)#ipsec key manual pre-share 5.2.0.1
erx1(config-manual-key)#key customerASecret
erx1(config-manual-key)#exit
erx1(config)#ipsec key manual pre-share 5.3.0.1
erx1(config-manual-key)#key customerASecret
erx1(config-manual-key)#exit
erx1(config)#ipsec key manual pre-share 5.2.0.2
erx1(config-manual-key)#key customerBSecret
erx1(config-manual-key)#exit
erx1(config)#ipsec key manual pre-share 5.3.0.2
erx1(config-manual-key)#key customerBSecret
erx1(config-manual-key)#exit
erx2(config)#ipsec key manual pre-share 5.1.0.1
erx2(config-manual-key)#key customerASecret
erx2(config-manual-key)#exit
erx2(config)#ipsec key manual pre-share 5.3.0.1
erx2(config-manual-key)#key customerASecret
erx2(config-manual-key)#exit
erx2(config)#ipsec key manual pre-share 5.1.0.2
erx2(config-manual-key)#key customerBSecret
erx2(config-manual-key)#exit
erx2(config)#ipsec key manual pre-share 5.3.0.2
erx2(config-manual-key)#key customerBSecret
erx2(config-manual-key)#exit
erx3(config)#ipsec key manual pre-share 5.1.0.1
erx3(config-manual-key)#key customerASecret
erx3(config-manual-key)#exit
erx3(config)#ipsec key manual pre-share 5.2.0.1
erx3(config-manual-key)#key customerASecret
erx3(config-manual-key)#exit
erx3(config)#ipsec key manual pre-share 5.1.0.2
erx3(config-manual-key)#key customerBSecret
erx3(config-manual-key)#exit
erx3(config)#ipsec key manual pre-share 5.2.0.2
erx3(config-manual-key)#key customerBSecret
erx3(config-manual-key)#exit
erx1(config)#virtual-router vrA
erx1:vrA(config)#
Tunnel from Ottawa to Boston on virtual router A:
erx1:vrA(config)#interface tunnel ipsec:Aottawa2boston transport-virtual-router default
erx1:vrA(config-if)#tunnel transform-set customerAprotection
erx1:vrA(config-if)#tunnel local-identity subnet 10.1.0.0 255.255.0.0
erx1:vrA(config-if)#tunnel peer-identity subnet 10.3.0.0 255.255.0.0
erx1:vrA(config-if)#tunnel source 5.1.0.1
erx1:vrA(config-if)#tunnel destination 5.3.0.1
erx1:vrA(config-if)#ip address 10.3.0.0 255.255.0.0
erx1:vrA(config-if)#exit
Tunnel from Ottawa to Boca on virtual router A:
erx1:vrA(config)#interface tunnel ipsec:Aottawa2boca transport-virtual-router default
erx1:vrA(config-if)#tunnel transform-set customerAprotection
erx1:vrA(config-if)#tunnel local-identity subnet 10.1.0.0 255.255.0.0
erx1:vrA(config-if)#tunnel peer-identity subnet 10.2.0.0 255.255.0.0
erx1:vrA(config-if)#tunnel source 5.1.0.1
erx1:vrA(config-if)#tunnel destination 5.2.0.1
erx1:vrA(config-if)#ip address 10.2.0.0 255.255.0.0
erx1:vrA(config-if)#exit
erx1(config)#virtual-router vrB
erx1:vrB(config)#
Tunnel from Ottawa to Boston on virtual router B:
erx1:vrB(config)#interface tunnel ipsec:Bottawa2boston transport-virtual-router default
erx1:vrB(config-if)#tunnel transform-set customerBprotection
erx1:vrB(config-if)#tunnel local-identity subnet 10.1.0.0 255.255.0.0
erx1:vrB(config-if)#tunnel peer-identity subnet 10.3.0.0 255.255.0.0
erx1:vrB(config-if)#tunnel source 5.1.0.2
erx1:vrB(config-if)#tunnel destination 5.3.0.2
erx1:vrB(config-if)#ip address 10.3.0.0 255.255.0.0
erx1:vrB(config-if)#exit
Tunnel from Ottawa to Boca on virtual router B:
erx1:vrB(config)#interface tunnel ipsec:Bottawa2boca transport-virtual-router default
erx1:vrB(config-if)#tunnel transform-set customerBprotection
erx1:vrB(config-if)#tunnel local-identity subnet 10.1.0.0 255.255.0.0
erx1:vrB(config-if)#tunnel peer-identity subnet 10.2.0.0 255.255.0.0
erx1:vrB(config-if)#tunnel source 5.1.0.2
erx1:vrB(config-if)#tunnel destination 5.2.0.2
erx1:vrB(config-if)#ip address 10.2.0.0 255.255.0.0
erx1:vrB(config-if)#exit
- On erx2, create two IPSec tunnels, one to carry customer A's traffic and another to carry customer B's traffic. You must create each pair of tunnels in the virtual routers where the IP interfaces reaching those customers are defined. Create the endpoints for the tunnels in the ISP default virtual router.
erx2(config)#virtual-router vrA
erx2:vrA(config)#
Tunnel from Boca to Ottawa on virtual router A:
erx2:vrA(config)#interface tunnel ipsec:Aboca2ottawa transport-virtual-router default
erx2:vrA(config-if)#tunnel transform-set customerAprotection
erx2:vrA(config-if)#tunnel local-identity subnet 10.2.0.0 255.255.0.0
erx2:vrA(config-if)#tunnel peer-identity subnet 10.1.0.0 255.255.0.0
erx2:vrA(config-if)#tunnel source 5.2.0.1
erx2:vrA(config-if)#tunnel destination 5.1.0.1
erx2:vrA(config-if)#ip address 10.1.0.0 255.255.0.0
erx2:vrA(config-if)#exit
Tunnel from Boca to Boston on virtual router A:
erx2:vrA(config)#interface tunnel ipsec:Aboca2boston transport-virtual-router default
erx2:vrA(config-if)#tunnel transform-set customerAprotection
erx2:vrA(config-if)#tunnel local-identity subnet 10.2.0.0 255.255.0.0
erx2:vrA(config-if)#tunnel peer-identity subnet 10.3.0.0 255.255.0.0
erx2:vrA(config-if)#tunnel source 5.2.0.1
erx2:vrA(config-if)#tunnel destination 5.3.0.1
erx2:vrA(config-if)#ip address 10.3.0.0 255.255.0.0
erx2:vrA(config-if)#exit
erx2(config)#virtual-router vrB
erx2:vrB(config)#
Tunnel from Boca to Ottawa on virtual router B:
erx2:vrB(config)#interface tunnel ipsec:Bboca2ottawa transport-virtual-router default
erx2:vrB(config-if)#tunnel transform-set customerBprotection
erx2:vrB(config-if)#tunnel local-identity subnet 10.2.0.0 255.255.0.0
erx2:vrB(config-if)#tunnel peer-identity subnet 10.1.0.0 255.255.0.0
erx2:vrB(config-if)#tunnel source 5.2.0.2
erx2:vrB(config-if)#tunnel destination 5.1.0.2
erx2:vrB(config-if)#ip address 10.1.0.0 255.255.0.0
erx2:vrB(config-if)#exit
Tunnel from Boca to Boston on virtual router B:
erx2:vrB(config)#interface tunnel ipsec:Bboca2boston transport-virtual-router default
erx2:vrB(config-if)#tunnel transform-set customerBprotection
erx2:vrB(config-if)#tunnel local-identity subnet 10.2.0.0 255.255.0.0
erx2:vrB(config-if)#tunnel peer-identity subnet 10.3.0.0 255.255.0.0
erx2:vrB(config-if)#tunnel source 5.2.0.2
erx2:vrB(config-if)#tunnel destination 5.3.0.2
erx2:vrB(config-if)#ip address 10.3.0.0 255.255.0.0
erx2:vrB(config-if)#exit
- Last, on erx3, create two IPSec tunnels, one to carry customer A's traffic and another to carry customer B's traffic.
erx3(config)#virtual-router vrA
erx3:vrA(config)#
Tunnel from Boston to Ottawa on virtual router A:
erx3:vrA(config)#interface tunnel ipsec:Aboston2ottawa transport-virtual-router default
erx3:vrA(config-if)#tunnel transform-set customerAprotection
erx3:vrA(config-if)#tunnel local-identity subnet 10.3.0.0 255.255.0.0
erx3:vrA(config-if)#tunnel peer-identity subnet 10.1.0.0 255.255.0.0
erx3:vrA(config-if)#tunnel source 5.3.0.1
erx3:vrA(config-if)#tunnel destination 5.1.0.1
erx3:vrA(config-if)#ip address 10.1.0.0 255.255.0.0
erx3:vrA(config-if)#exit
Tunnel from Boston to Boca on virtual router A:
erx3:vrA(config)#interface tunnel ipsec:Aboston2boca transport-virtual-router default
erx3:vrA(config-if)#tunnel transform-set customerAprotection
erx3:vrA(config-if)#tunnel local-identity subnet 10.3.0.0 255.255.0.0
erx3:vrA(config-if)#tunnel peer-identity subnet 10.2.0.0 255.255.0.0
erx3:vrA(config-if)#tunnel source 5.3.0.1
erx3:vrA(config-if)#tunnel destination 5.2.0.1
erx3:vrA(config-if)#ip address 10.1.0.0 255.255.0.0
erx3:vrA(config-if)#exit
erx3(config)#virtual-router vrB
erx3:vrB(config)#
Tunnel from Boston to Ottawa on virtual router B:
erx3:vrB(config)#interface tunnel ipsec:Bboston2ottawa transport-virtual-router default
erx3:vrB(config-if)#tunnel transform-set customerBprotection
erx3:vrB(config-if)#tunnel local-identity subnet 10.3.0.0 255.255.0.0
erx3:vrB(config-if)#tunnel peer-identity subnet 10.1.0.0 255.255.0.0
erx3:vrB(config-if)#tunnel source 5.3.0.1
erx3:vrB(config-if)#tunnel destination 5.1.0.1
erx3:vrB(config-if)#ip address 10.1.0.0 255.255.0.0
erx3:vrB(config-if)#exit
Tunnel from Boston to Boca on virtual router B:
erx3:vrB(config)#interface tunnel ipsec:Bboston2boca transport-virtual-router default
erx3:vrB(config-if)#tunnel transform-set customerBprotection
erx3:vrB(config-if)#tunnel local-identity subnet 10.3.0.0 255.255.0.0
erx3:vrB(config-if)#tunnel peer-identity subnet 10.2.0.0 255.255.0.0
erx3:vrB(config-if)#tunnel source 5.3.0.1
erx3:vrB(config-if)#tunnel destination 5.2.0.1
erx3:vrB(config-if)#ip address 10.2.0.0 255.255.0.0
erx3:vrB(config-if)#exit
The configuration is complete. Customer A's traffic and customer B's traffic can flow through the public, or untrusted, IP network inside a tunnel, where each packet is encrypted and authenticated.