[x]

IPsec configuration examples > Configuring an IKE-based IPsec tunnel for IPv6 packets

 

 Next

Configuring an IKE-based IPsec tunnel for IPv6 packets

Network requirements

As shown in Figure 135, establish an IPsec tunnel between Router A and Router B to protect data flows between subnet 333::/64 and subnet 555::/64. Configure the IPsec tunnel as follows:

Figure 130: Network diagram

Configuration procedure

  1. Configure Router A:

    # Configure IPv6 addresses for interfaces. (Details not shown.)

    # Configure an IPv6 advanced ACL to identify data flows from subnet 333::/64 to subnet 555::/64.

    <RouterA> system-view
[RouterA] acl ipv6 advanced 3101
[RouterA-acl-ipv6-adv-3101] rule permit ipv6 source 333::0 64 destination 555::0 64
[RouterA-acl-ipv6-adv-3101] quit

    # Configure a static route to Host B. The command uses the direct next hop address (111::2) as an example.

    [RouterA] ipv6 route-static 555::0 64 111::2

    # Create an IPsec transform set named tran1.

    [RouterA] ipsec transform-set tran1

    # Specify the encapsulation mode as tunnel.

    [RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel

    # Specify the security protocol as ESP.

    [RouterA-ipsec-transform-set-tran1] protocol esp

    # Specify the ESP encryption and authentication algorithms.

    [RouterA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] quit

    # Create and configure the IKE keychain named keychain1.

    [RouterA] ike keychain keychain1
[RouterA-ike-keychain-keychain1] pre-shared-key address ipv6 222::1 64 key simple 123456TESTplat&!
[RouterA-ike-keychain-keychain1] quit

    # Create and configure the IKE profile named profile1.

    [RouterA] ike profile profile1
[RouterA-ike-profile-profile1] keychain keychain1
[RouterA-ike-profile-profile1] match remote identity address ipv6 222::1 64
[RouterA-ike-profile-profile1] quit

    # Create an IKE-based IPsec policy entry. Specify the policy name as map1 and set the sequence number to 10.

    [RouterA] ipsec ipv6-policy map1 10 isakmp

    # Apply IPv6 ACL 3101.

    [RouterA-ipsec-ipv6-policy-isakmp-map1-10] security acl ipv6 3101

    # Apply the IPsec transform set tran1.

    [RouterA-ipsec-ipv6-policy-isakmp-map1-10] transform-set tran1

    # Specify the local and remote IPv6 addresses of the IPsec tunnel as 111::1 and 222::1.

    [RouterA-ipsec-ipv6-policy-isakmp-map1-10] local-address ipv6 111::1
[RouterA-ipsec-ipv6-policy-isakmp-map1-10] remote-address ipv6 222::1

    # Apply the IKE profile profile1.

    [RouterA-ipsec-ipv6-policy-isakmp-map1-10] ike-profile profile1
[RouterA-ipsec-ipv6-policy-isakmp-map1-10] quit

    # Apply the IPsec policy map1 to interface GigabitEthernet 2/0/2.

    [RouterA] interface gigabitethernet 2/0/2
[RouterA-GigabitEthernet2/0/2] ipv6 address 111::1/64 
[RouterA-GigabitEthernet2/0/2] ipsec apply ipv6-policy map1
[RouterA-GigabitEthernet2/0/2] quit

  2. Configure Router B:

    # Configure IPv6 addresses for interfaces. (Details not shown.)

    # Configure an IPv6 advanced ACL to identify data flows from subnet 555::/64 to subnet 333::/64.

    <RouterB> system-view
[RouterB] acl ipv6 advanced 3101
[RouterB-acl-ipv6-adv-3101] rule permit ipv6 source 555::/64 destination 333::/64
[RouterB-acl-ipv6-adv-3101] quit

    # Configure a static route to Host A. The command uses the direct next hop address (222::2) as an example.

    [RouterB] ipv6 route-static 333::0 64 222::2

    # Create an IPsec transform set named tran1.

    [RouterB] ipsec transform-set tran1

    # Specify the encapsulation mode as tunnel.

    [RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel

    # Specify the security protocol as ESP.

    [RouterB-ipsec-transform-set-tran1] protocol esp

    # Specify the ESP encryption and authentication algorithms.

    [RouterB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran1] quit

    # Create and configure the IKE keychain named keychain1.

    [RouterB] ike keychain keychain1
[RouterB-ike-keychain-keychain1] pre-shared-key address ipv6 111::1 64 key simple 123456TESTplat&!
[RouterB-ike-keychain-keychain1] quit

    # Create and configure the IKE profile named profile1.

    [RouterB] ike profile profile1
[RouterB-ike-profile-profile1] keychain keychain1
[RouterB-ike-profile-profile1] match remote identity address ipv6 111::1 64
[RouterB-ike-profile-profile1] quit

    # Create an IKE-based IPsec policy entry. Specify the policy name as use1 and set the sequence number to 10.

    [RouterB] ipsec ipv6-policy use1 10 isakmp

    # Apply ACL 3101.

    [RouterB-ipsec-ipv6-policy-isakmp-use1-10] security acl ipv6 3101

    # Apply the IPsec transform set tran1.

    [RouterB-ipsec-ipv6-policy-isakmp-use1-10] transform-set tran1

    # Specify the local and remote IPv6 addresses of the IPsec tunnel as 222::1 and 111::1.

    [RouterB-ipsec-ipv6-policy-isakmp-use1-10] local-address ipv6 222::1
[RouterB-ipsec-ipv6-policy-isakmp-use1-10] remote-address ipv6 111::1

    # Apply the IKE profile profile1.

    [RouterB-ipsec-ipv6-policy-isakmp-use1-10] ike-profile profile1
[RouterB-ipsec-ipv6-policy-isakmp-use1-10] quit

    # Apply the IPsec policy use1 to interface GigabitEthernet 2/0/2.

    [RouterB] interface gigabitethernet 2/0/2
[RouterB-GigabitEthernet2/0/2] ipv6 address 222::1/64
[RouterB-GigabitEthernet2/0/2] ipsec apply ipv6-policy use1
[RouterB-GigabitEthernet2/0/2] quit

Verifying the configuration

# Initiate a connection from subnet 333::/64 to subnet 555::/64 to trigger IKE negotiation. After IPsec SAs are successfully negotiated by IKE, the traffic between the two subnets is IPsec protected.

# Use the display ipsec sa command to display IPsec SAs on Router A and Router B. This example uses Router A to verify the configuration.

[RouterA] display ipsec sa
-------------------------------
Interface: GigabitEthernet2/0/2
-------------------------------

  -----------------------------
  IPsec policy: map1
  Sequence number: 10
  Mode: ISAKMP
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect Forward Secrecy:
    Inside VRF:
    Path MTU: 1423
    Tunnel:
        local  address: 111::1
        remote address: 222::1
    Flow:
    sour addr: 111::1/0      port: 0  protocol: ipv6
    dest addr: 222::1/0      port: 0  protocol: ipv6

    [Inbound ESP SAs]
      SPI: 3769702703 (0xe0b1192f)
      Connection ID: 1
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 3000/28800
      SA remaining duration (kilobytes/sec): 2300/797
      Max received sequence-number: 1
      Anti-replay check enable: N
      Anti-replay window size: 
      UDP encapsulation used for NAT traversal: N
      Status: Active

    [Outbound ESP SAs]
      SPI: 3840956402 (0xe4f057f2)
      Connection ID: 2
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 3000/28800
      SA remaining duration (kilobytes/sec): 2312/797
      Max sent sequence-number: 1
      UDP encapsulation used for NAT traversal: N
      Status: Active

prev

 

up

 next

Configuring an IKE-based IPsec tunnel for IPv4 packets 

home

 Configuring IPsec for RIPng

© Copyright 2017 Hewlett Packard Enterprise Development LP