Configuring IPsec for RIPng

Network requirements

As shown in Figure 136, Router A, Router B, and Router C learn IPv6 routes through RIPng.

Establish an IPsec tunnel between the routers to protect the RIPng packets transmitted in between. Specify the security protocol as ESP, the encryption algorithm as 128-bit AES, and the authentication algorithm as HMAC-SHA1 for the IPsec tunnel.

Figure 131: Network diagram

Requirements analysis

To meet the network requirements, perform the following tasks:

  1. Configure basic RIPng.

    For more information about RIPng configuration, see Layer 3—IP Routing Configuration Guide.

  2. Configure an IPsec profile.

    • The IPsec profiles on all the routers must have IPsec transform sets that use the same security protocol, authentication and encryption algorithms, and encapsulation mode.

    • The SPI and key configured for the inbound SA and those for the outbound SA must be the same on each router.

    • The SPI and key configured for the SAs on all the routers must be the same.

  3. Apply the IPsec profile to a RIPng process or to an interface.
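
The consistency rules in step 2 can be checked offline before the profiles are applied. The following Python script is an added example, not part of the vendor procedure: it parses the transform-set and manual-profile lines used in this example and reports every router that breaks one of the rules. It assumes one transform set and one manual profile per router, and the names parse, check, and CONFIGS are illustrative.

```python
import re

# Constructed input: this page's transform-set and profile lines, prompts stripped.
BASE = """\
ipsec transform-set tran1
 encapsulation-mode transport
 protocol esp
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
ipsec profile profile001 manual
 transform-set tran1
 sa spi outbound esp 123456
 sa spi inbound esp 123456
 sa string-key outbound esp simple abcdefg
 sa string-key inbound esp simple abcdefg
"""
CONFIGS = {"RouterA": BASE, "RouterB": BASE, "RouterC": BASE}
TRANSFORM = ("encapsulation-mode", "protocol",
             "esp encryption-algorithm", "esp authentication-algorithm")
SA_LINE = re.compile(r"sa (spi|string-key) (inbound|outbound) esp (?:simple )?(\S+)")

def parse(cfg):
    """Collect transform-set parameters and the per-direction SPI and key."""
    out = {"transform": {}, "spi": {}, "string-key": {}}
    for line in map(str.strip, cfg.splitlines()):
        for k in TRANSFORM:
            if line.startswith(k + " "):
                out["transform"][k] = line[len(k) + 1:]
        if m := SA_LINE.fullmatch(line):  # cipher-form keys are not compared
            out[m.group(1)][m.group(2)] = m.group(3)
    return out

def check(configs):
    """Return violations of the profile requirements; key values are never echoed."""
    parsed = {name: parse(cfg) for name, cfg in configs.items()}
    ref_name, ref = next(iter(parsed.items()))
    problems = []
    for name, p in parsed.items():
        for field in ("spi", "string-key"):
            if set(v := p[field]) != {"inbound", "outbound"}:
                problems.append(f"{name}: {field} not set for both directions")
            elif v["inbound"] != v["outbound"]:
                problems.append(f"{name}: inbound and outbound {field} differ")
        for field in ("transform", "spi", "string-key"):
            if p[field] != ref[field]:
                problems.append(f"{name}: {field} differs from {ref_name}")
    return problems

if __name__ == "__main__":
    print(check(CONFIGS) or "all routers consistent")
```

The first router in the dictionary is the reference for the cross-router comparison, so a mistake on that router is reported against every other router.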

Configuration procedure

  1. Configure Router A:

    # Configure IPv6 addresses for interfaces. (Details not shown.)

    # Configure basic RIPng.

    <RouterA> system-view
    [RouterA] ripng 1
    [RouterA-ripng-1] quit
    [RouterA] interface gigabitethernet 2/0/1
    [RouterA-GigabitEthernet2/0/1] ripng 1 enable
    [RouterA-GigabitEthernet2/0/1] quit
    

    # Create and configure the IPsec transform set named tran1.

    [RouterA] ipsec transform-set tran1
    [RouterA-ipsec-transform-set-tran1] encapsulation-mode transport
    [RouterA-ipsec-transform-set-tran1] protocol esp
    [RouterA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
    [RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
    [RouterA-ipsec-transform-set-tran1] quit
    

    # Create and configure the IPsec profile named profile001.

    [RouterA] ipsec profile profile001 manual
    [RouterA-ipsec-profile-manual-profile001] transform-set tran1
    [RouterA-ipsec-profile-manual-profile001] sa spi outbound esp 123456
    [RouterA-ipsec-profile-manual-profile001] sa spi inbound esp 123456
    [RouterA-ipsec-profile-manual-profile001] sa string-key outbound esp simple abcdefg
    [RouterA-ipsec-profile-manual-profile001] sa string-key inbound esp simple abcdefg
    [RouterA-ipsec-profile-manual-profile001] quit
    

    # Apply the IPsec profile to RIPng process 1.

    [RouterA] ripng 1
    [RouterA-ripng-1] enable ipsec-profile profile001
    [RouterA-ripng-1] quit
    
  2. Configure Router B:

    # Configure IPv6 addresses for interfaces. (Details not shown.)

    # Configure basic RIPng.

    <RouterB> system-view
    [RouterB] ripng 1
    [RouterB-ripng-1] quit
    [RouterB] interface gigabitethernet 2/0/1
    [RouterB-GigabitEthernet2/0/1] ripng 1 enable
    [RouterB-GigabitEthernet2/0/1] quit
    [RouterB] interface gigabitethernet 2/0/2
    [RouterB-GigabitEthernet2/0/2] ripng 1 enable
    [RouterB-GigabitEthernet2/0/2] quit
    

    # Create and configure the IPsec transform set named tran1.

    [RouterB] ipsec transform-set tran1
    [RouterB-ipsec-transform-set-tran1] encapsulation-mode transport
    [RouterB-ipsec-transform-set-tran1] protocol esp
    [RouterB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
    [RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
    [RouterB-ipsec-transform-set-tran1] quit
    

    # Create and configure the IPsec profile named profile001.

    [RouterB] ipsec profile profile001 manual
    [RouterB-ipsec-profile-manual-profile001] transform-set tran1
    [RouterB-ipsec-profile-manual-profile001] sa spi outbound esp 123456
    [RouterB-ipsec-profile-manual-profile001] sa spi inbound esp 123456
    [RouterB-ipsec-profile-manual-profile001] sa string-key outbound esp simple abcdefg
    [RouterB-ipsec-profile-manual-profile001] sa string-key inbound esp simple abcdefg
    [RouterB-ipsec-profile-manual-profile001] quit
    

    # Apply the IPsec profile to RIPng process 1.

    [RouterB] ripng 1
    [RouterB-ripng-1] enable ipsec-profile profile001
    [RouterB-ripng-1] quit
    
  3. Configure Router C:

    # Configure IPv6 addresses for interfaces. (Details not shown.)

    # Configure basic RIPng.

    <RouterC> system-view
    [RouterC] ripng 1
    [RouterC-ripng-1] quit
    [RouterC] interface gigabitethernet 2/0/1
    [RouterC-GigabitEthernet2/0/1] ripng 1 enable
    [RouterC-GigabitEthernet2/0/1] quit
    

    # Create and configure the IPsec transform set named tran1.

    [RouterC] ipsec transform-set tran1
    [RouterC-ipsec-transform-set-tran1] encapsulation-mode transport
    [RouterC-ipsec-transform-set-tran1] protocol esp
    [RouterC-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
    [RouterC-ipsec-transform-set-tran1] esp authentication-algorithm sha1
    [RouterC-ipsec-transform-set-tran1] quit
    

    # Create and configure the IPsec profile named profile001.

    [RouterC] ipsec profile profile001 manual
    [RouterC-ipsec-profile-manual-profile001] transform-set tran1
    [RouterC-ipsec-profile-manual-profile001] sa spi outbound esp 123456
    [RouterC-ipsec-profile-manual-profile001] sa spi inbound esp 123456
    [RouterC-ipsec-profile-manual-profile001] sa string-key outbound esp simple abcdefg
    [RouterC-ipsec-profile-manual-profile001] sa string-key inbound esp simple abcdefg
    [RouterC-ipsec-profile-manual-profile001] quit
    

    # Apply the IPsec profile to RIPng process 1.

    [RouterC] ripng 1
    [RouterC-ripng-1] enable ipsec-profile profile001
    [RouterC-ripng-1] quit
    

Verifying the configuration

After the configuration is completed, Router A, Router B, and Router C learn IPv6 routing information through RIPng. IPsec SAs are set up successfully on the routers to protect RIPng packets. This example uses Router A to verify the configuration.

# Use the display ripng command to display the RIPng configuration. The output shows that the IPsec profile profile001 has been applied to RIPng process 1.

[RouterA] display ripng 1
    RIPng process : 1
       Preference : 100
       Checkzero : Enabled
       Default Cost : 0
       Maximum number of balanced paths : 8
       Update time   :   30 sec(s)  Timeout time         :  180 sec(s)
       Suppress time :  120 sec(s)  Garbage-Collect time :  120 sec(s)
       Number of periodic updates sent : 186
       Number of trigger updates sent : 1
       IPsec profile name: profile001

# Use the display ipsec sa command to display the established IPsec SAs.

[RouterA] display ipsec sa
-------------------------------
Global IPsec SA
-------------------------------

  -----------------------------
  IPsec profile: profile001
  Mode: Manual
  -----------------------------
    Encapsulation mode: transport
    [Inbound ESP SA]
      SPI: 123456 (0x3039)
      Connection ID: 1
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      No duration limit for this SA
    [Outbound ESP SA]
      SPI: 123456 (0x3039)
      Connection ID: 2
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      No duration limit for this SA