Configuring IPsec for RIPng

Network requirements

As shown in Figure 94, Switch A, Switch B, and Switch C learn IPv6 routes through RIPng.

Establish an IPsec tunnel between the switches to protect the RIPng packets transmitted between them. Specify the security protocol as ESP, the encryption algorithm as 128-bit AES, and the authentication algorithm as HMAC-SHA1 for the IPsec tunnel.

Figure 93: Network diagram

Requirements analysis

To meet the network requirements, perform the following tasks:

  1. Configure basic RIPng.

    For more information about RIPng configurations, see Layer 3—IP Routing Configuration Guide.

  2. Configure an IPsec profile.

    • The IPsec profiles on all the switches must have IPsec transform sets that use the same security protocol, authentication and encryption algorithms, and encapsulation mode.

    • The SPI and key configured for the inbound SA and those for the outbound SA must be the same on each switch.

    • The SPI and key configured for the SAs on all the switches must be the same.

  3. Apply the IPsec profile to a RIPng process or to an interface.

Configuration procedure

  1. Configure Switch A:

    # Configure IPv6 addresses for interfaces. (Details not shown.)

    # Configure basic RIPng.

    <SwitchA> system-view
    [SwitchA] ripng 1
    [SwitchA-ripng-1] quit
    [SwitchA] interface vlan-interface 100
    [SwitchA-Vlan-interface100] ripng 1 enable
    [SwitchA-Vlan-interface100] quit
    

    # Create and configure the IPsec transform set named tran1.

    [SwitchA] ipsec transform-set tran1
    [SwitchA-ipsec-transform-set-tran1] encapsulation-mode transport
    [SwitchA-ipsec-transform-set-tran1] protocol esp
    [SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
    [SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
    [SwitchA-ipsec-transform-set-tran1] quit
    

    # Create and configure the IPsec profile named profile001.

    [SwitchA] ipsec profile profile001 manual
    [SwitchA-ipsec-profile-profile001] transform-set tran1
    [SwitchA-ipsec-profile-profile001] sa spi outbound esp 123456
    [SwitchA-ipsec-profile-profile001] sa spi inbound esp 123456
    [SwitchA-ipsec-profile-profile001] sa string-key outbound esp simple abcdefg
    [SwitchA-ipsec-profile-profile001] sa string-key inbound esp simple abcdefg
    [SwitchA-ipsec-profile-profile001] quit
    

    # Apply the IPsec profile to RIPng process 1.

    [SwitchA] ripng 1
    [SwitchA-ripng-1] enable ipsec-profile profile001
    [SwitchA-ripng-1] quit
    
  2. Configure Switch B:

    # Configure IPv6 addresses for interfaces. (Details not shown.)

    # Configure basic RIPng.

    <SwitchB> system-view
    [SwitchB] ripng 1
    [SwitchB-ripng-1] quit
    [SwitchB] interface vlan-interface 200
    [SwitchB-Vlan-interface200] ripng 1 enable
    [SwitchB-Vlan-interface200] quit
    [SwitchB] interface vlan-interface 100
    [SwitchB-Vlan-interface100] ripng 1 enable
    [SwitchB-Vlan-interface100] quit
    

    # Create and configure the IPsec transform set named tran1.

    [SwitchB] ipsec transform-set tran1
    [SwitchB-ipsec-transform-set-tran1] encapsulation-mode transport
    [SwitchB-ipsec-transform-set-tran1] protocol esp
    [SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
    [SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
    [SwitchB-ipsec-transform-set-tran1] quit
    

    # Create and configure the IPsec profile named profile001.

    [SwitchB] ipsec profile profile001 manual
    [SwitchB-ipsec-profile-profile001] transform-set tran1
    [SwitchB-ipsec-profile-profile001] sa spi outbound esp 123456
    [SwitchB-ipsec-profile-profile001] sa spi inbound esp 123456
    [SwitchB-ipsec-profile-profile001] sa string-key outbound esp simple abcdefg
    [SwitchB-ipsec-profile-profile001] sa string-key inbound esp simple abcdefg
    [SwitchB-ipsec-profile-profile001] quit
    

    # Apply the IPsec profile to RIPng process 1.

    [SwitchB] ripng 1
    [SwitchB-ripng-1] enable ipsec-profile profile001
    [SwitchB-ripng-1] quit
    
  3. Configure Switch C:

    # Configure IPv6 addresses for interfaces. (Details not shown.)

    # Configure basic RIPng.

    <SwitchC> system-view
    [SwitchC] ripng 1
    [SwitchC-ripng-1] quit
    [SwitchC] interface vlan-interface 200
    [SwitchC-Vlan-interface200] ripng 1 enable
    [SwitchC-Vlan-interface200] quit
    

    # Create and configure the IPsec transform set named tran1.

    [SwitchC] ipsec transform-set tran1
    [SwitchC-ipsec-transform-set-tran1] encapsulation-mode transport
    [SwitchC-ipsec-transform-set-tran1] protocol esp
    [SwitchC-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
    [SwitchC-ipsec-transform-set-tran1] esp authentication-algorithm sha1
    [SwitchC-ipsec-transform-set-tran1] quit
    

    # Create and configure the IPsec profile named profile001.

    [SwitchC] ipsec profile profile001 manual
    [SwitchC-ipsec-profile-profile001] transform-set tran1
    [SwitchC-ipsec-profile-profile001] sa spi outbound esp 123456
    [SwitchC-ipsec-profile-profile001] sa spi inbound esp 123456
    [SwitchC-ipsec-profile-profile001] sa string-key outbound esp simple abcdefg
    [SwitchC-ipsec-profile-profile001] sa string-key inbound esp simple abcdefg
    [SwitchC-ipsec-profile-profile001] quit
    

    # Apply the IPsec profile to RIPng process 1.

    [SwitchC] ripng 1
    [SwitchC-ripng-1] enable ipsec-profile profile001
    [SwitchC-ripng-1] quit
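The three rules in the requirements analysis (same transform-set parameters everywhere, matching inbound/outbound SPI and key on each switch, same SPI and key on all switches) are easy to break when the same profile is typed on several switches by hand, and a mismatch only shows up as RIPng neighbours silently disappearing. The following Python script is an added example, not part of the configuration guide or the switch software: it parses the ipsec transform-set and ipsec profile commands in the form used in the procedure above, taken from constructed copies of the Switch A, Switch B and Switch C snippets, and reports which rule a drifted switch violates. The switch_config template, the check_consistency function and its message texts are assumptions of this example; only the command lines shown on this page are recognised.

```python
"""Consistency check for the manual IPsec profile that protects RIPng.

Added example, not from the configuration guide or the switch software.
Only the ipsec transform-set / ipsec profile command lines shown on the page
are recognised (assumption of this example).
"""
import re
from dataclasses import dataclass, field

PROMPT = re.compile(r"^\[[^\]]*\]\s*")   # strips e.g. "[SwitchA-ipsec-profile-profile001] "


@dataclass
class TransformSet:
    name: str
    encapsulation: str = ""
    protocol: str = ""
    encryption: str = ""
    authentication: str = ""


@dataclass
class Profile:
    name: str
    transform_set: str = ""
    spi: dict = field(default_factory=dict)   # direction -> SPI string
    key: dict = field(default_factory=dict)   # direction -> key string


def parse_config(text):
    """Extract transform sets and manual IPsec profiles from one switch's CLI session."""
    tsets, profiles, view = {}, {}, None
    for raw in text.splitlines():
        tokens = PROMPT.sub("", raw.strip()).split()
        if not tokens:
            continue
        if tokens[:2] == ["ipsec", "transform-set"]:
            view = tsets.setdefault(tokens[2], TransformSet(tokens[2]))
        elif tokens[:2] == ["ipsec", "profile"]:
            view = profiles.setdefault(tokens[2], Profile(tokens[2]))
        elif tokens[0] == "quit":
            view = None
        elif isinstance(view, TransformSet):
            if tokens[0] == "encapsulation-mode":
                view.encapsulation = tokens[1]
            elif tokens[0] == "protocol":
                view.protocol = tokens[1]
            elif tokens[:2] == ["esp", "encryption-algorithm"]:
                view.encryption = tokens[2]
            elif tokens[:2] == ["esp", "authentication-algorithm"]:
                view.authentication = tokens[2]
        elif isinstance(view, Profile):
            if tokens[0] == "transform-set":
                view.transform_set = tokens[1]
            elif tokens[:2] == ["sa", "spi"]:           # sa spi <dir> esp <spi>
                view.spi[tokens[2]] = tokens[-1]
            elif tokens[:2] == ["sa", "string-key"]:    # sa string-key <dir> esp simple <key>
                view.key[tokens[2]] = tokens[-1]
    return tsets, profiles


def check_consistency(configs, profile_name):
    """Return rule violations for {switch: config_text}; [] means all switches agree.

    Messages name the rule and the switch but never echo key material.
    """
    problems, params, sas = [], {}, {}
    for switch, text in configs.items():
        tsets, profiles = parse_config(text)
        prof = profiles.get(profile_name)
        tset = tsets.get(prof.transform_set) if prof else None
        if prof is None or tset is None:
            problems.append(f"{switch}: profile {profile_name} or its transform set is missing")
            continue
        params[switch] = (tset.protocol, tset.encryption, tset.authentication, tset.encapsulation)
        # Rule 2: inbound and outbound SPI/key must match on each switch.
        for what, values in (("SPI", prof.spi), ("key", prof.key)):
            if values.get("inbound") != values.get("outbound"):
                problems.append(f"rule 2: {switch} inbound/outbound {what} differ")
        sas[switch] = (prof.spi.get("inbound"), prof.key.get("inbound"))
    # Rule 1 and rule 3: every switch must use the same parameters and the same SPI/key.
    if len(set(params.values())) > 1:
        problems.append("rule 1: transform-set parameters differ across switches")
    if len(set(sas.values())) > 1:
        problems.append("rule 3: SPI/key differ across switches")
    return problems


def switch_config(name, auth="sha1", spi="123456", key_in="abcdefg", key_out="abcdefg"):
    """Constructed sample: the IPsec part of the procedure for one switch, with tweakable values."""
    return f"""\
[{name}] ipsec transform-set tran1
[{name}-ipsec-transform-set-tran1] encapsulation-mode transport
[{name}-ipsec-transform-set-tran1] protocol esp
[{name}-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[{name}-ipsec-transform-set-tran1] esp authentication-algorithm {auth}
[{name}-ipsec-transform-set-tran1] quit
[{name}] ipsec profile profile001 manual
[{name}-ipsec-profile-profile001] transform-set tran1
[{name}-ipsec-profile-profile001] sa spi outbound esp {spi}
[{name}-ipsec-profile-profile001] sa spi inbound esp {spi}
[{name}-ipsec-profile-profile001] sa string-key outbound esp simple {key_out}
[{name}-ipsec-profile-profile001] sa string-key inbound esp simple {key_in}
[{name}-ipsec-profile-profile001] quit
"""


# Constructed copies of the three switch snippets from the procedure (all identical by design).
CONFIGS = {name: switch_config(name) for name in ("SwitchA", "SwitchB", "SwitchC")}
```

Calling check_consistency(CONFIGS, "profile001") returns an empty list for the configuration above; replacing one entry with switch_config("SwitchC", key_in="zzzzzzz", key_out="zzzzzzz") produces a single rule 3 message. Because the keys are entered with the simple keyword, the script compares them but deliberately keeps them out of its messages, so its output can be logged or attached to a change ticket.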
    

Verifying the configuration

After the configuration is completed, Switch A, Switch B, and Switch C learn IPv6 routing information through RIPng. IPsec SAs are set up successfully on the switches to protect RIPng packets. This example uses Switch A to verify the configuration.

# Use the display ripng command to display the RIPng configuration. The output shows that IPsec profile profile001 has been applied to RIPng process 1.

[SwitchA] display ripng 1
    RIPng process : 1
       Preference : 100
       Checkzero : Enabled
       Default Cost : 0
       Maximum number of balanced paths : 8
       Update time   :   30 sec(s)  Timeout time         :  180 sec(s)
       Suppress time :  120 sec(s)  Garbage-Collect time :  120 sec(s)
       Number of periodic updates sent : 186
       Number of trigger updates sent : 1
       IPsec profile name: profile001

# Use the display ipsec sa command to display the established IPsec SAs.

[SwitchA] display ipsec sa
-------------------------------
Global IPsec SA
-------------------------------

  -----------------------------
  IPsec profile: profile001
  Mode: Manual
  -----------------------------
    Encapsulation mode: transport
    [Inbound ESP SA]
      SPI: 123456 (0x3039)
      Connection ID: 1
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      No duration limit for this SA
    [Outbound ESP SA]
      SPI: 123456 (0x3039)
      Connection ID: 2
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      No duration limit for this SA
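Reading this output by eye works for one switch; to repeat the check on Switch B and Switch C, or after every change, it helps to parse it. The following Python is an added example, not from the configuration guide or the switch software: it parses display ipsec sa output in the layout shown above and compares the live SAs with the intended SPI, transform set and encapsulation mode, flagging a missing direction (which would silently drop RIPng traffic one way). SAMPLE_OUTPUT is a constructed copy of the Switch A output; parse_ipsec_sa and verify_profile are names chosen for this example.

```python
"""Parse "display ipsec sa" output and check it against the intended manual-SA settings.

Added example, not from the configuration guide or the switch software. The
sample output is a constructed copy of the Switch A output shown on the page.
"""
import re

SAMPLE_OUTPUT = """\
-------------------------------
Global IPsec SA
-------------------------------

  -----------------------------
  IPsec profile: profile001
  Mode: Manual
  -----------------------------
    Encapsulation mode: transport
    [Inbound ESP SA]
      SPI: 123456 (0x3039)
      Connection ID: 1
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      No duration limit for this SA
    [Outbound ESP SA]
      SPI: 123456 (0x3039)
      Connection ID: 2
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      No duration limit for this SA
"""

SA_HEADER = re.compile(r"\[(Inbound|Outbound) ESP SA\]")


def parse_ipsec_sa(output):
    """Return {profile: {"mode": .., "encapsulation": .., "sas": {direction: {field: value}}}}."""
    profiles, prof, sa = {}, None, None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("IPsec profile:"):
            prof = profiles.setdefault(line.split(":", 1)[1].strip(), {"sas": {}})
            sa = None
        elif prof is None:
            continue                        # still in the "Global IPsec SA" banner
        elif line.startswith("Mode:"):
            prof["mode"] = line.split(":", 1)[1].strip()
        elif line.startswith("Encapsulation mode:"):
            prof["encapsulation"] = line.split(":", 1)[1].strip()
        elif SA_HEADER.match(line):
            sa = prof["sas"].setdefault(SA_HEADER.match(line).group(1), {})
        elif sa is not None and ":" in line:
            name, value = (part.strip() for part in line.split(":", 1))
            sa[name] = value                # e.g. sa["SPI"] = "123456 (0x3039)"
    return profiles


def verify_profile(output, profile, spi, transform, encapsulation="transport"):
    """Return the mismatches between the live SAs and the intended settings ([] means OK)."""
    info = parse_ipsec_sa(output).get(profile)
    if info is None:
        return [f"profile {profile}: no SAs present"]
    problems = []
    if info.get("encapsulation") != encapsulation:
        problems.append(f"encapsulation {info.get('encapsulation')} != expected {encapsulation}")
    for direction in ("Inbound", "Outbound"):
        sa = info["sas"].get(direction)
        if sa is None:
            problems.append(f"{direction} SA missing")   # traffic in that direction is not protected
            continue
        live_spi = int(sa.get("SPI", "0").split()[0])    # "123456 (0x3039)" -> 123456
        if live_spi != spi:
            problems.append(f"{direction} SA: SPI {live_spi} != expected {spi}")
        if set(sa.get("Transform set", "").split()) != set(transform):
            problems.append(f"{direction} SA: transform set {sa.get('Transform set')} "
                            f"!= expected {' '.join(transform)}")
    return problems
```

verify_profile(SAMPLE_OUTPUT, "profile001", 123456, ["ESP-ENCRYPT-AES-CBC-128", "ESP-AUTH-SHA1"]) returns an empty list for the output above; feeding it the output of each switch in turn gives a per-switch pass/fail that can be kept with the change record.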