Aggressive mode with RSA signature authentication configuration example

This configuration example is not available when the device is operating in FIPS mode.

Network requirements

As shown in Figure 97, configure an IKE-based IPsec tunnel between Switch A and Switch B to secure the traffic between them.

Configure Switch A and Switch B to use aggressive mode for IKE negotiation phase 1 and use RSA signature authentication.

Figure 97: Network diagram

Configuration procedure

  1. Configure Switch A:

    # Configure an IP address for VLAN-interface 1.

    <SwitchA> system-view
    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] ip address 1.1.1.1 255.255.255.0
    [SwitchA-Vlan-interface1] quit
    

    # Configure ACL 3101 to identify traffic between Switch A and Switch B.

    [SwitchA] acl advanced 3101
    [SwitchA-acl-ipv4-adv-3101] rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
    [SwitchA-acl-ipv4-adv-3101] quit
    

    # Create an IPsec transform set named tran1.

    [SwitchA] ipsec transform-set tran1
    

    # Set the packet encapsulation mode to tunnel.

    [SwitchA-ipsec-transform-set-tran1] encapsulation-mode tunnel
    

    # Use the ESP protocol for the IPsec transform set.

    [SwitchA-ipsec-transform-set-tran1] protocol esp
    

    # Specify the encryption and authentication algorithms. (DES-CBC and HMAC-MD5/MD5 are legacy algorithms kept here to match the example; where both peers support them, prefer AES for ESP encryption and SHA-2 for authentication and fingerprints.)

    [SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
    [SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
    [SwitchA-ipsec-transform-set-tran1] quit
    

    # Create a PKI entity named entity1.

    [SwitchA] pki entity entity1
    

    # Set the common name to switcha for the PKI entity.

    [SwitchA-pki-entity-entity1] common-name switcha
    [SwitchA-pki-entity-entity1] quit
    

    # Create a PKI domain named domain1.

    [SwitchA] pki domain domain1
    

    # Set the certificate request mode to auto and set the password to 123 for certificate revocation.

    [SwitchA-pki-domain-domain1] certificate request mode auto password simple 123
    

    # Set an MD5 fingerprint for verifying the validity of the CA root certificate.

    [SwitchA-pki-domain-domain1] root-certificate fingerprint md5 50c7a2d282ea710a449eede6c56b102e
    

    # Specify the trusted CA 8088.

    [SwitchA-pki-domain-domain1] ca identifier 8088
    

    # Specify the URL of the registration server for certificate request through the SCEP protocol. This example uses http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7.

    [SwitchA-pki-domain-domain1] certificate request url http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7
    

    # Specify the CA to accept certificate requests.

    [SwitchA-pki-domain-domain1] certificate request from ca
    

    # Specify the PKI entity for certificate request as entity1.

    [SwitchA-pki-domain-domain1] certificate request entity entity1
    

    # Specify general-purpose RSA key pair rsa1 for certificate request.

    [SwitchA-pki-domain-domain1] public-key rsa general name rsa1
    [SwitchA-pki-domain-domain1] quit
    

    # Create an IKE profile named profile1.

    [SwitchA] ike profile profile1
    

    # Specify PKI domain domain1 for the IKE profile.

    [SwitchA-ike-profile-profile1] certificate domain domain1
    

    # Specify that IKE negotiation operates in aggressive mode.

    [SwitchA-ike-profile-profile1] exchange-mode aggressive
    

    # Set the local identity to the FQDN www.switcha.com.

    [SwitchA-ike-profile-profile1] local-identity fqdn www.switcha.com
    

    # Match the remote peer by its FQDN identity www.switchb.com.

    [SwitchA-ike-profile-profile1] match remote identity fqdn www.switchb.com
    [SwitchA-ike-profile-profile1] quit
    

    # Create an IKE proposal named 10.

    [SwitchA] ike proposal 10
    

    # Specify the authentication algorithm as HMAC-MD5.

    [SwitchA-ike-proposal-10] authentication-algorithm md5
    

    # Specify the RSA signature authentication method.

    [SwitchA-ike-proposal-10] authentication-method rsa-signature
    [SwitchA-ike-proposal-10] quit
    

    # Create an IKE-based IPsec policy entry. Specify the policy name as map1 and set the sequence number to 10.

    [SwitchA] ipsec policy map1 10 isakmp
    

    # Specify the remote IP address 2.2.2.2 for the IPsec tunnel.

    [SwitchA-ipsec-policy-isakmp-map1-10] remote-address 2.2.2.2
    

    # Specify IPsec transform set tran1 for the IPsec policy.

    [SwitchA-ipsec-policy-isakmp-map1-10] transform-set tran1
    

    # Specify ACL 3101 to identify the traffic to be protected.

    [SwitchA-ipsec-policy-isakmp-map1-10] security acl 3101
    

    # Specify IKE profile profile1 for the IPsec policy.

    [SwitchA-ipsec-policy-isakmp-map1-10] ike-profile profile1
    [SwitchA-ipsec-policy-isakmp-map1-10] quit
    

    # Apply IPsec policy map1 to VLAN-interface 1.

    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] ipsec apply policy map1
    

    # Specify a service module or an Ethernet interface module for forwarding the traffic on the interface.

    [SwitchA-Vlan-interface1] service slot 3
    [SwitchA-Vlan-interface1] quit
    
  2. Configure Switch B:

    # Configure an IP address for VLAN-interface 1.

    <SwitchB> system-view
    [SwitchB] interface vlan-interface 1
    [SwitchB-Vlan-interface1] ip address 2.2.2.2 255.255.255.0
    [SwitchB-Vlan-interface1] quit
    

    # Configure ACL 3101 to identify traffic between Switch B and Switch A.

    [SwitchB] acl advanced 3101
    [SwitchB-acl-ipv4-adv-3101] rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.1 0
    [SwitchB-acl-ipv4-adv-3101] quit
    

    # Create an IPsec transform set named tran1.

    [SwitchB] ipsec transform-set tran1
    

    # Set the packet encapsulation mode to tunnel.

    [SwitchB-ipsec-transform-set-tran1] encapsulation-mode tunnel
    

    # Use the ESP protocol for the IPsec transform set.

    [SwitchB-ipsec-transform-set-tran1] protocol esp
    

    # Specify the encryption and authentication algorithms.

    [SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
    [SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
    [SwitchB-ipsec-transform-set-tran1] quit
    

    # Create a PKI entity named entity2.

    [SwitchB] pki entity entity2
    

    # Set the common name to switchb for the PKI entity.

    [SwitchB-pki-entity-entity2] common-name switchb
    [SwitchB-pki-entity-entity2] quit
    

    # Create a PKI domain named domain2.

    [SwitchB] pki domain domain2
    

    # Set the certificate request mode to auto and set the password to 123 for certificate revocation.

    [SwitchB-pki-domain-domain2] certificate request mode auto password simple 123
    

    # Set an MD5 fingerprint for verifying the validity of the CA root certificate.

    [SwitchB-pki-domain-domain2] root-certificate fingerprint md5 50c7a2d282ea710a449eede6c56b102e
    

    # Specify the trusted CA 8088.

    [SwitchB-pki-domain-domain2] ca identifier 8088
    

    # Specify the URL of the registration server for certificate request through the SCEP protocol. This example uses http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7.

    [SwitchB-pki-domain-domain2] certificate request url http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7
    

    # Specify the CA to accept certificate requests.

    [SwitchB-pki-domain-domain2] certificate request from ca
    

    # Specify the PKI entity for certificate request as entity2.

    [SwitchB-pki-domain-domain2] certificate request entity entity2
    

    # Specify general-purpose RSA key pair rsa1 for certificate request.

    [SwitchB-pki-domain-domain2] public-key rsa general name rsa1
    [SwitchB-pki-domain-domain2] quit
    

    # Create an IKE profile named profile2.

    [SwitchB] ike profile profile2
    

    # Specify PKI domain domain2.

    [SwitchB-ike-profile-profile2] certificate domain domain2
    

    # Set the local identity to the FQDN www.switchb.com.

    [SwitchB-ike-profile-profile2] local-identity fqdn www.switchb.com
    

    # Match the remote peer by its FQDN identity www.switcha.com.

    [SwitchB-ike-profile-profile2] match remote identity fqdn www.switcha.com
    [SwitchB-ike-profile-profile2] quit
    

    # Create an IKE proposal named 10.

    [SwitchB] ike proposal 10
    

    # Specify the authentication algorithm as HMAC-MD5.

    [SwitchB-ike-proposal-10] authentication-algorithm md5
    

    # Specify the RSA signature authentication method.

    [SwitchB-ike-proposal-10] authentication-method rsa-signature
    [SwitchB-ike-proposal-10] quit
    

    # Create an IPsec policy template entry. Specify the template name as template1 and set the sequence number to 1.

    [SwitchB] ipsec policy-template template1 1
    

    # Specify IPsec transform set tran1 for the IPsec policy template.

    [SwitchB-ipsec-policy-template-template1-1] transform-set tran1
    

    # Specify IKE profile profile2 for the IPsec policy template.

    [SwitchB-ipsec-policy-template-template1-1] ike-profile profile2
    [SwitchB-ipsec-policy-template-template1-1] quit
    

    # Create an IKE-based IPsec policy entry by using IPsec policy template template1. Specify the policy name as use1 and set the sequence number to 1.

    [SwitchB] ipsec policy use1 1 isakmp template template1
    

    # Apply IPsec policy use1 to VLAN-interface 1.

    [SwitchB] interface vlan-interface 1
    [SwitchB-Vlan-interface1] ipsec apply policy use1
    

    # Specify a service module or an Ethernet interface module for forwarding the traffic on the interface.

    [SwitchB-Vlan-interface1] service slot 3
    [SwitchB-Vlan-interface1] quit
    

Verifying the configuration

# Initiate a connection from Switch A to Switch B to trigger IKE negotiation, for example by sending traffic that matches ACL 3101 (source 1.1.1.1, destination 2.2.2.2). Because Switch B uses an IPsec policy template, it can only respond to negotiation, so the connection must be initiated from Switch A. After IKE successfully negotiates the IPsec SAs, traffic between the two switches is IPsec protected.
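The following command sequence is an added verification example for this page; it is not part of the original configuration example. It uses Comware display and reset commands to confirm each stage of the procedure above (PKI enrollment, IKE phase 1, IPsec phase 2) on Switch A. The names domain1, map1, profile1 and the addresses 1.1.1.1 and 2.2.2.2 are those configured above; the state descriptions in the comments are what to look for, not captured output.

```text
# Added verification example (not from the original page).

# 1. PKI: with "certificate request mode auto", Switch A should already have
#    retrieved the CA certificate (its MD5 fingerprint is checked against the
#    configured value) and obtained a local certificate for entity1.
<SwitchA> display pki certificate domain domain1 ca
<SwitchA> display pki certificate domain domain1 local

# 2. Trigger IKE negotiation with traffic that matches ACL 3101
#    (source 1.1.1.1, destination 2.2.2.2). Switch B only responds.
<SwitchA> ping -a 1.1.1.1 2.2.2.2

# 3. IKE phase 1: an SA toward remote peer 2.2.2.2 should be listed in the
#    RD (ready) state; the verbose form shows the exchange mode (aggressive),
#    the authentication method (RSA signature) and the matched IKE profile.
<SwitchA> display ike sa
<SwitchA> display ike sa verbose

# 4. IKE phase 2: the IPsec SAs for policy map1, sequence 10, should exist in
#    both the inbound and outbound direction, using ESP with the algorithms
#    from transform set tran1, and the statistics should show protected packets.
<SwitchA> display ipsec sa policy map1 10
<SwitchA> display ipsec statistics

# 5. If negotiation fails after a configuration change, clear the stale IKE
#    SA and repeat step 2 so that a fresh phase 1 exchange is performed.
<SwitchA> reset ike sa
```

Run the same display commands on Switch B (with domain2, profile2 and policy use1) to confirm the mirror state. The most common reasons for a failed exchange in this setup are a CA fingerprint that does not match the configured MD5 value, a local certificate that was never issued, or an IKE identity mismatch between the local-identity on one side and the match remote identity on the other.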