3Com Router User Manual
Page 581
IPSec Configuration Example 577

Displaying and Debugging the Crypto Card

Use the debugging, reset and display commands in all views.

Table 655 Display and Debug NDEC Card

IPSec Configuration Example

The following sections demonstrate the following IPSec configurations:
■ Creating an SA Manually
■ Creating an SA in IKE Negotiation Mode
■ Encrypting, Decrypting, and Authenticating NDEC Cards

Creating an SA Manually

Establish a security tunnel between Router-A and Router-B to perform security protection for...
Page 582
578 CHAPTER 40: CONFIGURING IPSEC

Figure 174 Networking diagram of manually creating an SA

Prior to the configuration, you should ensure that Router A and Router B can interwork at the network layer through a serial interface.

1 Configure Router A:

a Configure an access list and define the data stream from Subnet 10.1.1.x to Subnet 10.1.2.x.

    [RouterA] acl 101 permit
    [RouterA-acl-101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [RouterA-acl-101] rule deny ip source any...
Page 583
l Apply the security policy group on the serial interface.

    [RouterA] interface serial 0
    [RouterA-Serial0] ipsec policy policy1
    [RouterA-Serial0] ip address 202.38.163.1 255.255.255.0

m Configure the route.

    [RouterA] ip route-static 10.1.2.0 255.255.255.0 202.38.162.1

2 Configure Router B:

a Configure an access list and define the data stream from Subnet 10.1.2.x to Subnet 10.1.1.x.

    [RouterB] acl 101
    [RouterB-acl-101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0...
Page 584
    [RouterB-Serial0] ipsec policy use1
    [RouterB-Serial0] ip address 202.38.162.1 255.255.255.0

o Configure the route.

    [RouterB] ip route-static 10.1.1.0 255.255.255.0 202.38.163.1

After the configuration is complete and the security tunnel between Router A and Router B is established, the data stream between Subnet 10.1.1.x and Subnet 10.1.2.x will be transmitted with encryption.

Creating an SA in IKE Negotiation Mode

Establish a security tunnel between Router A and Router...
Page 585
    [RouterA] interface serial 0

l Configure the IP address of the serial interface.

    [RouterA-Serial0] ip address 202.38.163.1 255.255.255.0

m Apply the security policy group on the serial interface.

    [RouterA-Serial0] ipsec policy policy1

n Configure the route.

    [RouterA] ip route-static 10.1.2.0 255.255.255.0 202.38.162.1

o Configure the corresponding IKE pre-shared key.

    [RouterA] ike pre-shared-key abcde remote 202.38.162.1

2 Configure Router B:

a Configure an access list and define the data stream from Subnet...
Page 586
m Configure the corresponding IKE pre-shared key.

    [RouterB] ike pre-shared-key abcde remote 202.38.163.1

After the above configurations are completed, when messages between Subnet 10.1.1.x and Subnet 10.1.2.x are transmitted between Router-A and Router-B, IKE will be triggered to negotiate and establish the SA. After IKE negotiates successfully and the SA is established, the data stream between Subnet 10.1.1.x and Subnet 10.1.2.x will be transmitted with encryption.

Encrypting, Decrypting, and...
Page 587
    [RouterA-ipsec-policy-policy1-10] security acl 101

i Set the remote address.

    [RouterA-ipsec-policy-policy1-10] tunnel remote 202.38.162.1

j Set the local address.

    [RouterA-ipsec-policy-policy1-10] tunnel local 202.38.163.1

k Quote the IPSec proposal.

    [RouterA-ipsec-policy-policy1-10] proposal tran1

l Set the SPI.

    [RouterA-ipsec-policy-policy1-10] sa outbound esp spi 12345
    [RouterA-ipsec-policy-policy1-10] sa inbound esp spi 54321

m Set the encryption key.

    [RouterA-ipsec-policy-policy1-10] sa...
Page 588
    [RouterB-ipsec-card-proposal-tran1] esp-new authentication-algorithm sha1-hmac-96

f Return to system view.

    [RouterB-ipsec-card-proposal-tran1] quit

g Establish a security policy in manual configuration mode.

    [RouterB] ipsec policy map1 10 manual

h Quote the access list.

    [RouterB-ipsec-policy-map1-10] security acl 100

i Set the remote address.

    [RouterB-ipsec-policy-map1-10] tunnel remote 202.38.163.1

j Set the local address.

    [RouterB-ipsec-policy-map1-10] tunnel local 202.38.162.1...
Page 589
Troubleshooting IPSec 585

Do the following:
■ Check the seating of the crypto card to confirm that it was plugged in correctly. Under normal conditions, the "run" indicator of the crypto card blinks regularly (one second on, one second off).
■ Use the display encrypt-card version command to check the crypto card status. Under normal conditions it displays the card and version information of the crypto card. If nothing is displayed, the host does not detect...