IKE configuration example

Network requirements

As shown in Figure 78, configure an IPsec tunnel that uses IKE negotiation between gateways Switch A and Switch B to secure the communication between the two switches.

For Switch A, configure an IKE proposal that uses the sequence number 10 and the authentication algorithm SHA1. Configure Switch B to use the default IKE proposal.

Configure both switches to use the pre-shared key authentication method.

Figure 78: Network diagram

Configuration procedure

  • Make sure Switch A and Switch B can reach each other.

  • Configure Switch A:

    # Assign an IP address to VLAN-interface 1.

    <SwitchA> system-view
    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] ip address 1.1.1.1 255.255.255.0
    [SwitchA-Vlan-interface1] quit
    

    # Configure ACL 3101 to identify traffic from Switch A to Switch B.

    [SwitchA] acl number 3101
    [SwitchA-acl-adv-3101] rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
    [SwitchA-acl-adv-3101] rule 1 permit ip source 2.2.2.2 0 destination 1.1.1.1 0
    [SwitchA-acl-adv-3101] quit
    

    # Create IPsec proposal tran1.

    [SwitchA] ipsec proposal tran1
    

    # Set the packet encapsulation mode to tunnel.

    [SwitchA-ipsec-proposal-tran1] encapsulation-mode tunnel
    

    # Use security protocol ESP.

    [SwitchA-ipsec-proposal-tran1] transform esp
    

    # Specify encryption and authentication algorithms.

    [SwitchA-ipsec-proposal-tran1] esp encryption-algorithm aes 128
    [SwitchA-ipsec-proposal-tran1] esp authentication-algorithm sha1
    [SwitchA-ipsec-proposal-tran1] quit
    

    # Create an IKE proposal numbered 10.

    [SwitchA] ike proposal 10
    

    # Set the authentication algorithm to SHA1.

    [SwitchA-ike-proposal-10] authentication-algorithm sha
    

    # Configure the authentication method as pre-shared key.

    [SwitchA-ike-proposal-10] authentication-method pre-share
    

    # Set the ISAKMP SA lifetime to 5000 seconds.

    [SwitchA-ike-proposal-10] sa duration 5000
    [SwitchA-ike-proposal-10] quit
    

    # Create IKE peer peer.

    [SwitchA] ike peer peer
    

    # Configure the IKE peer to reference IKE proposal 10.

    [SwitchA-ike-peer-peer] proposal 10
    

    # Set the pre-shared key.

    [SwitchA-ike-peer-peer] pre-shared-key Ab12<><>
    

    # Specify the IP address of the peer security gateway.

    [SwitchA-ike-peer-peer] remote-address 2.2.2.2
    [SwitchA-ike-peer-peer] quit
    

    # Create an IPsec policy that uses IKE negotiation.

    [SwitchA] ipsec policy map1 10 isakmp
    

    # Reference IPsec proposal tran1.

    [SwitchA-ipsec-policy-isakmp-map1-10] proposal tran1
    

    # Reference ACL 3101 to identify the protected traffic.

    [SwitchA-ipsec-policy-isakmp-map1-10] security acl 3101
    

    # Reference IKE peer peer.

    [SwitchA-ipsec-policy-isakmp-map1-10] ike-peer peer
    [SwitchA-ipsec-policy-isakmp-map1-10] quit
    

    # Apply the IPsec policy to VLAN-interface 1.

    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] ipsec policy map1
    
  • Configure Switch B:

    # Assign an IP address to VLAN-interface 1.

    <SwitchB> system-view
    [SwitchB] interface vlan-interface 1
    [SwitchB-Vlan-interface1] ip address 2.2.2.2 255.255.255.0
    [SwitchB-Vlan-interface1] quit
    

    # Configure ACL 3101 to identify traffic from Switch B to Switch A.

    [SwitchB] acl number 3101
    [SwitchB-acl-adv-3101] rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.1 0
    [SwitchB-acl-adv-3101] rule 1 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
    [SwitchB-acl-adv-3101] quit
    

    # Create IPsec proposal tran1.

    [SwitchB] ipsec proposal tran1
    

    # Set the packet encapsulation mode to tunnel.

    [SwitchB-ipsec-proposal-tran1] encapsulation-mode tunnel
    

    # Use security protocol ESP.

    [SwitchB-ipsec-proposal-tran1] transform esp
    

    # Specify encryption and authentication algorithms.

    [SwitchB-ipsec-proposal-tran1] esp encryption-algorithm aes 128
    [SwitchB-ipsec-proposal-tran1] esp authentication-algorithm sha1
    [SwitchB-ipsec-proposal-tran1] quit
    

    # Create an IKE proposal numbered 10.

    [SwitchB] ike proposal 10
    

    # Set the authentication algorithm to SHA1.

    [SwitchB-ike-proposal-10] authentication-algorithm sha
    

    # Configure the authentication method as pre-shared key.

    [SwitchB-ike-proposal-10] authentication-method pre-share
    

    # Set the ISAKMP SA lifetime to 5000 seconds.

    [SwitchB-ike-proposal-10] sa duration 5000
    [SwitchB-ike-proposal-10] quit
    

    # Create IKE peer peer.

    [SwitchB] ike peer peer
    

    # Configure the IKE peer to reference IKE proposal 10.

    [SwitchB-ike-peer-peer] proposal 10
    

    # Set the pre-shared key.

    [SwitchB-ike-peer-peer] pre-shared-key Ab12<><>
    

    # Specify the IP address of the peer security gateway.

    [SwitchB-ike-peer-peer] remote-address 1.1.1.1
    [SwitchB-ike-peer-peer] quit
    

    # Create an IPsec policy that uses IKE negotiation.

    [SwitchB] ipsec policy use1 10 isakmp
    

    # Reference IPsec proposal tran1.

    [SwitchB-ipsec-policy-isakmp-use1-10] proposal tran1
    

    # Reference ACL 3101 to identify the protected traffic.

    [SwitchB-ipsec-policy-isakmp-use1-10] security acl 3101
    

    # Reference IKE peer peer.

    [SwitchB-ipsec-policy-isakmp-use1-10] ike-peer peer
    [SwitchB-ipsec-policy-isakmp-use1-10] quit
    

    # Apply the IPsec policy to VLAN-interface 1.

    [SwitchB] interface vlan-interface 1
    [SwitchB-Vlan-interface1] ipsec policy use1
    

Verifying the configuration

After the above configuration, send traffic from Switch B to Switch A. Switch A starts IKE negotiation with Switch B when it receives the first packet. IKE proposal matching starts with the proposal that has the highest priority. The SA lifetime does not take part in proposal matching; the negotiating peers determine it during IKE negotiation.
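Most IKE negotiation failures in a two-gateway setup like this one come from the two sides disagreeing on something that must match: the ACLs are not mirror images, the remote-address does not point at the peer's interface, the pre-shared keys differ, or the proposal algorithms differ. The following script is an added example, not part of the original page or of the vendor's software. It parses a simplified subset of the Comware command syntax shown above (prompts are stripped, one command per line), and reports every parameter that the two peers must agree on before traffic can bring the tunnel up. The two configuration strings are constructed to mirror the Switch A and Switch B procedures; a third variant with one mistyped ACL destination shows how a single wrong octet is caught. Lifetime is deliberately excluded from the comparison, because it is negotiated rather than matched.

```python
"""Cross-check two Comware-style IPsec/IKE peer configurations for mismatches.

Added example; it is not the page's own code. It understands only the
commands used in the page's procedure and ignores everything else.
"""
import re

# Constructed to mirror the Switch A configuration from the page.
SWITCH_A = """
<SwitchA> system-view
[SwitchA-Vlan-interface1] ip address 1.1.1.1 255.255.255.0
[SwitchA-acl-adv-3101] rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
[SwitchA-acl-adv-3101] rule 1 permit ip source 2.2.2.2 0 destination 1.1.1.1 0
[SwitchA-ipsec-proposal-tran1] encapsulation-mode tunnel
[SwitchA-ipsec-proposal-tran1] transform esp
[SwitchA-ipsec-proposal-tran1] esp encryption-algorithm aes 128
[SwitchA-ipsec-proposal-tran1] esp authentication-algorithm sha1
[SwitchA-ike-proposal-10] authentication-algorithm sha
[SwitchA-ike-proposal-10] authentication-method pre-share
[SwitchA-ike-proposal-10] sa duration 5000
[SwitchA-ike-peer-peer] pre-shared-key Ab12<><>
[SwitchA-ike-peer-peer] remote-address 2.2.2.2
"""

# Constructed to mirror the Switch B configuration from the page.
SWITCH_B = """
<SwitchB> system-view
[SwitchB-Vlan-interface1] ip address 2.2.2.2 255.255.255.0
[SwitchB-acl-adv-3101] rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.1 0
[SwitchB-acl-adv-3101] rule 1 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
[SwitchB-ipsec-proposal-tran1] encapsulation-mode tunnel
[SwitchB-ipsec-proposal-tran1] transform esp
[SwitchB-ipsec-proposal-tran1] esp encryption-algorithm aes 128
[SwitchB-ipsec-proposal-tran1] esp authentication-algorithm sha1
[SwitchB-ike-proposal-10] authentication-algorithm sha
[SwitchB-ike-proposal-10] authentication-method pre-share
[SwitchB-ike-proposal-10] sa duration 5000
[SwitchB-ike-peer-peer] pre-shared-key Ab12<><>
[SwitchB-ike-peer-peer] remote-address 1.1.1.1
"""

# Constructed variant: one octet of the ACL destination is mistyped (1.1.1.0).
SWITCH_B_TYPO = SWITCH_B.replace("destination 1.1.1.1 0", "destination 1.1.1.0 0", 1)

PROMPT = re.compile(r"^\s*(\[[^\]]*\]|<[^>]*>)\s*")


def parse(config: str) -> dict:
    """Extract the negotiation-relevant settings from one switch's config."""
    p = {"acl": [], "ipsec": {}, "ike": {}, "peer": {}}
    for raw in config.strip().splitlines():
        line = PROMPT.sub("", raw).strip()
        if not line:
            continue
        if m := re.match(r"ip address (\S+) \S+", line):
            p["local"] = m.group(1)  # this gateway's tunnel endpoint address
        elif m := re.match(r"rule \d+ permit ip source (\S+) \S+ destination (\S+) \S+", line):
            p["acl"].append((m.group(1), m.group(2)))
        elif m := re.match(r"(encapsulation-mode|transform|esp encryption-algorithm|esp authentication-algorithm) (.+)", line):
            p["ipsec"][m.group(1)] = m.group(2)
        elif m := re.match(r"(authentication-algorithm|authentication-method|sa duration) (.+)", line):
            p["ike"][m.group(1)] = m.group(2)
        elif m := re.match(r"pre-shared-key (.+)", line):
            p["peer"]["psk"] = m.group(1)
        elif m := re.match(r"remote-address (\S+)", line):
            p["peer"]["remote"] = m.group(1)
    return p


def compare(cfg_a: str, cfg_b: str) -> list:
    """Return a list of human-readable mismatches; empty means the peers agree."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    # Each side's remote-address must be the other side's interface address.
    if a["peer"].get("remote") != b.get("local"):
        findings.append(f"A remote-address {a['peer'].get('remote')} != B local {b.get('local')}")
    if b["peer"].get("remote") != a.get("local"):
        findings.append(f"B remote-address {b['peer'].get('remote')} != A local {a.get('local')}")
    # Pre-shared keys must be identical (the value itself is not echoed).
    if a["peer"].get("psk") != b["peer"].get("psk"):
        findings.append("pre-shared keys differ")
    # IPsec and IKE proposal parameters must match; lifetime is negotiated, not matched.
    for section in ("ipsec", "ike"):
        for key in sorted(set(a[section]) | set(b[section])):
            if key == "sa duration":
                continue
            if a[section].get(key) != b[section].get(key):
                findings.append(f"{section} {key}: A={a[section].get(key)} B={b[section].get(key)}")
    # The ACL on one side must be the mirror image (source/destination swapped) of the other.
    mirrored = {(dst, src) for src, dst in b["acl"]}
    if set(a["acl"]) != mirrored:
        findings.append(f"ACL rules are not mirror images: A={sorted(a['acl'])} B(mirrored)={sorted(mirrored)}")
    return findings


if __name__ == "__main__":
    print("consistent pair:", compare(SWITCH_A, SWITCH_B) or "no mismatches")
    print("mistyped ACL:", compare(SWITCH_A, SWITCH_B_TYPO))
```

Run it as-is to see both results; to check a real pair of devices, paste the relevant lines of each `display current-configuration` into the two strings. A mismatch list that is empty does not prove the tunnel will come up (reachability and the policy-to-interface binding are outside what the script checks), but a non-empty list points directly at the parameter to fix before touching anything else.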