IPsec for RIPng configuration example
The IPsec configuration procedures for protecting OSPFv3 and IPv6 BGP are similar. For more information about RIPng, OSPFv3, and IPv6 BGP, see Layer 3—IP Routing Configuration Guide.
Network requirements
As shown in Figure 86, Switch A, Switch B, and Switch C are connected. They learn IPv6 routing information through RIPng.
Configure IPsec for RIPng so that RIPng packets exchanged between the switches are transmitted through an IPsec tunnel. Configure IPsec to use the security protocol ESP, the encryption algorithm DES, and the authentication algorithm SHA1-HMAC-96.
Figure 86: Network diagram
Configuration considerations
To meet the requirements, perform the following configuration tasks:
Configure basic RIPng parameters.
Configure a manual IPsec policy.
Apply the IPsec policy to a RIPng process to protect RIPng packets in this process or to an interface to protect RIPng packets traveling through the interface.
Configuration procedure
Configure Switch A:
# Assign an IPv6 address to each interface. (Details not shown)
# Create a RIPng process and enable it on VLAN-interface 100.
<SwitchA> system-view [SwitchA] ripng 1 [SwitchA-ripng-1] quit [SwitchA] interface vlan-interface 100 [SwitchA-Vlan-interface100] ripng 1 enable [SwitchA-Vlan-interface100] quit
# Create an IPsec transform set named tran1, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to DES, and authentication algorithm to SHA1-HMAC-96.
[SwitchA] ipsec transform-set tran1 [SwitchA-ipsec-transform-set-tran1] encapsulation-mode transport [SwitchA-ipsec-transform-set-tran1] transform esp [SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm des [SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [SwitchA-ipsec-transform-set-tran1] quit
# Create an IPsec policy named policy001, specify the manual mode for it, and set the SPIs of the inbound and outbound SAs to 123456, and the keys for the inbound and outbound SAs using ESP to abcdefg.
[SwitchA] ipsec policy policy001 10 manual [SwitchA-ipsec-policy-manual-policy001-10] transform-set tran1 [SwitchA-ipsec-policy-manual-policy001-10] sa spi outbound esp 123456 [SwitchA-ipsec-policy-manual-policy001-10] sa spi inbound esp 123456 [SwitchA-ipsec-policy-manual-policy001-10] sa string-key outbound esp abcdefg [SwitchA-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg [SwitchA-ipsec-policy-manual-policy001-10] quit
# Apply IPsec policy policy001 to the RIPng process.
[SwitchA] ripng 1 [SwitchA-ripng-1] enable ipsec-policy policy001 [SwitchA-ripng-1] quit
Configure Switch B:
# Assign an IPv6 address to each interface. (Details not shown)
# Create a RIPng process and enable it on VLAN-interface 100 and VLAN-interface 200.
<SwitchB> system-view [SwitchB] ripng 1 [SwitchB-ripng-1] quit [SwitchB] interface vlan-interface 200 [SwitchB-Vlan-interface200] ripng 1 enable [SwitchB-Vlan-interface200] quit [SwitchB] interface vlan-interface 100 [SwitchB-Vlan-interface100] ripng 1 enable [SwitchB-Vlan-interface100] quit
# Create an IPsec transform set named tran1, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to DES, and authentication algorithm to SHA1-HMAC-96.
[SwitchB] ipsec transform-set tran1 [SwitchB-ipsec-transform-set-tran1] encapsulation-mode transport [SwitchB-ipsec-transform-set-tran1] transform esp [SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm des [SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [SwitchB-ipsec-transform-set-tran1] quit
# Create an IPsec policy named policy001, specify the manual mode for it, and configure the SPIs of the inbound and outbound SAs to 123456, and the keys for the inbound and outbound SAs using ESP to abcdefg.
[SwitchB] ipsec policy policy001 10 manual [SwitchB-ipsec-policy-manual-policy001-10] transform-set tran1 [SwitchB-ipsec-policy-manual-policy001-10] sa spi outbound esp 123456 [SwitchB-ipsec-policy-manual-policy001-10] sa spi inbound esp 123456 [SwitchB-ipsec-policy-manual-policy001-10] sa string-key outbound esp abcdefg [SwitchB-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg [SwitchB-ipsec-policy-manual-policy001-10] quit
# Apply IPsec policy policy001 to the RIPng process.
[SwitchB] ripng 1 [SwitchB-ripng-1] enable ipsec-policy policy001 [SwitchB-ripng-1] quit
Configure Switch C:
# Assign an IPv6 address to each interface. (Details not shown)
# Create a RIPng process and enable it on VLAN-interface 200.
<SwitchC> system-view [SwitchC] ripng 1 [SwitchC-ripng-1] quit [SwitchC] interface vlan-interface 200 [SwitchC-Vlan-interface200] ripng 1 enable [SwitchC-Vlan-interface200] quit
# Create an IPsec transform set named tran1, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to DES, and authentication algorithm to SHA1-HMAC-96.
[SwitchC] ipsec transform-set tran1 [SwitchC-ipsec-transform-set-tran1] encapsulation-mode transport [SwitchC-ipsec-transform-set-tran1] transform esp [SwitchC-ipsec-transform-set-tran1] esp encryption-algorithm des [SwitchC-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [SwitchC-ipsec-transform-set-tran1] quit
# Create an IPsec policy named policy001, specify the manual mode for it, and configure the SPIs of the inbound and outbound SAs to 123456, and the keys for the inbound and outbound SAs using ESP to abcdefg.
[SwitchC] ipsec policy policy001 10 manual [SwitchC-ipsec-policy-manual-policy001-10] transform-set tran1 [SwitchC-ipsec-policy-manual-policy001-10] sa spi outbound esp 123456 [SwitchC-ipsec-policy-manual-policy001-10] sa spi inbound esp 123456 [SwitchC-ipsec-policy-manual-policy001-10] sa string-key outbound esp abcdefg [SwitchC-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg [SwitchC-ipsec-policy-manual-policy001-10] quit
# Apply IPsec policy policy001 to the RIPng process.
[SwitchC] ripng 1 [SwitchC-ripng-1] enable ipsec-policy policy001 [SwitchC-ripng-1] quit
Verifying the configuration
After the configuration, Switch A, Switch B, and Switch C learns IPv6 routing information through RIPng. SAs are set up successfully, and the IPsec tunnel between two peers is up for protecting the RIPng packets.
Using the display ripng command on Switch A, you will see the running status and configuration information of the specified RIPng process. The output shows that IPsec policy policy001 is applied to this process successfully.
<SwitchA> display ripng 1 RIPng process : 1 Preference : 100 Checkzero : Enabled Default Cost : 0 Maximum number of balanced paths : 8 Update time : 30 sec(s) Timeout time : 180 sec(s) Suppress time : 120 sec(s) Garbage-Collect time : 120 sec(s) Number of periodic updates sent : 186 Number of trigger updates sent : 1 IPsec policy name: policy001, SPI: 123456
Using the display ipsec sa command on Switch A, you will see the information about the inbound and outbound SAs.
<SwitchA> display ipsec sa =============================== Protocol: RIPng =============================== ----------------------------- IPsec policy name: "policy001" sequence number: 10 mode: manual ----------------------------- connection id: 1 encapsulation mode: transport perfect forward secrecy: tunnel: flow: [inbound ESP SAs] spi: 123456 (0x3039) transform-set: ESP-ENCRYPT-DES ESP-AUTH-SHA1 No duration limit for this sa [outbound ESP SAs] spi: 123456 (0x3039) transform-set: ESP-ENCRYPT-DES ESP-AUTH-SHA1 No duration limit for this sa
Similarly, you can view the information on Switch B and Switch C. (Details not shown)