IPsec for RIPng configuration example

The IPsec configuration procedures for protecting OSPFv3 and IPv6 BGP are similar. For more information about RIPng, OSPFv3, and IPv6 BGP, see Layer 3IP Routing Configuration Guide.

Network requirements

As shown in Figure 86, Switch A, Switch B, and Switch C are connected. They learn IPv6 routing information through RIPng.

Configure IPsec for RIPng so that RIPng packets exchanged between the switches are transmitted through an IPsec tunnel. Configure IPsec to use the security protocol ESP, the encryption algorithm DES, and the authentication algorithm SHA1-HMAC-96.

Figure 86: Network diagram

Configuration considerations

To meet the requirements, perform the following configuration tasks:

Configuration procedure

  • Configure Switch A:

  • # Assign an IPv6 address to each interface. (Details not shown)

    # Create a RIPng process and enable it on VLAN-interface 100.

    <SwitchA> system-view
    [SwitchA] ripng 1
    [SwitchA-ripng-1] quit
    [SwitchA] interface vlan-interface 100
    [SwitchA-Vlan-interface100] ripng 1 enable
    [SwitchA-Vlan-interface100] quit
    

    # Create an IPsec transform set named tran1, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to DES, and authentication algorithm to SHA1-HMAC-96.

    [SwitchA] ipsec transform-set tran1
    [SwitchA-ipsec-transform-set-tran1] encapsulation-mode transport
    [SwitchA-ipsec-transform-set-tran1] transform esp
    [SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm des
    [SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
    [SwitchA-ipsec-transform-set-tran1] quit
    

    # Create an IPsec policy named policy001, specify the manual mode for it, and set the SPIs of the inbound and outbound SAs to 123456, and the keys for the inbound and outbound SAs using ESP to abcdefg.

    [SwitchA] ipsec policy policy001 10 manual
    [SwitchA-ipsec-policy-manual-policy001-10] transform-set tran1
    [SwitchA-ipsec-policy-manual-policy001-10] sa spi outbound esp 123456
    [SwitchA-ipsec-policy-manual-policy001-10] sa spi inbound esp 123456
    [SwitchA-ipsec-policy-manual-policy001-10] sa string-key outbound esp abcdefg
    [SwitchA-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg
    [SwitchA-ipsec-policy-manual-policy001-10] quit
    

    # Apply IPsec policy policy001 to the RIPng process.

    [SwitchA] ripng 1
    [SwitchA-ripng-1] enable ipsec-policy policy001
    [SwitchA-ripng-1] quit
    
  • Configure Switch B:

  • # Assign an IPv6 address to each interface. (Details not shown)

    # Create a RIPng process and enable it on VLAN-interface 100 and VLAN-interface 200.

    <SwitchB> system-view
    [SwitchB] ripng 1
    [SwitchB-ripng-1] quit
    [SwitchB] interface vlan-interface 200
    [SwitchB-Vlan-interface200] ripng 1 enable
    [SwitchB-Vlan-interface200] quit
    [SwitchB] interface vlan-interface 100
    [SwitchB-Vlan-interface100] ripng 1 enable
    [SwitchB-Vlan-interface100] quit
    

    # Create an IPsec transform set named tran1, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to DES, and authentication algorithm to SHA1-HMAC-96.

    [SwitchB] ipsec transform-set tran1
    [SwitchB-ipsec-transform-set-tran1] encapsulation-mode transport
    [SwitchB-ipsec-transform-set-tran1] transform esp
    [SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm des
    [SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
    [SwitchB-ipsec-transform-set-tran1] quit
    

    # Create an IPsec policy named policy001, specify the manual mode for it, and configure the SPIs of the inbound and outbound SAs to 123456, and the keys for the inbound and outbound SAs using ESP to abcdefg.

    [SwitchB] ipsec policy policy001 10 manual
    [SwitchB-ipsec-policy-manual-policy001-10] transform-set tran1
    [SwitchB-ipsec-policy-manual-policy001-10] sa spi outbound esp 123456
    [SwitchB-ipsec-policy-manual-policy001-10] sa spi inbound esp 123456
    [SwitchB-ipsec-policy-manual-policy001-10] sa string-key outbound esp abcdefg
    [SwitchB-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg
    [SwitchB-ipsec-policy-manual-policy001-10] quit
    

    # Apply IPsec policy policy001 to the RIPng process.

    [SwitchB] ripng 1
    [SwitchB-ripng-1] enable ipsec-policy policy001
    [SwitchB-ripng-1] quit
    
  • Configure Switch C:

  • # Assign an IPv6 address to each interface. (Details not shown)

    # Create a RIPng process and enable it on VLAN-interface 200.

    <SwitchC> system-view
    [SwitchC] ripng 1
    [SwitchC-ripng-1] quit
    [SwitchC] interface vlan-interface 200
    [SwitchC-Vlan-interface200] ripng 1 enable
    [SwitchC-Vlan-interface200] quit
    

    # Create an IPsec transform set named tran1, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to DES, and authentication algorithm to SHA1-HMAC-96.

    [SwitchC] ipsec transform-set tran1
    [SwitchC-ipsec-transform-set-tran1] encapsulation-mode transport
    [SwitchC-ipsec-transform-set-tran1] transform esp
    [SwitchC-ipsec-transform-set-tran1] esp encryption-algorithm des
    [SwitchC-ipsec-transform-set-tran1] esp authentication-algorithm sha1
    [SwitchC-ipsec-transform-set-tran1] quit
    

    # Create an IPsec policy named policy001, specify the manual mode for it, and configure the SPIs of the inbound and outbound SAs to 123456, and the keys for the inbound and outbound SAs using ESP to abcdefg.

    [SwitchC] ipsec policy policy001 10 manual
    [SwitchC-ipsec-policy-manual-policy001-10] transform-set tran1
    [SwitchC-ipsec-policy-manual-policy001-10] sa spi outbound esp 123456
    [SwitchC-ipsec-policy-manual-policy001-10] sa spi inbound esp 123456
    [SwitchC-ipsec-policy-manual-policy001-10] sa string-key outbound esp abcdefg
    [SwitchC-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg
    [SwitchC-ipsec-policy-manual-policy001-10] quit
    

    # Apply IPsec policy policy001 to the RIPng process.

    [SwitchC] ripng 1
    [SwitchC-ripng-1] enable ipsec-policy policy001
    [SwitchC-ripng-1] quit
    

    Verifying the configuration

    After the configuration, Switch A, Switch B, and Switch C learns IPv6 routing information through RIPng. SAs are set up successfully, and the IPsec tunnel between two peers is up for protecting the RIPng packets.

    Using the display ripng command on Switch A, you will see the running status and configuration information of the specified RIPng process. The output shows that IPsec policy policy001 is applied to this process successfully.

    <SwitchA> display ripng 1
        RIPng process : 1
           Preference : 100
           Checkzero : Enabled
           Default Cost : 0
           Maximum number of balanced paths : 8
           Update time   :   30 sec(s)  Timeout time         :  180 sec(s)
           Suppress time :  120 sec(s)  Garbage-Collect time :  120 sec(s)
           Number of periodic updates sent : 186
           Number of trigger updates sent : 1
           IPsec policy name: policy001, SPI: 123456
    
    

    Using the display ipsec sa command on Switch A, you will see the information about the inbound and outbound SAs.

    <SwitchA> display ipsec sa
    ===============================
    Protocol: RIPng
    ===============================
    
      -----------------------------
      IPsec policy name: "policy001"
      sequence number: 10
      mode: manual
      -----------------------------
        connection id: 1
        encapsulation mode: transport
        perfect forward secrecy:
        tunnel:
        flow:
    
     [inbound ESP SAs]
          spi: 123456 (0x3039)
          transform-set: ESP-ENCRYPT-DES ESP-AUTH-SHA1
          No duration limit for this sa
    
     [outbound ESP SAs]
          spi: 123456 (0x3039)
          transform-set: ESP-ENCRYPT-DES ESP-AUTH-SHA1
          No duration limit for this sa
    

    Similarly, you can view the information on Switch B and Switch C. (Details not shown)