Panasonic 8000 User Manual

Nortel Secure Router 8000 Series
Troubleshooting - VAS

2 IPSec and IKE troubleshooting

# Configure the host local ID in aggressive IKE negotiation mode.

<RouterA> system-view

[RouterA] ike local-name routera

2. Configure IKE proposals.

By default, use the default IKE proposals.

3. Configure the IKE peer.

# Set the name of the IKE peer to routerb. Configure aggressive negotiation mode
and set “name” as the local ID authentication type. Set the pre-shared key to nortel.
Set the peer IP address to 202.38.162.1 and enable NAT traversal for it.

Note the following:

The shared keys configured on the connected peer must be consistent.

“Name” is used as the ID authentication type. The remote name must be the same as the
local IKE ID configured on the peer through the ike local-name command.

[RouterA] ike peer routerb

[RouterA-ike-peer-routerb] exchange-mode aggressive

[RouterA-ike-peer-routerb] local-id-type name

[RouterA-ike-peer-routerb] pre-shared-key nortel

[RouterA-ike-peer-routerb] remote-name routerb

[RouterA-ike-peer-routerb] remote-address 202.38.162.1

[RouterA-ike-peer-routerb] nat traversal

4. Configure an ACL.

# Configure an ACL, specifying the data flow from 10.1.1.x to 10.1.2.x.

[RouterA] acl number 3101

[RouterA-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

5. Configure an IPSec proposal.

# Set the name of the IPSec proposal to tran1. The proposal uses tunnel mode,
the SHA-1 authentication algorithm, and the DES encryption algorithm.

[RouterA] ipsec proposal tran1

[RouterA-ipsec-proposal-tran1] encapsulation-mode tunnel

[RouterA-ipsec-proposal-tran1] transform esp

[RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha1

[RouterA-ipsec-proposal-tran1] esp encryption-algorithm des

6. Configure an IPSec policy.

# Set the name of the IPSec policy to map1, the sequence number to 10, and the
negotiation mode to ISAKMP. Apply the configured IPSec proposal tran1 to the policy,
and set the IKE peer to routerb.

[RouterA] ipsec policy map1 10 isakmp

[RouterA-ipsec-policy-isakmp-map1-10] security acl 3101

[RouterA-ipsec-policy-isakmp-map1-10] proposal tran1

[RouterA-ipsec-policy-isakmp-map1-10] ike-peer routerb

7. Apply the IPSec policy.

# Apply the IPSec policy map1 on the serial interface.

[RouterA] interface Ethernet 1/2/0
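
An added example, not part of the Nortel manual: a Python check of the two conditions in the note under step 3 (consistent pre-shared keys, and remote-name equal to the peer's ike local-name), which also flags the DES cipher selected in step 5. The RouterB configuration, the function names parse and check, and the exact-string comparison of keys are assumptions made for illustration.

```python
import re

# Constructed sample configs in the CLI syntax shown on this page. RouterB's
# side is an assumption (the page lists only RouterA) with two planted mismatches.
ROUTER_A = """ike local-name routera
ike peer routerb
 exchange-mode aggressive
 local-id-type name
 pre-shared-key nortel
 remote-name routerb
ipsec proposal tran1
 esp encryption-algorithm des
"""
ROUTER_B = """ike local-name router-b
ike peer routera
 local-id-type name
 pre-shared-key Nortel
 remote-name routera
"""

def parse(text):
    """Return {'local-name': str, 'peers': {name: {option: value}}, 'esp-enc': [alg]}."""
    cfg, peer = {"local-name": None, "peers": {}, "esp-enc": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ike local-name (\S+)", line):
            cfg["local-name"] = m.group(1)
        elif m := re.fullmatch(r"ike peer (\S+)", line):
            peer = cfg["peers"].setdefault(m.group(1), {})
        elif m := re.fullmatch(r"esp encryption-algorithm (\S+)", line):
            cfg["esp-enc"].append(m.group(1))
        elif raw[:1] == " " and peer is not None and " " in line:
            option, value = line.rsplit(" ", 1)   # e.g. "remote-name routerb"
            peer[option] = value
        elif line:
            peer = None                           # left the ike-peer view
    return cfg

def check(a, b):
    """Findings for router a's peer entries, checked against remote router b."""
    out = []
    for name, p in a["peers"].items():
        if p.get("local-id-type") == "name" and p.get("remote-name") != b["local-name"]:
            out.append(f"{name}: remote-name does not match the remote ike local-name")
        back = [q for q in b["peers"].values() if q.get("remote-name") == a["local-name"]]
        if back and back[0].get("pre-shared-key") != p.get("pre-shared-key"):
            out.append(f"{name}: pre-shared-key differs between the two ends")
    out += [f"weak ESP cipher: {alg}" for alg in a["esp-enc"] if alg == "des"]
    return out
```

Calling check(parse(ROUTER_A), parse(ROUTER_B)) on the sample reports both planted mismatches and the DES finding; the findings name the peer but never print key material.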

Issue 01.01 (30 March 2009)

Nortel Networks Inc.

2-37
