Router1# show crypto ipsec sa all detail, Crypto policy name: inrouter2, Protocol is any – Foundry Networks AR3202-CL User Manual

Security Features

June 2004

© 2004 Foundry Networks, Inc.

15 - 19

Example 3: Joining Two Networks with an IPSec Tunnel using Multiple IPSec
Proposals

The following example demonstrates how a security gateway can use multiple IPSec (phase2) proposals to form
an IP security tunnel to join two private networks: 10.0.1.0/24 and 10.0.2.0/24.

IKE Proposal offered by both Router1 and Router2:

•

Phase 1: 3DES and SHA1

IPSec Proposals offered by Router1:

•

Phase 2: Proposal1: IPSec ESP with DES and HMAC-SHA1

•

Phase 2: Proposal2: IPSec ESP with AES (256-bit) and HMAC-SHA1

IPSec Proposal offered by Router2:

•

Phase 2: Proposal1: IPSec ESP with AES (256-bit) and HMAC-SHA1

In this example, the Router1 router offers two IPSec proposals to the peer while the Router2 router offers only one
proposal. As a result of quick mode negotiation, the two routers are expected to converge on a mutually
acceptable proposal, which is the proposal “IPSec ESP with AES (256-bit) and HMAC-SHA1” in this example.

Router1# show crypto ipsec sa all detail

Crypto Policy name: INRouter2

Protocol is Any

Local ident(ip/mask/port): (10.0.2.0/255.255.255.0/any)

Remote ident(ip/mask/port): (10.0.1.0/255.255.255.0/any)

Peer Address is 172.16.0.1, PFS Group is disabled

inbound ESP sas

Spi: 0xd603a513

Transform: aes256 (key length=256 bits), sha1

In use settings = {tunnel}

Bytes Processed 256

Hard lifetime in seconds 3560, Hard lifetime in kilobytes

413696

Soft lifetime in seconds 0, Soft lifetime in kilobytes is

unlimited

Crypto Policy name: Router2

Protocol is Any

Local ident(ip/mask/port): (10.0.1.0/255.255.255.0/any)

Remote ident(ip/mask/port): (10.0.2.0/255.255.255.0/any)

Peer Address is 172.16.0.2, PFS Group is disabled

outbound ESP sas

Spi: 0xb013de87

Transform: aes256 (key length=256 bits), sha1