ESR service routers. ESR-Series. Functionality description. Version 1.12.0
2. Create the IPsec VPN. For the VPN, specify the IKE protocol gateway, the IPsec tunnel policy, the key exchange mode and the connection establishment method. When all parameters are entered, enable the tunnel using the enable command.
esr(config)# security ipsec vpn ipsec1
esr(config-ipsec-vpn)# mode ike
esr(config-ipsec-vpn)# ike establish-tunnel route
esr(config-ipsec-vpn)# ike gateway ike_gw1
esr(config-ipsec-vpn)# ike ipsec-policy ipsec_pol1
esr(config-ipsec-vpn)# enable
esr(config-ipsec-vpn)# exit
esr(config)# exit
R2 configuration
Configure the external network interface and assign it to a security zone:
esr# configure
esr(config)# interface gi 1/0/1
esr(config-if)# ip address 120.11.5.1/24
esr(config-if)# security-zone untrusted
esr(config-if)# exit
Create a VTI tunnel. Traffic will be routed via the VTI into the IPsec tunnel. Specify the IP addresses of the WAN border interfaces as the local and remote gateways:
esr(config)# tunnel vti 1
esr(config-vti)# remote address 180.100.0.1
esr(config-vti)# local address 120.11.5.1
esr(config-vti)# enable
esr(config-vti)# exit
To configure security zone rules, create an ISAKMP port profile:
esr(config)# object-group service ISAKMP
esr(config-object-group-service)# port-range 500
esr(config-object-group-service)# exit
Create a static route to the remote LAN. For each subnet located beyond the IPsec tunnel, specify a route via the VTI tunnel:
esr(config)# ip route 10.0.0.0/16 tunnel vti 1
Create an IKE protocol profile. In the profile, select Diffie-Hellman group 2, the AES 128-bit encryption algorithm and the MD5 authentication algorithm. These security parameters are used to protect the IKE connection:
esr(config)# security ike proposal ike_prop1
esr(config-ike-proposal)# dh-group 2
esr(config-ike-proposal)# authentication algorithm md5
esr(config-ike-proposal)# encryption algorithm aes128
esr(config-ike-proposal)# exit
esr(config)#
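The IKE proposal above uses DH group 2 (1024-bit MODP) and MD5 authentication, both below current guidance for IKE protection. The following added check (not part of the ESR documentation or firmware) parses proposal blocks in the CLI format shown above and flags weak settings; the sample configuration, the "ike_prop2" block and its "sha2-256" token are constructed for illustration and assume the same line layout as the running configuration.

```python
import re

# Constructed sample in the style of the CLI shown above; ike_prop2 and its
# algorithm tokens are assumed examples, not values taken from the ESR manual.
SAMPLE_CONFIG = """\
security ike proposal ike_prop1
  dh-group 2
  authentication algorithm md5
  encryption algorithm aes128
exit
security ike proposal ike_prop2
  dh-group 14
  authentication algorithm sha2-256
  encryption algorithm aes256
exit
"""

WEAK_DH_GROUPS = {"1", "2", "5"}   # MODP 768/1024/1536-bit: below 2048-bit (group 14)
WEAK_AUTH = {"md5", "sha1"}        # deprecated integrity/PRF choices for IKE
WEAK_ENC = {"des", "3des"}         # deprecated ciphers

def parse_ike_proposals(config: str) -> dict:
    """Return {name: {"dh-group": str, "authentication": str, "encryption": str}}."""
    proposals, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"security ike proposal (\S+)", line)
        if header:
            current = header.group(1)
            proposals[current] = {}
        elif current is None:
            continue                      # outside any proposal block
        elif line == "exit":
            current = None
        elif (m := re.match(r"dh-group (\d+)", line)):
            proposals[current]["dh-group"] = m.group(1)
        elif (m := re.match(r"(authentication|encryption) algorithm (\S+)", line)):
            proposals[current][m.group(1)] = m.group(2).lower()
    return proposals

def audit_ike_proposals(config: str) -> dict:
    """Return {name: [finding, ...]}; an empty list means nothing was flagged."""
    findings = {}
    for name, p in parse_ike_proposals(config).items():
        issues = []
        if p.get("dh-group") in WEAK_DH_GROUPS:
            issues.append(f"dh-group {p['dh-group']} is below 2048-bit MODP (group 14)")
        if p.get("authentication") in WEAK_AUTH:
            issues.append(f"authentication algorithm {p['authentication']} is deprecated")
        if p.get("encryption") in WEAK_ENC:
            issues.append(f"encryption algorithm {p['encryption']} is deprecated")
        findings[name] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit_ike_proposals(SAMPLE_CONFIG).items():
        print(name, "OK" if not issues else "; ".join(issues))
```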