ESR-Series. User manual
191
To configure security zone rules, create an ISAKMP port profile:
esr(config)# object-group service ISAKMP
esr(config-addr-set)# port-range 500
esr(config-addr-set)# exit
Create an IKE protocol profile. In the profile, select Diffie-Hellman group 2, the AES 128-bit encryption
algorithm and the MD5 authentication algorithm. These security parameters are used to protect the IKE
connection:
esr(config)# security ike proposal ike_prop1
esr(config-ike-proposal)# dh-group 2
esr(config-ike-proposal)# authentication algorithm md5
esr(config-ike-proposal)# encryption algorithm aes128
esr(config-ike-proposal)# exit
esr(config)#
Create an IKE protocol policy. For the policy, specify the list of IKE protocol profiles that may be used for
node and authentication key negotiation:
esr(config)# security ike policy ike_pol1
esr(config-ike-policy)# pre-shared-key hexadecimal 123FFF
esr(config-ike-policy)# proposal ike_prop1
esr(config-ike-policy)# exit
Create an IKE protocol gateway. For this profile, specify the VTI tunnel, policy, protocol version and mode of
traffic redirection into the tunnel:
esr(config)# security ike gateway ike_gw1
esr(config-ike-gw)# ike-policy ike_pol1
esr(config-ike-gw)# remote address 198.51.100.1
esr(config-ike-gw)# remote network 10.0.0.0/16
esr(config-ike-gw)# local address 203.0.113.1
esr(config-ike-gw)# local network 192.0.2.0/24
esr(config-ike-gw)# mode policy-based
esr(config-ike-gw)# exit
Create a security parameters profile for the IPsec tunnel. For the profile, select Diffie-Hellman group 2, the AES
128-bit encryption algorithm and the MD5 authentication algorithm. Use the following parameters to secure the
IPsec tunnel:
esr(config)# security ipsec proposal ipsec_prop1
esr(config-ipsec-proposal)# authentication algorithm md5
esr(config-ipsec-proposal)# encryption algorithm aes128
esr(config-ipsec-proposal)# exit
Create a policy for the IPsec tunnel. For the policy, specify the list of IPsec tunnel profiles that may be used
for node negotiation:
esr(config)# security ipsec policy ipsec_pol1
esr(config-ipsec-policy)# proposal ipsec_prop1
esr(config-ipsec-policy)# exit
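The proposal, policy and gateway blocks above form a chain (gateway -> IKE policy -> IKE proposal; IPsec policy -> IPsec proposal), and the algorithm choices in them decide how well the tunnel is protected. The following script is an added example, not part of the ESR manual or of Eltex's software: it parses a transcript in the form shown on this page (prompts are stripped, so it also accepts the bare commands), rebuilds the chain, and reviews it against a baseline of this example's own choosing, modelled on the algorithm requirement levels of RFC 8247 (IKEv2) and RFC 8221 (ESP): HMAC-MD5 integrity is "MUST NOT", MODP groups below 2048 bits (groups 1, 2, 5) are flagged, and a hexadecimal pre-shared key shorter than an assumed floor of 16 bytes is reported. Dangling references (a policy naming a proposal that was never created) are also reported. The sample transcript is constructed from the commands on this page.

```python
import re

# Constructed input: the CLI transcript from this manual page, with the blank
# and prompt-only lines dropped. Prompts are stripped by the parser, so the
# same function also accepts the commands without prompts.
SAMPLE_TRANSCRIPT = """\
esr(config)# security ike proposal ike_prop1
esr(config-ike-proposal)# dh-group 2
esr(config-ike-proposal)# authentication algorithm md5
esr(config-ike-proposal)# encryption algorithm aes128
esr(config-ike-proposal)# exit
esr(config)# security ike policy ike_pol1
esr(config-ike-policy)# pre-shared-key hexadecimal 123FFF
esr(config-ike-policy)# proposal ike_prop1
esr(config-ike-policy)# exit
esr(config)# security ike gateway ike_gw1
esr(config-ike-gw)# ike-policy ike_pol1
esr(config-ike-gw)# remote address 198.51.100.1
esr(config-ike-gw)# remote network 10.0.0.0/16
esr(config-ike-gw)# local address 203.0.113.1
esr(config-ike-gw)# local network 192.0.2.0/24
esr(config-ike-gw)# mode policy-based
esr(config-ike-gw)# exit
esr(config)# security ipsec proposal ipsec_prop1
esr(config-ipsec-proposal)# authentication algorithm md5
esr(config-ipsec-proposal)# encryption algorithm aes128
esr(config-ipsec-proposal)# exit
esr(config)# security ipsec policy ipsec_pol1
esr(config-ipsec-policy)# proposal ipsec_prop1
esr(config-ipsec-policy)# exit
"""

PROMPT = re.compile(r"^\s*esr\([^)]*\)#\s*")
BLOCK_START = re.compile(r"^security (ike|ipsec) (proposal|policy|gateway) (\S+)$")

# Assumed review baseline, modelled on the requirement levels of RFC 8247
# (IKEv2) and RFC 8221 (ESP): HMAC-MD5 integrity is "MUST NOT"; MODP groups
# 1, 2 and 5 are below 2048 bits. The PSK floor is this example's own choice.
WEAK_DH_GROUPS = {"1", "2", "5"}
MIN_PSK_HEX_CHARS = 32  # 16 bytes of key material


def parse_blocks(text):
    """Return {(kind, name): {setting: value}} for every security ike/ipsec block."""
    blocks = {}
    current = None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()
        if not line:
            continue
        start = BLOCK_START.match(line)
        if start:
            current = (f"{start.group(1)} {start.group(2)}", start.group(3))
            blocks[current] = {}
        elif line == "exit":
            current = None
        elif current is not None:
            # Last token is the value, the rest is the setting name:
            # "authentication algorithm md5" -> ("authentication algorithm", "md5")
            key, _, value = line.rpartition(" ")
            blocks[current][key] = value
    return blocks


def review(blocks):
    """Return a list of findings; an empty list means the chain passed the baseline."""
    findings = []
    for (kind, name), settings in blocks.items():
        family = kind.split()[0]  # "ike" or "ipsec"
        if kind.endswith("proposal"):
            if settings.get("authentication algorithm") == "md5":
                findings.append(f"{kind} {name}: MD5 integrity is MUST NOT (RFC 8247/8221)")
            group = settings.get("dh-group")
            if group in WEAK_DH_GROUPS:
                findings.append(f"{kind} {name}: dh-group {group} is below 2048-bit MODP")
        elif kind.endswith("policy"):
            psk = settings.get("pre-shared-key hexadecimal")
            if psk is not None and len(psk) < MIN_PSK_HEX_CHARS:
                findings.append(f"{kind} {name}: pre-shared key is only {len(psk) // 2} bytes")
            prop = settings.get("proposal")
            if prop and (f"{family} proposal", prop) not in blocks:
                findings.append(f"{kind} {name}: references undefined proposal {prop}")
        elif kind == "ike gateway":
            pol = settings.get("ike-policy")
            if pol and ("ike policy", pol) not in blocks:
                findings.append(f"{kind} {name}: references undefined policy {pol}")
    return findings


if __name__ == "__main__":
    for finding in review(parse_blocks(SAMPLE_TRANSCRIPT)):
        print(finding)
```

Run against the page's own configuration, the review reports four findings: MD5 integrity in both proposals, Diffie-Hellman group 2 in the IKE proposal, and a 3-byte pre-shared key. The parser keys settings by everything before the last token, so additional ESR commands in the same blocks are captured without changing the code; only the checks in `review` need extending.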