Manual IPSEC configuration Problem

Hi,

I have been trying to configure IPSEC using manual as found in the website but after simulating the same scenario as shown in the website and after the configuration below I always see the ip ipsec policy as invalid.

Request Help please.

tunnel mode example using AH with manual keying
for Router1

[admin@Router1] > ip ipsec manual-sa add name=ah-sa1
... ah-spi=0x101/0x100 ah-key=abcfed
[admin@Router1] > ip ipsec policy add src-address=10.1.0.0/24
... dst-address=10.2.0.0/24 action=encrypt ipsec-protocols=ah
... tunnel=yes sa-src=1.0.0.1 sa-dst=1.0.0.2 manual-sa=ah-sa1
for Router2

[admin@Router2] > ip ipsec manual-sa add name=ah-sa1
... ah-spi=0x100/0x101 ah-key=abcfed
[admin@Router2] > ip ipsec policy add src-address=10.2.0.0/24
... dst-address=10.1.0.0/24 action=encrypt ipsec-protocols=ah
... tunnel=yes sa-src=1.0.0.2 sa-dst=1.0.0.1 manual-sa=ah-sa1

Krishna
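An added consistency check, not part of any post in this thread and not MikroTik code: it parses the two routers' commands as posted above and verifies the values that have to agree between the peers when keys are set by hand. Assumptions: the SPI pair is swapped between peers as in the posted commands, keys are hex strings, and the function names `parse` and `check_pair` are hypothetical.

```python
import re

# Commands as posted in the thread, continuation lines joined.
ROUTER1 = """ip ipsec manual-sa add name=ah-sa1 ah-spi=0x101/0x100 ah-key=abcfed
ip ipsec policy add src-address=10.1.0.0/24 dst-address=10.2.0.0/24 \
action=encrypt ipsec-protocols=ah tunnel=yes sa-src=1.0.0.1 sa-dst=1.0.0.2 manual-sa=ah-sa1"""
ROUTER2 = """ip ipsec manual-sa add name=ah-sa1 ah-spi=0x100/0x101 ah-key=abcfed
ip ipsec policy add src-address=10.2.0.0/24 dst-address=10.1.0.0/24 \
action=encrypt ipsec-protocols=ah tunnel=yes sa-src=1.0.0.2 sa-dst=1.0.0.1 manual-sa=ah-sa1"""

def parse(config):
    """Collect key=value parameters per command ('manual-sa', 'policy')."""
    out = {}
    for line in config.splitlines():
        m = re.match(r"ip ipsec (\S+) add (.*)", line.strip())
        if m:
            out[m.group(1)] = dict(kv.split("=", 1) for kv in m.group(2).split())
    return out

def check_pair(a, b):
    """Return a list of mismatches between two peers' manual-keying configs."""
    problems = []
    sa_a, sa_b, pol_a, pol_b = a["manual-sa"], b["manual-sa"], a["policy"], b["policy"]
    # One side's in/out SPI pair must be the other side's pair reversed.
    spi_a = [int(x, 16) for x in sa_a["ah-spi"].split("/")]
    spi_b = [int(x, 16) for x in sa_b["ah-spi"].split("/")]
    if spi_a != spi_b[::-1]:
        problems.append("ah-spi not mirrored")
    # Manual keying has no negotiation, so both ends must carry the same key.
    if sa_a["ah-key"].lower() != sa_b["ah-key"].lower():
        problems.append("ah-key differs")
    # Assumption: keys are hex, so an odd digit count cannot be whole bytes.
    for key in sorted({sa_a["ah-key"], sa_b["ah-key"]}):
        if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", key):
            problems.append(f"ah-key {key!r} is not whole hex bytes")
    # Traffic selectors and tunnel endpoints must be swapped on the peer.
    for x, y in (("src-address", "dst-address"), ("sa-src", "sa-dst")):
        if pol_a[x] != pol_b[y] or pol_a[y] != pol_b[x]:
            problems.append(f"{x}/{y} not mirrored")
    # Each policy must reference the manual-sa defined on the same router.
    for label, pol, sa in (("first", pol_a, sa_a), ("second", pol_b, sa_b)):
        if pol["manual-sa"] != sa["name"]:
            problems.append(f"{label} router: policy manual-sa not defined")
    for k in ("action", "ipsec-protocols", "tunnel"):
        if pol_a[k] != pol_b[k]:
            problems.append(f"{k} differs")
    return problems

if __name__ == "__main__":
    print(check_pair(parse(ROUTER1), parse(ROUTER2)) or "peers are consistent")
```

The check covers only agreement between the two peers; it does not model how RouterOS decides that a policy is invalid.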

Looking for answer to this as well.

You miss an encryption key.

Regards.

Can you elaborate? Thanks.

You will have to specify authentication key and encryption key.
For example, if you are using MD5 as an authentication algorithm you will need to specify an SPI and authentication key like
AH In/Out Key: 476a316c346e314b334b787859313
AH In/Out SPI: 100/100

Then you will need an encryption key, let's say using 3DES encryption
ESP In/Out Auth. Key: 476a316c346e314b334b787859313
ESP In/Out Ecr. Key: 64313554723138556331306e69674a3137346e5978313238
ESP In/Out SPI: 100/100

After this you will have to setup your peer, and also the policies etc etc.

I hope this will help you get your IPSec running.

Regards.

Faton

Thanks.