Configuring IPsec on the SBC
7/24/2019 Khai Bao Ipsec Tren SBC
This packet-in-a-packet can actually be nested yet more levels: Host A and Host B can establish
their own authenticated connection (via AH), and have this routed over the VPN. This would put
an AH inner packet inside an enclosing ESP+Auth packet.
IP address for IPSEC on SBC
Port   Interface name   IP address       Next hop
PK0    IPIF4            169.255.187.61   ?
PK1    IPIF5            169.255.187.62   ?
Example for interconnection with SAFARI
Local SIP Sign Address:   169.255.187.25
Local IP Interface:       169.255.187.61
Peer IP Interface:        196.201.217.1&7
Peer SIP Sign Address:    196.201.217.146
Local SIP Media Address:  169.255.187.26, 169.255.187.27
Peer SIP Media Address:   196.201.217.142
1. Configure IP interface group for IPSEC
Purpose: create a new IP interface group for the VPN configuration on the SBC. You must
enable the ipsec parameter.
2. Configure IP interface
Purpose: create 2 IP interfaces on the new IP interface group N"3IP"
3. Configure ipsec-peer
Purpose: configure the ipsec-peer for the VPN interconnection.
Parameters:
- Ip Address: remote tunnel IP address
- Ip Address local identity: local SIP IP address
- Protocol: specifies the key management protocol used to exchange with this peer. ikev1: Internet Key Version 1.
Continue the configuration:
- Ip Address remote identity: remote SIP IP address
4. Configure ipsec-spd
Purpose: configure the IPSec SPD (Security Policy Database) for the SBC. The SPD
establishes the phase 2 criteria for the negotiation between the SBC and the IKE
peer.
Route the tunnel for the SIP sign address and the media address.
Protocol number 6 represents TCP; protocol number 17 represents UDP.
a!ote! and peer.
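The following is an added example, not part of the original document and not SBC configuration syntax: a small Python model of SPD selector matching that checks whether every planned signaling and media flow from the interconnection table would be sent through the tunnel. The `SpdEntry` fields, the "protect"/"bypass" action names, the discard-on-no-match default (as in RFC 4301) and the sample policy itself are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

TCP, UDP = 6, 17  # IP protocol numbers named in the SPD section

@dataclass(frozen=True)
class SpdEntry:
    # Hypothetical model of one SPD selector; field names are assumptions.
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    protocol: int  # 0 means "any protocol" (assumption)
    action: str    # "protect" = send through the tunnel, "bypass" = send in clear

def entry(local, remote, protocol, action="protect"):
    return SpdEntry(ipaddress.ip_network(local), ipaddress.ip_network(remote),
                    protocol, action)

def lookup(spd, src, dst, protocol):
    """Return the action of the first matching entry; no match means discard."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in spd:
        if s in e.local and d in e.remote and e.protocol in (0, protocol):
            return e.action
    return "discard"

def uncovered(spd, flows):
    """List planned flows that the policy would not send through the tunnel."""
    return [f for f in flows if lookup(spd, *f) != "protect"]

# Addresses taken from the interconnection table; the policy is constructed.
LOCAL_SIGN, PEER_SIGN = "169.255.187.25", "196.201.217.146"
LOCAL_MEDIA = ["169.255.187.26", "169.255.187.27"]
PEER_MEDIA = "196.201.217.142"

# Constructed SPD that forgets the second local media address on purpose.
SPD = [
    entry(LOCAL_SIGN + "/32", PEER_SIGN + "/32", UDP),
    entry(LOCAL_SIGN + "/32", PEER_SIGN + "/32", TCP),
    entry(LOCAL_MEDIA[0] + "/32", PEER_MEDIA + "/32", UDP),
]

# Planned flows: signaling over UDP and TCP, media over UDP (assumption).
FLOWS = [(LOCAL_SIGN, PEER_SIGN, UDP), (LOCAL_SIGN, PEER_SIGN, TCP)]
FLOWS += [(m, PEER_MEDIA, UDP) for m in LOCAL_MEDIA]

if __name__ == "__main__":
    for flow in uncovered(SPD, FLOWS):
        print("not protected by the tunnel:", flow)
```

Running the same check against the selectors actually configured on the SBC shows which signaling or media address was left out of the SPD before the interconnection goes live.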
For the SIP configuration, follow the same document as before.