Features
Under normal circumstances, IPsec tunnels are established through negotiation that is triggered by data flows. After the automatic tunnel connection function (autoup) is configured, the IPsec module triggers the tunnel internally instead: as long as the IPsec configuration is complete, the device initiates IPsec negotiation automatically, regardless of whether any data flow triggers it.
1. Networking requirements
The business data exchanged between the branch and the headquarters is encrypted through dynamic IPSEC VPN. Since the headquarters needs to access the application server in Branch 1 from time to time, the IPSEC VPN between Branch 1 and the headquarters must remain permanently online regardless of whether Branch 1 needs to access the headquarters.
2. Network topology
3. Configuration points
1. Configure basic IPSEC functions
2. Configure the IPSEC tunnel automatic connection function of branch 1
4. Configuration steps
1. Configure basic IPSEC functions
According to the on-site environment and customer needs, select the appropriate IPsec deployment solution. For detailed configuration, refer to the IPsec "Basic Configuration" chapter (Typical Configuration--->Security--->IPSEC--->Basic Configuration).
2. Configure the IPSEC tunnel automatic connection function of branch 1
R1(config)#crypto map mymap 10 ipsec-isakmp
R1(config-crypto-map)#set autoup //Configure IPSEC tunnel automatic connection function
Note: set autoup has no effect when configured under a dynamic map.
5. Configuration verification
After the automatic connection function of the IPsec tunnel is configured on the branch 1 router, the IPsec tunnel is negotiated and established automatically, regardless of whether data access from branch 1 to the headquarters triggers it.
Ruijie#show crypto isakmp sa //View isakmp sa negotiation status
destination source state conn-id lifetime(second)
10.0.0.2 10.0.0.1 IKE_IDLE 0 84129 //isakmp negotiation successful, status is IKE_IDLE
Ruijie#show crypto ipsec sa //View ipsec sa negotiation status
Interface: GigabitEthernet 0/0
Crypto map tag:mymap //The name of the encryption map applied under the interface
local ipv4 addr 10.0.0.1 //IP address used for isakmp/ipsec negotiation
media mtu 1500
==================================
sub_map type:static, seqno:5, id=0
local ident (addr/mask/prot/port): (192.168.0.0/0.0.0.255/0/0)) //Source address of the flow of interest
remote ident (addr/mask/prot/port): (192.168.1.0/0.0.0.255/0/0)) //Destination address of the flow of interest
PERMIT
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4 //Number of packets successfully encapsulated, encrypted, and digested
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4 //Number of packets successfully decapsulated, decrypted, and verified. While data is being carried through the IPsec tunnel, running show crypto ipsec sa repeatedly shows these counters increasing continuously.
#send errors 0, #recv errors 0 //Number of send and receive errors. Under normal circumstances these counters do not increase.
Inbound esp sas:
spi:0x2ecca8e (49072782) //SPI of the inbound ipsec sa
transform: esp-des esp-md5-hmac //The ipsec transform set is esp-des esp-md5-hmac
in use settings={Tunnel Encaps,} //Tunnel mode is used
crypto map mymap 5
sa timing: remaining key lifetime (k/sec): (4606998/1324) //There is still time left before the life cycle of the security association expires: 4606998 kilobytes/1324 seconds
IV size: 8 bytes //IV length is 8 bytes
Replay detection support:Y //Anti-replay detection is enabled
Outbound esp sas:
spi:0x5730dd4b (1462820171) //SPI of the outbound ipsec sa. Only when both an inbound SPI and an outbound SPI are shown has the ipsec sa been negotiated successfully.
transform: esp-des esp-md5-hmac
in use settings={Tunnel Encaps,}
crypto map mymap 5
sa timing: remaining key lifetime (k/sec): (4606998/1324)
IV size: 8 bytes
Replay detection support:Y
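As an added helper that is not part of the Ruijie guide, the following Python script reads two successive captures of show crypto ipsec sa and applies the three checks described in this verification section: an SPI present in both directions, packet counters that increase between captures, and error counters that do not. The sample output is constructed from the values shown above (assumed, not captured from a device).

```python
import re

# Constructed sample modelled on the show crypto ipsec sa output above.
SNAPSHOT_1 = """\
Interface: GigabitEthernet 0/0
Crypto map tag:mymap
local ipv4 addr 10.0.0.1
sub_map type:static, seqno:5, id=0
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#send errors 0, #recv errors 0
Inbound esp sas:
spi:0x2ecca8e (49072782)
Outbound esp sas:
spi:0x5730dd4b (1462820171)
"""
# Second capture taken later, after some traffic has been encapsulated.
SNAPSHOT_2 = SNAPSHOT_1.replace("encaps: 4, #pkts encrypt: 4, #pkts digest 4",
                                "encaps: 9, #pkts encrypt: 9, #pkts digest 9")

def parse_ipsec_sa(text):
    """Extract the fields the verification section checks: both SPIs and the counters."""
    sa = {"inbound_spi": None, "outbound_spi": None,
          "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
    direction = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Inbound esp sas"):
            direction = "inbound"
        elif line.startswith("Outbound esp sas"):
            direction = "outbound"
        elif line.startswith("spi:") and direction:
            sa[direction + "_spi"] = re.match(r"spi:(0x[0-9a-fA-F]+)", line).group(1)
        elif line.startswith("#pkts encaps"):
            sa["encaps"] = int(re.search(r"encaps:\s*(\d+)", line).group(1))
        elif line.startswith("#pkts decaps"):
            sa["decaps"] = int(re.search(r"decaps:\s*(\d+)", line).group(1))
        elif line.startswith("#send errors"):
            m = re.search(r"#send errors\s*(\d+),\s*#recv errors\s*(\d+)", line)
            sa["send_errors"], sa["recv_errors"] = int(m.group(1)), int(m.group(2))
    return sa

def tunnel_healthy(before, after):
    """True if an SA exists in both directions, traffic moved, and errors did not grow."""
    b, a = parse_ipsec_sa(before), parse_ipsec_sa(after)
    negotiated = a["inbound_spi"] is not None and a["outbound_spi"] is not None
    traffic_moved = a["encaps"] > b["encaps"] or a["decaps"] > b["decaps"]
    no_new_errors = (a["send_errors"] <= b["send_errors"]
                     and a["recv_errors"] <= b["recv_errors"])
    return negotiated and traffic_moved and no_new_errors
```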