*A:ALA-49>config# info
----------------------------------------------
...
    card 1
        card-type iom2-20g
        mda 1
            mda-type m10-1gb-sfp
        exit
        mda 2
            mda-type isa-ipsec
        exit
    exit
...
----------------------------------------------
*A:ALA-49>config#

The following output displays an IPSec group configuration in the ISA context. The primary command identifies the card/slot number where the IPSec ISA is the primary module for the IPSec group.

*A:ALA-49>config# info
----------------------------------------------
...
    isa
        ipsec-group 1 create
            primary 1/2
            no shutdown
        exit
    exit
...
----------------------------------------------
*A:ALA-49>config#

*A:ALA-49>config# info
----------------------------------------------
...
    router
        interface "internet"
            address 10.10.7.118/24
            port 1/1/1
        exit
        interface "system"
            address 10.20.1.118/32
        exit
        autonomous-system 123
    exit
...
----------------------------------------------
*A:ALA-49>config#

*A:ALA-49>config# info
----------------------------------------------
...
    ipsec
        ike-policy 1 create
            ipsec-lifetime 300
            isakmp-lifetime 600
            pfs
            auth-algorithm md5
            dpd interval 10 max-retries 5
        exit
        ipsec-transform 1 create
            esp-auth-algorithm sha1
            esp-encryption-algorithm aes128
        exit
    exit
...
----------------------------------------------
*A:ALA-49>config#

The following output displays an IES and VPRN service with IPSec parameters configured.

*A:ALA-49>config# info
----------------------------------------------
...
    service
        ies 100 customer 1 create
            interface "ipsec-public" create
                address 10.10.10.1/24
                sap ipsec-1.public:1 create
                exit
            exit
            no shutdown
        exit
        vprn 200 customer 1 create
            ipsec
                security-policy 1 create
                    entry 1 create
                        local-ip 172.17.118.0/24
                        remote-ip 172.16.91.0/24
                    exit
                exit
            exit
            route-distinguisher 1:1
            ipsec-interface "ipsec-private" create
                sap ipsec-1.private:1 create
                    tunnel "remote-office" create
                        security-policy 1
                        local-gateway-address 10.10.10.118 peer 10.10.7.91 delivery-service 100
                        dynamic-keying
                            ike-policy 1
                            pre-shared-key "humptydumpty"
                            transform 1
                        exit
                        no shutdown
                    exit
                exit
            exit
            interface "corporate-network" create
                address 172.17.118.118/24
                sap 1/1/2 create
                exit
            exit
            static-route 172.16.91.0/24 ipsec-tunnel "remote-office"
            no shutdown
        exit
    exit
...
----------------------------------------------
*A:ALA-49>config#

admin certificate gen-keypair cf3:/key_plain_rsa2048 size 2048 type rsa
admin certificate gen-local-cert-req keypair cf3:/key_plain_rsa2048 subject-dn "C=US,ST=CA,CN=7750" file 7750_req.csr
admin certificate import type key input cf3:/key_plain_rsa2048 output key1_rsa2048 format der
admin certificate import type cert input cf3:/7750_cert.pem output 7750cert format pem
admin certificate import type cert input cf3:/CA_1_cert.pem output ca_cert format pem
admin certificate import type crl input cf3:/CA_1_crl.pem output ca_crl format pem

config>system>security>pki
----------------------------------------------
    ca-profile "CA-1" create
        shutdown
        cert-file "ca_cert"
        crl-file "ca_crl"
        no shutdown
    exit

config>ipsec
----------------------------------------------
    ike-policy 1 create
        ike-version 2
        auth-method cert-auth
        own-auth-method cert
    exit

config>service>vprn>if>sap
----------------------------------------------
    ipsec-tunnel "t50" create
        security-policy 1
        local-gateway-address 192.168.55.30 peer 192.168.33.100 delivery-service 300
        dynamic-keying
            ike-policy 1
            transform 1
            cert
                trust-anchor "CA-1"
                cert "7750cert"
                key "key1_rsa2048"
            exit
        exit
        no shutdown
    exit

*A:SR-7/Dut-A# admin certificate import type cert input cf3:/pre-import/R1-0cert.pem output R1-0cert.der format pem
*A:SR-7/Dut-A# admin certificate export type cert input R1-0cert.der output cf3:/R1-0cert.pem format pem

config>redundancy>multi-chassis
----------------------------------------------
    peer 2.2.2.2 create
        mc-ipsec
            bfd-enable
            tunnel-group 1 create
                peer-group 2
                priority 120
                no shutdown
            exit
        exit
        no shutdown
    exit

The peer's tunnel-group id is not necessarily the same as the local tunnel-group id. With bfd-enable, the BFD parameters are specified under the interface on which the MIMP source address resides, which must be a loopback interface in the base routing instance. The default source address of MIMP is the system address. The keep-alive-interval and hold-on-neighbor-failure parameters define the MIMP keep-alive behavior; however, BFD can be used for faster chassis failure detection. SR-OS also provides a tools command to manually trigger the switchover, such as:

tools perform redundancy multi-chassis mc-ipsec force-switchover tunnel-group 1

config>redundancy>multi-chassis>
----------------------------------------------
    peer 2.2.2.2 create
        sync
            ipsec
            tunnel-group 1 sync-tag "sync_tag_1" create
            no shutdown
        exit

The sync-tag must match on both chassis for the corresponding tunnel-groups.

config>router>policy-options>
----------------------------------------------
    policy-statement "exportOSPF"
        entry 10
            from
                protocol ipsec
                state ipsec-master-with-peer
            exit
            action accept
                metric set 500
            exit
        exit
        entry 20
            from
                protocol ipsec
                state ipsec-non-master
            exit
            action accept
                metric set 1000
            exit
        exit
        entry 30
            from
                protocol ipsec
                state ipsec-master-without-peer
            exit
            action accept
                metric set 1000
            exit
        exit
    exit

config>service>ies>
    interface "ipsec-pub" create
        address 172.16.100.254/24
        sap tunnel-1.public:100 create
        exit
        static-tunnel-redundant-next-hop 1.1.1.1
    exit

config>service>vprn>
    interface "ipsec-priv" tunnel create
        …
        static-tunnel-redundant-next-hop 7.7.7.1
    exit

static-tunnel-redundant-next-hop — Shunting next-hop for a static tunnel.
dynamic-tunnel-redundant-next-hop — Shunting next-hop for a dynamic tunnel.
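A small audit script for configurations like the ike-policy, tunnel and static-route blocks shown above, added here as an example and not SR-OS or Alcatel-Lucent code: it parses indented "info" output (assuming four-space indentation and "exit" block terminators), flags the MD5 IKE authentication and pre-shared-key settings from the first example against the IKEv2 certificate-based alternative, and goes one step further by checking that every referenced ike-policy, transform, security-policy and ipsec-tunnel is actually defined. The sample configuration is constructed, with deliberate gaps so that each check fires.

```python
# Added example, not SR-OS code: audit an indented SR-OS style "info" excerpt for weak IKE settings and dangling references.
import re
SAMPLE = """ipsec
    ike-policy 1 create
        auth-algorithm md5
    exit
exit
vprn 200 customer 1 create
    ipsec-tunnel "remote-office" create
        security-policy 1
        dynamic-keying
            ike-policy 1
            pre-shared-key "humptydumpty"
            transform 1
        exit
    exit
    static-route 172.16.91.0/24 ipsec-tunnel "remote-office"
    static-route 10.9.0.0/16 ipsec-tunnel "branch-2"
exit"""  # constructed sample: mirrors the page's layout, with deliberate gaps

def parse(text):
    """Yield (enclosing_block_path, statement): 4-space indentation nests, 'exit' closes."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line != "exit":
            del stack[(len(raw) - len(raw.lstrip())) // 4:]
            yield tuple(stack), line
            stack.append(line)

def audit(text):
    """Return findings: MD5 IKE auth, policies without IKEv2, PSK use, undefined references."""
    defined, used, ikev2, findings = set(), set(), set(), []
    for path, line in parse(text):
        head = path[-1] if path else ""
        if m := re.match(r'(ike-policy|ipsec-transform|security-policy|ipsec-tunnel) (\S+) create$', line):
            defined.add((m[1], m[2].strip('"')))
        elif m := re.match(r"(ike-policy|transform|security-policy) (\d+)$", line):
            used.add((m[1].replace("transform", "ipsec-transform"), m[2]))
        elif m := re.match(r'static-route \S+ ipsec-tunnel "(\S+)"', line):
            used.add(("ipsec-tunnel", m[1]))
        elif line == "ike-version 2":
            ikev2.add(("ike-policy", head.split()[1]))
        elif line == "auth-algorithm md5":
            findings.append(f"{head}: MD5 IKE authentication is weak")
        elif line.startswith("pre-shared-key"):
            findings.append(f"{path[-2] if len(path) > 1 else head}: pre-shared-key, not cert-auth")
    findings += [f"ike-policy {n}: ike-version 2 not set" for k, n in sorted(defined - ikev2) if k == "ike-policy"]
    findings += [f"{k} {v} referenced but not defined" for k, v in sorted(used - defined)]
    return findings
```

Running `audit(SAMPLE)` reports six findings: the MD5 authentication, the pre-shared key, the missing ike-version 2, and the undefined ipsec-transform 1, ipsec-tunnel "branch-2" and security-policy 1 references.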