Aggressive Mode With Nat Traversal Configuration Example - HP VSR1000 Security Configuration Manual

Virtual services router

Aggressive mode with NAT traversal configuration example

This configuration example does not apply when the device operates in FIPS mode.
Network requirements
Device A is behind the NAT device. Configure an IPsec tunnel that uses IKE negotiation between Device A and Device B to secure the communication between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.
Configure Device A and Device B to use the default IKE proposal for the aggressive IKE negotiation to set up the IPsec SAs. Configure the two devices to use the pre-shared key authentication method for the IKE negotiation phase 1.
Figure 64 Network diagram
Configuration procedure
1. Configure Device A:
# Assign an IP address to each interface. (Details not shown.)
# Configure ACL 3000 to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.
<DeviceA> system-view
[DeviceA] acl number 3000
[DeviceA-acl-adv-3000] rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[DeviceA-acl-adv-3000] quit
# Create an IPsec transform set named transform1.
[DeviceA] ipsec transform-set transform1
# Use the ESP protocol for the IPsec transform set.
[DeviceA-ipsec-transform-set-transform1] protocol esp
# Specify the encryption and authentication algorithms.
[DeviceA-ipsec-transform-set-transform1] esp encryption-algorithm 3des-cbc
[DeviceA-ipsec-transform-set-transform1] esp authentication-algorithm md5
[DeviceA-ipsec-transform-set-transform1] quit
# Create an IKE keychain named keychain1.
[DeviceA] ike keychain keychain1
# Specify plaintext 12345zxcvb!@#$%ZXCVB as the pre-shared key to be used with the remote peer at 2.2.2.2.
[DeviceA-ike-keychain-keychain1] pre-shared-key address 2.2.2.2 255.255.255.0 key simple 12345zxcvb!@#$%ZXCVB
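The following Python audit is an added example, not part of the HP manual: it reads the Device A commands shown above and reports the settings a reviewer would question before reusing them (legacy ESP algorithms, a key entered in plaintext form, and a key mask that covers more than one peer). The `audit` function and the `WEAK_ENC` and `WEAK_AUTH` sets are assumptions of this example and should be adjusted to local policy.

```python
import ipaddress
import re

# Constructed sample: the Device A commands from this page, prompts included.
SAMPLE = """\
[DeviceA] ipsec transform-set transform1
[DeviceA-ipsec-transform-set-transform1] protocol esp
[DeviceA-ipsec-transform-set-transform1] esp encryption-algorithm 3des-cbc
[DeviceA-ipsec-transform-set-transform1] esp authentication-algorithm md5
[DeviceA] ike keychain keychain1
[DeviceA-ike-keychain-keychain1] pre-shared-key address 2.2.2.2 255.255.255.0 key simple 12345zxcvb!@#$%ZXCVB
"""

# Assumption: algorithm names this audit treats as legacy.
WEAK_ENC = {"des-cbc", "3des-cbc"}
WEAK_AUTH = {"md5"}
PROMPT = re.compile(r"^\s*(?:\[[^\]]+\]|<[^>]+>)\s*")
PSK = re.compile(r"^pre-shared-key address (\S+) (\S+) key (\S+) \S+$")


def audit(config):
    """Return (line_number, finding) pairs for weak settings in a CLI transcript."""
    findings = []
    for n, raw in enumerate(config.splitlines(), 1):
        line = PROMPT.sub("", raw).strip()   # drop the [DeviceA-...] or <DeviceA> prompt
        words = line.split()
        if words[:2] == ["esp", "encryption-algorithm"]:
            findings += [(n, f"legacy ESP cipher {w}") for w in words[2:] if w in WEAK_ENC]
        elif words[:2] == ["esp", "authentication-algorithm"]:
            findings += [(n, f"legacy ESP integrity algorithm {w}") for w in words[2:] if w in WEAK_AUTH]
        elif (m := PSK.match(line)):
            addr, mask, form = m.groups()
            if form == "simple":
                # Report the fact only; never echo the key itself into audit output.
                findings.append((n, "pre-shared key entered in plaintext form"))
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            if net.num_addresses > 1:
                findings.append((n, f"key matches {net.num_addresses} peer addresses ({net})"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE):
        print(f"line {lineno}: {finding}")
```
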