Tunnel-Ipsec Naming Convention - Cisco 6000 Series Configuration Manual

Interface and Hardware Component Configuration Guide for Cisco NCS 6000 Series Routers, IOS XR Release 6.4.x

Configuring Tunnel Interfaces
When IPSec is used, there is no need to use Secure Shell (SSH) or Secure Socket Layer (SSL). Their use
causes the same data to be encrypted or decrypted twice, which creates unnecessary overhead. The IPSec
daemon runs on both the RPs and the DRPs. IPSec is an optional feature on the router. IPSec is a good
choice for a user who has multiple applications that require secure transport. On the client side, customers
can use "Cisco VPN 3000 Client" or any other third-party IPSec client software to build an IPSec VPN.
Note
The IPSec tunnel exists in the control plane, so you do not have to bring up or bring down the tunnel. Entry into
the IPSec tunnel is only for locally sourced traffic from the RP or DRP, and is dictated by the access control
lists (ACLs) configured as a part of the profile that is applied to the Tunnel-IPSec.

Tunnel-IPSec Naming Convention

A profile is entered from interface configuration submode for interface tunnel-ipsec. For example:
interface tunnel-ipsec 30
profile <profile name>

Crypto Profile Sets
Crypto profile sets must be configured and applied to tunnel interfaces (or to the crypto IPSec transport). For
IPSec to succeed between two IPSec peers, the crypto profile entries of both peers must contain compatible
configuration statements.
Two peers that try to establish a security association must each have at least one crypto profile entry that is
compatible with one of the other peer's crypto profile entries. For two crypto profile entries to be compatible,
they must at least meet the following criteria:
• They must contain compatible crypto access lists. In the case where the responding peer is using dynamic
crypto profiles, the entries in the local crypto access list must be "permitted" by the peer's crypto access
list.
• They must each identify the other peer (unless the responding peer is using dynamic crypto profiles).
• They must have at least one transform set in common.
Note
Crypto profiles cannot be shared; that is, the same profile cannot be attached to multiple interfaces.

How to Configure Tunnel Interfaces
This section contains the following procedures:
Configuring Tunnel-IPSec Interfaces
This task explains how to configure Tunnel-IPSec interfaces.
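
The three compatibility criteria listed under Crypto Profile Sets can be checked across both peers before a change is deployed. The following Python is an added example, not code from the Cisco guide: ProfileEntry and its field names are a hypothetical model rather than IOS XR syntax, and the addresses and transform-set labels are constructed. It assumes that for static profiles "compatible" crypto access lists means mirror images, and that "permitted" means covered by a permit entry once source and destination are reversed.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

@dataclass
class ProfileEntry:
    """Hypothetical model of one crypto profile entry (not IOS XR syntax)."""
    local_addr: str          # this router's IPSec endpoint
    peer: Optional[str]      # peer it identifies; None for a dynamic profile
    acl: list                # crypto ACL permits as (source, destination) CIDRs
    transform_sets: set      # constructed labels, e.g. {("AES-256", "SHA-1")}
    dynamic: bool = False

def _nets(acl):
    return {(ip_network(s), ip_network(d)) for s, d in acl}

def _permitted(acl, src, dst):
    """True if one permit entry in acl covers all of src -> dst."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in _nets(acl))

def compatibility_problems(initiator, responder):
    """Return the criteria the two entries fail; an empty list means compatible."""
    problems = []
    # Criterion 1: compatible crypto access lists.
    mirrored = {(d, s) for s, d in _nets(initiator.acl)}  # as seen by the responder
    if responder.dynamic:
        # Dynamic responder: each local entry must be permitted by the peer's ACL.
        if not all(_permitted(responder.acl, s, d) for s, d in mirrored):
            problems.append("acl: local entry not permitted by peer's crypto ACL")
    elif mirrored != _nets(responder.acl):
        # Assumption: for static profiles "compatible" means mirror-image ACLs.
        problems.append("acl: crypto ACLs are not mirror images")
    # Criterion 2: each identifies the other peer (dynamic responder exempt).
    if initiator.peer != responder.local_addr:
        problems.append("peer: initiator does not identify responder")
    if not responder.dynamic and responder.peer != initiator.local_addr:
        problems.append("peer: responder does not identify initiator")
    # Criterion 3: at least one transform set in common.
    if not initiator.transform_sets & responder.transform_sets:
        problems.append("transform-set: none in common")
    return problems

# Constructed sample entries (documentation address ranges, made-up labels).
AES = ("AES-256", "SHA-1")
DES3 = ("3DES", "SHA-1")
spoke = ProfileEntry("192.0.2.1", "198.51.100.1", [("10.1.0.0/16", "10.2.0.0/16")], {AES})
hub_static = ProfileEntry("198.51.100.1", "192.0.2.1", [("10.2.0.0/16", "10.1.0.0/16")], {AES, DES3})
hub_dynamic = ProfileEntry("198.51.100.1", None, [("10.2.0.0/16", "10.0.0.0/8")], {AES}, dynamic=True)
hub_broken = ProfileEntry("198.51.100.1", "192.0.2.9", [("10.2.0.0/16", "10.3.0.0/16")], {DES3})
```

Calling compatibility_problems(spoke, hub_broken) reports all three failed criteria at once, which is more useful during an audit than stopping at the first mismatch.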
