Configuration example for an IPsec tunnel in an IPsec tunnel
Double encryption is provided when an IPsec tunnel is configured in another IPsec tunnel.
Figure 24: Tunnel in tunnel deployment of IPsec
NOTE: Tunnel endpoints may be multiple hops away, and the base path may be reachable over any interior gateway protocol such as static routing, RIP, OSPF, BGP and so on.
In the following configuration example, the inner tunnel (between Router1 and Router4) runs in the user VRF (vrf1) and the outer tunnel (between Router2 and Router3) runs in the default VRF.
Router1
Router1# configure terminal
Router1(config)# ikev2 proposal ikev2_propA
Router1(config-ike-proposal-ikev2_propA)# exit
Router1(config)# ikev2 auth-proposal ikev2_auth_propA
Router1(config-ike-auth-proposal-ikev2_auth_propA)# pre-shared-key ps_key
Router1(config-ike-auth-proposal-ikev2_auth_propA)# exit
Router1(config)# ikev2 policy ikev2_policyA
Router1(config-ike-policy-ikev2_policyA)# proposal ikev2_propA
Router1(config-ike-policy-ikev2_policyA)# match address-local 10.100.100.1 255.255.255.255
Router1(config-ike-policy-ikev2_policyA)# exit
Router1(config)# ikev2 profile ikev2_profA
Router1(config-ike-profile-ikev2_profA)# authentication ikev2_auth_propA
Router1(config-ike-profile-ikev2_profA)# local-identifier address 10.1.1.1
Router1(config-ike-profile-ikev2_profA)# remote-identifier address 10.4.4.4
Router1(config-ike-profile-ikev2_profA)# match-identity local address 10.1.1.1
Router1(config-ike-profile-ikev2_profA)# match-identity remote address 10.4.4.4
Router1(config-ike-profile-ikev2_profA)# exit
Router1(config)# ipsec proposal ipsec_propA
Router1(config-ipsec-proposal-ipsec_propA)# exit
Router1(config)# ipsec profile ipsec_profA
Router1(config-ipsec-profile-ipsec_profA)# proposal ipsec_propA
Router1(config-ipsec-profile-ipsec_profA)# ike-profile ikev2_profA
Router1(config-ipsec-profile-ipsec_profA)# exit
Router1(config)# interface loopback 1
Router1(config-lbif-1)# ip address 10.100.100.1 255.255.255.255
Router1(config-lbif-1)# ip ospf area 0
Router1(config-lbif-1)# exit
Router1(config)# interface tunnel 1
Router1(config-tnif-1)# vrf forwarding vrf1
Router1(config-tnif-1)# tunnel mode ipsec ipv4
Router1(config-tnif-1)# tunnel protection ipsec profile ipsec_profA
Router1(config-tnif-1)# tunnel source loopback 1
Router1(config-tnif-1)# tunnel destination 10.100.100.4
Router1(config-tnif-1)# ip address 10.11.1.1 255.255.255.252
Router1(config-tnif-1)# ip ospf area 0
Router1(config-tnif-1)# exit
Router1(config)# router ospf vrf vrf1
Router1(config-router-ospf-vrf-vrf1)# area 0
Router1(config-router-ospf-vrf-vrf1)# exit
Router1(config)# router ospf
Router1(config-router-ospf-vrf-default-vrf)# area 0
Router1(config-router-ospf-vrf-default-vrf)# end
Router2
Router2 may be any device that supports IPsec. The following example shows how to configure Router2 when the device is a Ruckus ICX 7450.
Router2# configure terminal
Router2(config)# ikev2 proposal ikev2_propA
Router2(config-ike-proposal-ikev2_propA)# exit
Router2(config)# ikev2 auth-proposal ikev2_auth_propA
Router2(config-ike-auth-proposal-ikev2_auth_propA)# pre-shared-key ps_key
Router2(config-ike-auth-proposal-ikev2_auth_propA)# exit
Router2(config)# ikev2 policy ikev2_policyA
Router2(config-ike-policy-ikev2_policyA)# proposal ikev2_propA
Router2(config-ike-policy-ikev2_policyA)# match address-local 10.100.100.2 255.255.255.255
Router2(config-ike-policy-ikev2_policyA)# exit
Router2(config)# ikev2 profile ikev2_profA
Router2(config-ike-profile-ikev2_profA)# authentication ikev2_auth_propA
Router2(config-ike-profile-ikev2_profA)# local-identifier address 10.2.2.2
Router2(config-ike-profile-ikev2_profA)# remote-identifier address 10.3.3.3
Router2(config-ike-profile-ikev2_profA)# match-identity local address 10.2.2.2
Router2(config-ike-profile-ikev2_profA)# match-identity remote address 10.3.3.3
Router2(config-ike-profile-ikev2_profA)# exit
Router2(config)# ipsec proposal ipsec_propA
Router2(config-ipsec-proposal-ipsec_propA)# exit
Router2(config)# ipsec profile ipsec_profA
Router2(config-ipsec-profile-ipsec_profA)# proposal ipsec_propA
Router2(config-ipsec-profile-ipsec_profA)# ike-profile ikev2_profA
Router2(config-ipsec-profile-ipsec_profA)# exit
Router2(config)# interface loopback 1
Router2(config-lbif-1)# ip address 10.100.100.2 255.255.255.255
Router2(config-lbif-1)# exit
Router2(config)# interface tunnel 1
Router2(config-tnif-1)# tunnel mode ipsec ipv4
Router2(config-tnif-1)# tunnel protection ipsec profile ipsec_profA
Router2(config-tnif-1)# tunnel source loopback 1
Router2(config-tnif-1)# tunnel destination 10.100.100.3
Router2(config-tnif-1)# ip address 10.12.1.1 255.255.255.252
Router2(config-tnif-1)# ip ospf area 0
Router2(config-tnif-1)# exit
Router2(config)# router ospf
Router2(config-router-ospf-vrf-default-vrf)# area 0
Router2(config-router-ospf-vrf-default-vrf)# end
Router3
Router3 may be any device that supports IPsec. The following example shows how to configure Router3 when the device is a Ruckus ICX 7450.
Router3# configure terminal
Router3(config)# ikev2 proposal ikev2_propA
Router3(config-ike-proposal-ikev2_propA)# exit
Router3(config)# ikev2 auth-proposal ikev2_auth_propA
Router3(config-ike-auth-proposal-ikev2_auth_propA)# pre-shared-key ps_key
Router3(config-ike-auth-proposal-ikev2_auth_propA)# exit
Router3(config)# ikev2 policy ikev2_policyA
Router3(config-ike-policy-ikev2_policyA)# proposal ikev2_propA
Router3(config-ike-policy-ikev2_policyA)# match address-local 10.100.100.3 255.255.255.255
Router3(config-ike-policy-ikev2_policyA)# exit
Router3(config)# ikev2 profile ikev2_profA
Router3(config-ike-profile-ikev2_profA)# authentication ikev2_auth_propA
Router3(config-ike-profile-ikev2_profA)# local-identifier address 10.3.3.3
Router3(config-ike-profile-ikev2_profA)# remote-identifier address 10.2.2.2
Router3(config-ike-profile-ikev2_profA)# match-identity local address 10.3.3.3
Router3(config-ike-profile-ikev2_profA)# match-identity remote address 10.2.2.2
Router3(config-ike-profile-ikev2_profA)# exit
Router3(config)# ipsec proposal ipsec_propA
Router3(config-ipsec-proposal-ipsec_propA)# exit
Router3(config)# ipsec profile ipsec_profA
Router3(config-ipsec-profile-ipsec_profA)# proposal ipsec_propA
Router3(config-ipsec-profile-ipsec_profA)# ike-profile ikev2_profA
Router3(config-ipsec-profile-ipsec_profA)# exit
Router3(config)# interface loopback 1
Router3(config-lbif-1)# ip address 10.100.100.3 255.255.255.255
Router3(config-lbif-1)# exit
Router3(config)# interface tunnel 1
Router3(config-tnif-1)# tunnel mode ipsec ipv4
Router3(config-tnif-1)# tunnel protection ipsec profile ipsec_profA
Router3(config-tnif-1)# tunnel source loopback 1
Router3(config-tnif-1)# tunnel destination 10.100.100.2
Router3(config-tnif-1)# ip address 10.12.1.2 255.255.255.252
Router3(config-tnif-1)# ip ospf area 0
Router3(config-tnif-1)# exit
Router3(config)# router ospf
Router3(config-router-ospf-vrf-default-vrf)# area 0
Router3(config-router-ospf-vrf-default-vrf)# end
Router4
Router4# configure terminal
Router4(config)# ikev2 proposal ikev2_propA
Router4(config-ike-proposal-ikev2_propA)# exit
Router4(config)# ikev2 auth-proposal ikev2_auth_propA
Router4(config-ike-auth-proposal-ikev2_auth_propA)# pre-shared-key ps_key
Router4(config-ike-auth-proposal-ikev2_auth_propA)# exit
Router4(config)# ikev2 policy ikev2_policyA
Router4(config-ike-policy-ikev2_policyA)# proposal ikev2_propA
Router4(config-ike-policy-ikev2_policyA)# match address-local 10.100.100.4 255.255.255.255
Router4(config-ike-policy-ikev2_policyA)# exit
Router4(config)# ikev2 profile ikev2_profA
Router4(config-ike-profile-ikev2_profA)# authentication ikev2_auth_propA
Router4(config-ike-profile-ikev2_profA)# local-identifier address 10.4.4.4
Router4(config-ike-profile-ikev2_profA)# remote-identifier address 10.1.1.1
Router4(config-ike-profile-ikev2_profA)# match-identity local address 10.4.4.4
Router4(config-ike-profile-ikev2_profA)# match-identity remote address 10.1.1.1
Router4(config-ike-profile-ikev2_profA)# exit
Router4(config)# ipsec proposal ipsec_propA
Router4(config-ipsec-proposal-ipsec_propA)# exit
Router4(config)# ipsec profile ipsec_profA
Router4(config-ipsec-profile-ipsec_profA)# proposal ipsec_propA
Router4(config-ipsec-profile-ipsec_profA)# ike-profile ikev2_profA
Router4(config-ipsec-profile-ipsec_profA)# exit
Router4(config)# interface loopback 1
Router4(config-lbif-1)# ip address 10.100.100.4 255.255.255.255
Router4(config-lbif-1)# ip ospf area 0
Router4(config-lbif-1)# exit
Router4(config)# interface tunnel 1
Router4(config-tnif-1)# vrf forwarding vrf1
Router4(config-tnif-1)# tunnel mode ipsec ipv4
Router4(config-tnif-1)# tunnel protection ipsec profile ipsec_profA
Router4(config-tnif-1)# tunnel source loopback 1
Router4(config-tnif-1)# tunnel destination 10.100.100.1
Router4(config-tnif-1)# ip address 10.11.1.2 255.255.255.252
Router4(config-tnif-1)# ip ospf area 0
Router4(config-tnif-1)# exit
Router4(config)# router ospf vrf vrf1
Router4(config-router-ospf-vrf-vrf1)# area 0
Router4(config-router-ospf-vrf-vrf1)# exit
Router4(config)# router ospf
Router4(config-router-ospf-vrf-default-vrf)# area 0
Router4(config-router-ospf-vrf-default-vrf)# end
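A tunnel-in-tunnel deployment only comes up when the four configurations above mirror each other exactly: each tunnel destination must be the peer's tunnel source loopback, each remote-identifier must equal the peer's local-identifier, both ends of a tunnel must sit in the same VRF, and both tunnel addresses must share a subnet. The following Python script is an added example, not Ruckus code or part of this guide: it parses running-config style text for the four routers and reports every asymmetry. The `running_config` template (which reproduces the shape of the page's configurations as constructed sample input), the `Router` dataclass and the `parse`, `check` and `tunnel_pairs` functions are this example's own names, not ICX commands or APIs.

```python
# Added example (not Ruckus code): consistency check for the tunnel-in-tunnel
# configurations on this page, driven by abridged running-config text.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


def running_config(local_id, remote_id, loopback, tunnel_dst, tunnel_ip, vrf=""):
    """Constructed sample input with the shape of this page's configurations."""
    return (
        f"ikev2 profile ikev2_profA\n local-identifier address {local_id}\n"
        f" remote-identifier address {remote_id}\ninterface loopback 1\n"
        f" ip address {loopback} 255.255.255.255\ninterface tunnel 1\n"
        + (f" vrf forwarding {vrf}\n" if vrf else "")
        + f" tunnel source loopback 1\n tunnel destination {tunnel_dst}\n"
        f" ip address {tunnel_ip} 255.255.255.252\n"
    )


CONFIGS = {  # the four routers of this page; Router1/Router4 carry the inner (vrf1) tunnel
    "Router1": running_config("10.1.1.1", "10.4.4.4", "10.100.100.1", "10.100.100.4", "10.11.1.1", "vrf1"),
    "Router2": running_config("10.2.2.2", "10.3.3.3", "10.100.100.2", "10.100.100.3", "10.12.1.1"),
    "Router3": running_config("10.3.3.3", "10.2.2.2", "10.100.100.3", "10.100.100.2", "10.12.1.2"),
    "Router4": running_config("10.4.4.4", "10.1.1.1", "10.100.100.4", "10.100.100.1", "10.11.1.2", "vrf1"),
}


@dataclass
class Router:
    name: str
    local_id: str = ""
    remote_id: str = ""
    vrf: str = "default"          # VRF the tunnel interface is bound to
    src_if: str = ""              # e.g. "loopback 1"
    tunnel_src: str = ""          # address of that loopback, resolved after parsing
    tunnel_dst: str = ""
    tunnel_ip: Optional[ipaddress.IPv4Interface] = None
    loopbacks: dict = field(default_factory=dict)


def parse(name, text):
    """Walk the config line by line; an unindented line opens a new block."""
    r, block = Router(name), ""
    for raw in text.splitlines():
        w = raw.split()
        if not raw.startswith(" "):
            block = raw
            continue
        if block.startswith("ikev2 profile") and w[0] in ("local-identifier", "remote-identifier"):
            setattr(r, w[0].split("-")[0] + "_id", w[-1])
        elif block.startswith("interface loopback") and w[0] == "ip":
            r.loopbacks[" ".join(block.split()[1:])] = w[2]
        elif block.startswith("interface tunnel"):
            if w[0] == "vrf":
                r.vrf = w[-1]
            elif w[:2] == ["tunnel", "source"]:
                r.src_if = " ".join(w[2:])
            elif w[:2] == ["tunnel", "destination"]:
                r.tunnel_dst = w[-1]
            elif w[:2] == ["ip", "address"]:
                r.tunnel_ip = ipaddress.IPv4Interface(f"{w[2]}/{w[3]}")
    r.tunnel_src = r.loopbacks.get(r.src_if, "")
    return r


def parse_all(configs):
    return {name: parse(name, text) for name, text in configs.items()}


def check(routers):
    """Return findings; an empty list means every tunnel has a mirrored, consistent peer."""
    by_src = {r.tunnel_src: r for r in routers.values() if r.tunnel_src}
    out = []
    for r in routers.values():
        peer = by_src.get(r.tunnel_dst)
        if peer is None:
            out.append(f"{r.name}: tunnel destination {r.tunnel_dst} is no router's tunnel source")
            continue
        if peer.tunnel_dst != r.tunnel_src:
            out.append(f"{r.name}: peer {peer.name} points at {peer.tunnel_dst}, not {r.tunnel_src}")
        if r.remote_id != peer.local_id:
            out.append(f"{r.name}: remote-identifier {r.remote_id} != {peer.name} local-identifier {peer.local_id}")
        if r.vrf != peer.vrf:
            out.append(f"{r.name}: tunnel in VRF {r.vrf} but {peer.name} tunnel in VRF {peer.vrf}")
        if r.tunnel_ip and peer.tunnel_ip and r.tunnel_ip.network != peer.tunnel_ip.network:
            out.append(f"{r.name}: tunnel subnet {r.tunnel_ip.network} != {peer.name} {peer.tunnel_ip.network}")
    return out


def tunnel_pairs(routers):
    """Map each tunnel (sorted router-name pair) to its VRF; the non-default one is the inner tunnel."""
    by_src = {r.tunnel_src: r for r in routers.values() if r.tunnel_src}
    return {tuple(sorted((r.name, by_src[r.tunnel_dst].name))): r.vrf
            for r in routers.values() if r.tunnel_dst in by_src}


if __name__ == "__main__":
    routers = parse_all(CONFIGS)
    print(tunnel_pairs(routers))
    print(check(routers) or "no findings")
```

Run against the page's values the checker reports no findings and identifies Router1/Router4 as the vrf1 (inner) pair and Router2/Router3 as the default-VRF (outer) pair; changing one remote-identifier, or dropping `vrf forwarding vrf1` from one inner endpoint, produces a finding naming the router and its peer, which is the fastest way to explain an IKEv2 negotiation that never completes.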