1910 CHAPTER 101: IKE CONFIGURATION[RouterA-ike-proposal-10] sa duration 50002 Configure Router B# Configure an IKE peer. system-view[RouterB] ike peer peer[RouterB-ike-peer-peer] pre-shared-key abcde[RouterB-ike-peer-peer] remote-address 1.1.1.1With the above configuration, Router A and Router B should be able to performIKE negotiation. Router A is configured with proposal 10 which uses theauthentication algorithm of MD5, but Router B has only a default IKE proposalwhich uses the authentication algorithm of SHA. Therefore, Router B has noproposal matching proposal 10 of Router A, and the two routers have only onepair of matching proposals, namely the default IKE proposals. In addition, the tworouters are not required to have the same ISAKMP SA lifetime, they will negotiateone.Example for IKEAggressive Mode andNAT TraversalNetwork requirements■ The LAN of the branch office is connected to the Intranet in the headquartersthrough a leased line. The Serial 2/0 interface of Router A has a fixed public IPaddress and Router B obtains an IP address dynamically.■ As the IP address obtained by the branch is a private one and the IP address ofthe Serial 2/0 interface on Router A is a public one, you must enable NATtraversal on Router B.■ For higher security, IKE is used to create an IPSec tunnel.n For the purpose of highlighting the configurations of IKE aggressive mode andNAT traversal, routers in this example are interconnected through their serialinterfaces across the Internet and one end is configured to obtain an IP addressdynamically. You can refer to this example if you access the Internet using thedial-up or broadband service.Network diagramFigure 556 Network diagram for configuring IKE aggressive mode and NAT traversalConfiguration procedure1 Configure Router A# Specify a name for the local security gateway. system-view[RouterA] ike local-name routera# Configure an ACL.InternetBranch HeadquartersLeased lineS2/0ppp- negotiateNATS2/0100.0.0.1/16Router B Router A
