max received sequence-number: 4
anti-replay check enable: Y
anti-replay window size: 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 89389742 (0x553faae)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/3590
max received sequence-number: 5
udp encapsulation used for nat traversal: N
Aggressive mode IKE with NAT traversal configuration example
Network requirements
See Figure 103. Deploy IPsec tunnels between Router A and Router B to protect traffic between the
branch and its headquarters. Use IKE to establish the IPsec tunnels.
In this network, the branch and the headquarters connect to an ATM network through Router B and
Router A.
Router B connects to the public network through an ADSL line and acts as the PPPoE client. The interface
connecting to the public network uses a private address dynamically assigned by the ISP.
Router A uses a fixed public IP address for the interface connected to the public network.
Figure 103 Network diagram for aggressive mode IKE with NAT traversal
The IKE negotiation mode must be aggressive because Router B uses a dynamic IP address.
You must configure NAT traversal at both ends of the IPsec tunnel because one end of the tunnel uses a
public IP address but the other end uses a private IP address.
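A check for verifying this setup once the tunnel is up, added here as an example and not part of the original guide: it parses SA display text in the field layout shown at the top of this section and reports SAs that do not use UDP encapsulation where NAT traversal is required, that negotiate DES, or that have inbound anti-replay disabled. The sample text is constructed; reading `Y` in the `udp encapsulation used for nat traversal` field as NAT traversal in use, and the DES/MD5 weak-algorithm list, are assumptions of this example.

```python
import re

# Constructed sample in the field layout of the SA display above; values are
# illustrative, not captured from a device.
SAMPLE = """\
[inbound ESP SAs]
spi: 1000001 (0xf4241)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
anti-replay check enable: Y
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 1000002 (0xf4242)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
udp encapsulation used for nat traversal: N
"""

WEAK_TOKENS = {"DES", "MD5"}  # assumption: this example's own weak-algorithm list
NATT_FIELD = "udp encapsulation used for nat traversal"


def parse_sas(text):
    """Return one dict of fields per '[inbound|outbound <proto> SAs]' block."""
    sas, current = [], None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(inbound|outbound) (\w+) SAs\]", line)
        if header:
            current = {"direction": header.group(1), "protocol": header.group(2)}
            sas.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return sas


def audit(sas, expect_nat_traversal):
    """List findings: weak algorithms, anti-replay off, NAT traversal unused."""
    findings = []
    for sa in sas:
        tag = f"{sa['direction']} spi {sa.get('spi', '?')}"
        tokens = set(re.split(r"[-\s]+", sa.get("proposal", "")))
        findings += [f"{tag}: weak algorithm {t}" for t in sorted(tokens & WEAK_TOKENS)]
        # Assumption: anti-replay fields appear for inbound SAs only, as in the display above.
        if sa["direction"] == "inbound" and sa.get("anti-replay check enable") != "Y":
            findings.append(f"{tag}: anti-replay check not enabled")
        if expect_nat_traversal and sa.get(NATT_FIELD) != "Y":
            findings.append(f"{tag}: NAT traversal required, UDP encapsulation not in use")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(parse_sas(SAMPLE), expect_nat_traversal=True)))
```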
Configuration procedure
1. Configure Router A.
# Specify a name for the local security gateway.
<RouterA> system-view
[RouterA] ike local-name routera