Cisco Packet Data Gateway (PDG)
Sample L2 Interchassis HA Configuration
SecGW VM Configuration (StarOS)
SecGW Administration Guide, StarOS Release 17
context wsg
ip access-list acl1
permit ip <wsg_acl1_permit_IPv4-address_mask> <wsg_acl1_permit_IPv4-
address_mask>
#exit
ipv6 access-list acl1
permit ip <wsg_acl1_permit_IPv6-address_mask> <wsg_acl1_permit_IPv6-
address_mask>
#exit
no ip guarantee framed-route local-switching
ip pool pool1 range <wsg_pool1_IPv4-address/mask> <wsg_pool1_IPv4-address>
public 0
ipv6 pool ipv6-pool1 prefix <wsg_pool1_IPv6-address/mask> public 0
ipsec transform-set tselsa-foo
#exit
ikev2-ikesa transform-set ikesa-foo
#exit
crypto template foo ikev2-dynamic
authentication local pre-shared-key encrypted key
<unique_encrypted_key_per_CPU-VM>
authentication remote pre-shared-key encrypted key
<unique_encrypted_key_per_CPU-VM>
ikev2-ikesa transform-set list ikesa-foo
ikev2-ikesa rekey
payload foo-sa0 match childsa match ipv4
ipsec transform-set list tselsa-foo
rekey keepalive
#exit
identity local id-type ip-addr id <crypto_foo_IPv4-address>
#exit
crypto template foo-1 ikev2-dynamic
authentication local pre-shared-key encrypted key <encrypted_key>
authentication remote pre-shared-key encrypted key <encrypted_key>
ikev2-ikesa transform-set list ikesa-foo
ikev2-ikesa rekey
payload foo-sa0 match childsa match ipv6
ipsec transform-set list tselsa-foo
rekey keepalive
#exit
identity local id-type ip-addr id <crypto_foo1_local_IPv6-address_mask>
#exit
interface clear
ip address <wsg_interface_clear_IPv4-address>
ipv6 address <wsg_interface_clear_IPv6-address> secondary
#exit
interface ike loopback
ip address <wsg_interface_ike_IPv4-address mask> srp-activate
ipv6 address <wsg_interface_ike_IPv6-address/mask> srp-activate
#exit
interface ike-loop loopback
ip address <wsg_interface_ike-loop_IPv4-address_mask> srp-activate
#exit
ip access-list acl1
permit ip <wsg_acl1_permit_IPv4-address_mask> <wsg_acl1_permit_IPv4-
address_mask>
#exit
ipv6 access-list acl1
permit ip <wsg_acl1_permit_IPv6-address_mask> <wsg_acl1_permit_IPv6-
address_mask>
#exit
no ip guarantee framed-route local-switching
ip pool pool1 range <wsg_pool1_IPv4-address/mask> <wsg_pool1_IPv4-address>
public 0
ipv6 pool ipv6-pool1 prefix <wsg_pool1_IPv6-address/mask> public 0
ipsec transform-set tselsa-foo
#exit
ikev2-ikesa transform-set ikesa-foo
#exit
crypto template foo ikev2-dynamic
authentication local pre-shared-key encrypted key
<unique_encrypted_key_per_CPU-VM>
authentication remote pre-shared-key encrypted key
<unique_encrypted_key_per_CPU-VM>
ikev2-ikesa transform-set list ikesa-foo
ikev2-ikesa rekey
payload foo-sa0 match childsa match ipv4
ipsec transform-set list tselsa-foo
rekey keepalive
#exit
identity local id-type ip-addr id <crypto_foo_IPv4-address>
#exit
crypto template foo-1 ikev2-dynamic
authentication local pre-shared-key encrypted key <encrypted_key>
authentication remote pre-shared-key encrypted key <encrypted_key>
ikev2-ikesa transform-set list ikesa-foo
ikev2-ikesa rekey
payload foo-sa0 match childsa match ipv6
ipsec transform-set list tselsa-foo
rekey keepalive
#exit
identity local id-type ip-addr id <crypto_foo1_local_IPv6-address_mask>
#exit
interface clear
ip address <wsg_interface_clear_IPv4-address>
ipv6 address <wsg_interface_clear_IPv6-address> secondary
#exit
interface ike loopback
ip address <wsg_interface_ike_IPv4-address mask> srp-activate
ipv6 address <wsg_interface_ike_IPv6-address/mask> srp-activate
#exit
interface ike-loop loopback
ip address <wsg_interface_ike-loop_IPv4-address_mask> srp-activate
#exit