IPSec Peering

To peer with Backbone ehf over IPSec, we recommend the following configuration:

1. Agree on a common preshared key with the IPSec peer and enter it as the peer's crypto key:

    crypto isakmp key Ca7seScmh2HFDWld address ipv6 2A01:528:1:2:3:9::2/128 no-xauth

2. Define encryption methods:

    crypto ipsec transform-set AES128 esp-aes esp-sha-hmac 
    crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac 

3. Define an encryption profile to use:

    crypto ipsec profile PROFILE_AES128_PFS1
     set transform-set AES128
     set pfs group1

    crypto ipsec profile PROFILE_AES256_PFS16
     set transform-set AES256 
     set pfs group16

4. Set up the IPSec tunnel:

    interface Tunnel10411
      description IPSec Peering with AS00000
      ip address   ! the peering IP for IPv4 inside the tunnel
      ipv6 address 2000:0000:0000::1/64     ! the peering IP for IPv6 inside the tunnel
      ip mtu 1378                           ! An MTU of 1378 inside an IPSec GRE over
                                            ! IPv6 tunnel is correct for an outside MTU of 1500
      ipv6 mtu 1378
      ipv6 enable
      tunnel source 2A01:528:1:2:3:9::1      ! The outer IP of the tunnel
                                             ! (your own IP on the internet exchange)
      tunnel destination 2A01:528:1:2:3:9::2 ! The outer IP of the tunnel
                                             ! (your peer's IP on the internet exchange)
      tunnel mode gre ipv6
      tunnel path-mtu-discovery              ! Adapt the MTU if needed
      tunnel protection ipsec profile PROFILE_AES256_PFS16  ! Apply the encryption 
                                                            ! If you can't do AES256
                                                            ! use PROFILE_AES128_PFS1 
                                                            ! instead.
      ip tcp adjust-mss 1378             ! Work around braindamaged firewall admins
                                         ! who block ICMP and break path MTU discovery

5. Set up BGP4 peering as usual on the inside tunnel IPs.
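To show the arithmetic behind the 1378-byte tunnel MTU in step 4, here is an added Python check; it is not part of Backbone's page or of any IOS tooling. It assumes ESP tunnel mode (the IOS default under `tunnel protection`), AES-CBC with a 16-byte IV and block, HMAC-SHA1-96 with a 12-byte ICV, and a plain 4-byte GRE header; the `tunnel_mode=False` option models a transform set configured with `mode transport` instead.

```python
# Added MTU check for the "tunnel mode gre ipv6" + "tunnel protection ipsec"
# interface from step 4; not from Backbone's page. Assumes ESP tunnel mode
# (the IOS default under tunnel protection), AES-CBC (16-byte IV and block),
# HMAC-SHA1-96 (12-byte ICV) and a plain 4-byte GRE header.

IPV6_HDR = 40        # RFC 8200 fixed IPv6 header
GRE_HDR = 4          # RFC 2784 GRE header without key/sequence options
ESP_HDR = 8          # RFC 4303: SPI + sequence number
ESP_TRAILER = 2      # RFC 4303: pad length + next header
AES_BLOCK = 16       # AES-CBC padding granularity
CIPHER_IV = {"esp-aes": 16, "esp-aes 256": 16}   # names as in the transform-sets
ICV = {"esp-sha-hmac": 12}                        # HMAC-SHA1-96 truncated tag

def esp_padding(protected_len, block=AES_BLOCK):
    """ESP pad bytes so that payload + pad + trailer is a multiple of the block."""
    return (-(protected_len + ESP_TRAILER)) % block

def esp_packet_size(protected_len, cipher, integ):
    """On-the-wire size (outer IPv6 + ESP) when protecting protected_len bytes."""
    ciphertext = protected_len + esp_padding(protected_len) + ESP_TRAILER
    return IPV6_HDR + ESP_HDR + CIPHER_IV[cipher] + ciphertext + ICV[integ]

def max_tunnel_mtu(outer_mtu=1500, cipher="esp-aes 256",
                   integ="esp-sha-hmac", tunnel_mode=True):
    """Largest 'ip mtu' / 'ipv6 mtu' on the Tunnel interface that never fragments.
    Tunnel mode protects the whole delivery packet (IPv6 + GRE + payload);
    transport mode protects only GRE + payload."""
    for mtu in range(outer_mtu, 0, -1):
        protected = GRE_HDR + mtu + (IPV6_HDR if tunnel_mode else 0)
        if esp_packet_size(protected, cipher, integ) <= outer_mtu:
            return mtu
    return None

def overhead_breakdown(tunnel_mtu, cipher="esp-aes 256", integ="esp-sha-hmac"):
    """Per-header byte accounting for a full-size payload in tunnel mode."""
    protected = IPV6_HDR + GRE_HDR + tunnel_mtu
    return {"outer ipv6": IPV6_HDR, "esp header": ESP_HDR, "iv": CIPHER_IV[cipher],
            "inner ipv6": IPV6_HDR, "gre": GRE_HDR, "payload": tunnel_mtu,
            "esp padding": esp_padding(protected), "esp trailer": ESP_TRAILER,
            "icv": ICV[integ]}

if __name__ == "__main__":
    print("largest tunnel MTU behind a 1500-byte outside MTU:", max_tunnel_mtu())  # 1378
    print(overhead_breakdown(1378))   # the pieces sum to exactly 1500
```

With the page's transform-sets the result is the same for AES128 and AES256, since both use a 16-byte IV; a 1379-byte inner MTU already needs a full extra AES block of padding and overshoots the outside MTU.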