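# Route-based (VTI) site-to-site IPsec tunnel between two VyOS routers.
#   RouterA: outside 172.16.254.1 (eth1), tunnel 172.16.250.1/24
#   RouterB: outside 172.16.254.2 (eth1), tunnel 172.16.250.2/24
# Both routers use the same IKE/ESP groups; every proposal value below must
# match on both sides or negotiation fails.
#
# Review changes against the original listing:
#   - Diffie-Hellman group raised from 2 (1024-bit MODP) to 14 (2048-bit MODP)
#     for both the IKE proposal and ESP PFS. Group 2 no longer gives an adequate
#     margin for the key exchange, even though the ciphers are AES-256/SHA-256.
#   - The pre-shared secret is kept as the author's lab value but flagged; see
#     the note at each peer.
#   - The MSS comment is corrected: the listing sets only the VTI MTU.

# ===================== RouterA =====================
set interfaces vti vti0 address '172.16.250.1/24'

# IPsec Phase 1 (IKE) configuration
# DPD action 'clear' drops the SA when the peer stops answering and does not
# re-initiate by itself; 'restart' is the alternative if the tunnel should
# come back without operator action.
set vpn ipsec ike-group ike-lab dead-peer-detection action 'clear'
set vpn ipsec ike-group ike-lab dead-peer-detection interval '30'
set vpn ipsec ike-group ike-lab dead-peer-detection timeout '90'
set vpn ipsec ike-group ike-lab ikev2-reauth 'no'
set vpn ipsec ike-group ike-lab key-exchange 'ikev2'
set vpn ipsec ike-group ike-lab lifetime '3600'
set vpn ipsec ike-group ike-lab proposal 1 dh-group '14'
set vpn ipsec ike-group ike-lab proposal 1 encryption 'aes256'
set vpn ipsec ike-group ike-lab proposal 1 hash 'sha256'

# IPsec Phase 2 (ESP) configuration
# PFS runs a fresh DH exchange per child SA; keep its group at least as strong
# as the IKE group.
set vpn ipsec esp-group esp-lab compression 'disable'
set vpn ipsec esp-group esp-lab lifetime '1800'
set vpn ipsec esp-group esp-lab mode 'tunnel'
set vpn ipsec esp-group esp-lab pfs 'dh-group14'
set vpn ipsec esp-group esp-lab proposal 1 encryption 'aes256'
set vpn ipsec esp-group esp-lab proposal 1 hash 'sha256'

# Enable IPsec on eth1 and configure the peer
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer 172.16.254.2 authentication id '172.16.254.1'
set vpn ipsec site-to-site peer 172.16.254.2 authentication mode 'pre-shared-secret'
# LAB-ONLY SECRET: 'VMware1!' is a short, widely known lab password. With PSK
# authentication the secret is the only thing that authenticates the peer, so
# replace it with a long random value (identical on both routers) before using
# this outside an isolated lab, and keep the real value out of published configs.
set vpn ipsec site-to-site peer 172.16.254.2 authentication pre-shared-secret 'VMware1!'
set vpn ipsec site-to-site peer 172.16.254.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 172.16.254.2 default-esp-group 'esp-lab'
set vpn ipsec site-to-site peer 172.16.254.2 ike-group 'ike-lab'
set vpn ipsec site-to-site peer 172.16.254.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 172.16.254.2 local-address '172.16.254.1'
set vpn ipsec site-to-site peer 172.16.254.2 vti bind 'vti0'
set vpn ipsec site-to-site peer 172.16.254.2 vti esp-group 'esp-lab'

# Set the VTI MTU to 1436 to leave room for the ESP overhead.
# NOTE(review): the original text also calls for clamping the VTI's TCP MSS to
# 1394 to avoid PMTU blackholes, but no command here does that. Add it with the
# adjust-mss option that matches your VyOS release.
set interfaces vti vti0 mtu 1436

# ===================== RouterB =====================
set interfaces vti vti0 address '172.16.250.2/24'

# IPsec Phase 1 (IKE) configuration -- must mirror RouterA
set vpn ipsec ike-group ike-lab dead-peer-detection action 'clear'
set vpn ipsec ike-group ike-lab dead-peer-detection interval '30'
set vpn ipsec ike-group ike-lab dead-peer-detection timeout '90'
set vpn ipsec ike-group ike-lab ikev2-reauth 'no'
set vpn ipsec ike-group ike-lab key-exchange 'ikev2'
set vpn ipsec ike-group ike-lab lifetime '3600'
set vpn ipsec ike-group ike-lab proposal 1 dh-group '14'
set vpn ipsec ike-group ike-lab proposal 1 encryption 'aes256'
set vpn ipsec ike-group ike-lab proposal 1 hash 'sha256'

# IPsec Phase 2 (ESP) configuration -- must mirror RouterA
set vpn ipsec esp-group esp-lab compression 'disable'
set vpn ipsec esp-group esp-lab lifetime '1800'
set vpn ipsec esp-group esp-lab mode 'tunnel'
set vpn ipsec esp-group esp-lab pfs 'dh-group14'
set vpn ipsec esp-group esp-lab proposal 1 encryption 'aes256'
set vpn ipsec esp-group esp-lab proposal 1 hash 'sha256'

# Enable IPsec on eth1 and configure the peer
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer 172.16.254.1 authentication id '172.16.254.2'
set vpn ipsec site-to-site peer 172.16.254.1 authentication mode 'pre-shared-secret'
# LAB-ONLY SECRET: same caveat as on RouterA; the value must be identical on
# both routers and should be a long random string outside a lab.
set vpn ipsec site-to-site peer 172.16.254.1 authentication pre-shared-secret 'VMware1!'
set vpn ipsec site-to-site peer 172.16.254.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 172.16.254.1 default-esp-group 'esp-lab'
set vpn ipsec site-to-site peer 172.16.254.1 ike-group 'ike-lab'
set vpn ipsec site-to-site peer 172.16.254.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 172.16.254.1 local-address '172.16.254.2'
set vpn ipsec site-to-site peer 172.16.254.1 vti bind 'vti0'
set vpn ipsec site-to-site peer 172.16.254.1 vti esp-group 'esp-lab'

# Set the VTI MTU to 1436 (same value as RouterA).
# NOTE(review): as on RouterA, the MSS clamp to 1394 mentioned in the original
# text is not configured by any command in this listing.
set interfaces vti vti0 mtu 1436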