Brocade Communications Systems RFS6000 User Manual

Page 243

Brocade Mobility RFS4000, RFS6000 and RFS7000 CLI Reference Guide (53-1001931-01), page 241

5 Global Configuration commands

If the client is VPN enabled, it initiates a connection with the VPN server on our controller. The
"conversation" between the peers consists of device authentication via Internet Key Exchange (IKE),
followed by user authentication using IKE Extended Authentication (Xauth), a push of client-related
configuration (using Mode Configuration), and IPsec security association (SA) creation.

Depending on the controller IPsec configuration (as discussed in the previous sections), the client
establishes an IKE SA. If the controller is configured for Xauth, the client waits for a
"username/password" challenge and then responds to the controller's challenge.

If the controller indicates that authentication is successful, the client requests further configuration
parameters from the controller. At this stage, a private IP address (mode-config) from the private address
pool configured for remote VPN clients is pushed to the client. The IPsec SAs are created and the
connection is complete.

Once the client has obtained a virtual IP address, further packets from the client inside the IPsec tunnel
are routed to the corresponding VLAN interface (in our case vlan3), and the client gets access to the
network. The IPsec tunnel exists only between the client and the controller; beyond that point, packets on
the trusted side are forwarded without encryption.

NOTE

The example below is for an IPsec/L2TP connection from a wireless client. Use the Windows default VPN
client for this configuration.

1. Create and configure a WLAN.

RFController(config)#wireless
RFController(config-wireless)#wlan 2 enable
RFController(config-wireless)#wlan 2 ssid MONARCH2
RFController(config-wireless)#wlan 2 vlan 2

2. Create and configure DHCP.

RFController(config)#ip dhcp pool vlan2
RFController(config-dhcp)#address range 10.1.1.2 10.1.1.254
RFController(config-dhcp)#default-router 10.1.1.1
RFController(config-dhcp)#network 10.1.1.0/24

3. Create and configure a VLAN interface named vlan2.

RFController(config)#interface vlan2
RFController(config-if)#ip address 10.1.1.1/24

4. Create and configure another VLAN interface named vlan3.

RFController(config)#interface vlan3
RFController(config-if)#ip address dhcp

Use the commands below to configure the IPsec VPN on the controller:

1. Create an extended ACL (this is entered from global configuration mode and switches the prompt to the
ACL sub-mode).

RFController(config)#ip access-list extended 101

2. Configure the local subnet and the remote (VPN client pool) subnet as interesting traffic.

RFController(config-ext-nacl)#permit ip 10.1.1.0/24 any
RFController(config-ext-nacl)#permit ip 192.168.0.0/24 any

3. Configure a private address pool from which remote clients receive their mode-config addresses.

RFController(config)#ip local pool lo 192.168.0.2 hi 192.168.0.10

4. Specify DNS/WINS for the remote client.
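The WLAN/DHCP/VLAN steps and the ACL/local-pool steps above only work together if the addresses agree: the DHCP range must lie inside the vlan2 subnet, the mode-config pool must not overlap that subnet, and every pool address must be matched by the extended ACL or the client's traffic is never treated as interesting and never enters the tunnel. The following Python script is an added example, not part of the Brocade guide; it takes the literal values from the CLI steps on this page (constructed into a dictionary here) and reports any inconsistency before a client ever attempts IKE, Xauth and mode-config. The function names and the CONFIG layout are this example's own.

```python
"""Consistency checks for the controller IPsec VPN example (added example, not Brocade's code)."""
import ipaddress

# Values copied from the CLI steps on this page: the vlan2 interface, the DHCP
# pool "vlan2", extended ACL 101 and the local pool for mode-config addresses.
CONFIG = {
    "vlan2_interface": "10.1.1.1/24",
    "dhcp_network": "10.1.1.0/24",
    "dhcp_range": ("10.1.1.2", "10.1.1.254"),
    "dhcp_default_router": "10.1.1.1",
    "acl_101": ["10.1.1.0/24", "192.168.0.0/24"],
    "local_pool": ("192.168.0.2", "192.168.0.10"),
}


def addresses_in_range(first, last):
    """Enumerate the inclusive IPv4 range first..last (hypothetical helper)."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError(f"range {first}-{last} is reversed")
    return [ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)]


def check_config(cfg):
    """Return a list of problems found; an empty list means the pieces agree."""
    problems = []
    iface = ipaddress.ip_interface(cfg["vlan2_interface"])
    dhcp_net = ipaddress.ip_network(cfg["dhcp_network"])
    acl_nets = [ipaddress.ip_network(n) for n in cfg["acl_101"]]

    # The DHCP pool must describe the subnet the vlan2 interface lives on.
    if dhcp_net != iface.network:
        problems.append(f"DHCP network {dhcp_net} != vlan2 subnet {iface.network}")

    # The advertised default router must be the vlan2 interface address.
    if ipaddress.IPv4Address(cfg["dhcp_default_router"]) != iface.ip:
        problems.append("default-router is not the vlan2 interface address")

    # Every leased address must fall inside the DHCP network and must not be
    # the controller's own address.
    dhcp_addrs = addresses_in_range(*cfg["dhcp_range"])
    if any(a not in dhcp_net for a in dhcp_addrs):
        problems.append(f"DHCP range leaves {dhcp_net}")
    if iface.ip in dhcp_addrs:
        problems.append("DHCP range hands out the controller's own address")

    # Mode-config addresses must not collide with the LAN subnet, and each one
    # must be matched by ACL 101, otherwise that client's packets are not
    # interesting traffic and never enter the IPsec tunnel.
    pool = addresses_in_range(*cfg["local_pool"])
    if any(a in iface.network for a in pool):
        problems.append("local pool overlaps the vlan2 subnet")
    uncovered = [str(a) for a in pool if not any(a in n for n in acl_nets)]
    if uncovered:
        problems.append("local pool addresses not matched by ACL 101: " + ", ".join(uncovered))
    return problems


if __name__ == "__main__":
    for line in check_config(CONFIG) or ["configuration is consistent"]:
        print(line)
```

Run the script as-is to confirm the page's values agree; edit one entry in CONFIG (for instance move the local pool into 10.1.1.0/24, or drop the 192.168.0.0/24 permit from the ACL) and it names the step that needs fixing.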
