Use case 2: configuring site-to-site vpn – Brocade Communications Systems RFS6000 User Manual


Brocade Mobility RFS4000, RFS6000 and RFS7000 CLI Reference Guide

53-1001931-01

Global Configuration commands


RFController(config)#crypto isakmp client configuration group default

RFController(config-crypto-group)#dns 10.1.1.1

RFController(config-crypto-group)#wins 10.1.1.1

5. Specify the authentication type.

RFController(config)# aaa vpn-authentication local

RFController(config)# local username harry password brocade123

6. Create a transform set.

RFController(config)#crypto ipsec transform-set windows esp-3des esp-sha-hmac

RFController(config-crypto-ipsec)#mode transport

7. Specify a dynamic crypto map.

RFController(config)#crypto map TestMap 30 ipsec-isakmp dynamic

RFController(config-crypto-map)#set peer 0.0.0.0

RFController(config-crypto-map)#match address 101

RFController(config-crypto-map)#set transformset windows

RFController(config-crypto-map)#set remote-type ipsec-l2tp

8. Apply the crypto map to interface vlan2.

RFController(config)#interface vlan2

RFController(config-if)#crypto map TestMap

9. Upon a successful connection, the XP client will obtain a virtual IP address.
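
An added example, not part of the Brocade manual: a short Python check that scans the commands from steps 5 to 8 for settings worth reviewing before deployment (a DES/3DES transform, `set peer 0.0.0.0`, a password entered in clear text). The rule names, the `audit` function and the reading of `0.0.0.0` as "any peer" are assumptions made for this illustration.

```python
import re

# Constructed sample: the commands from steps 5-8 above, prompts included.
SAMPLE_CONFIG = """\
RFController(config)# aaa vpn-authentication local
RFController(config)# local username harry password brocade123
RFController(config)#crypto ipsec transform-set windows esp-3des esp-sha-hmac
RFController(config-crypto-ipsec)#mode transport
RFController(config)#crypto map TestMap 30 ipsec-isakmp dynamic
RFController(config-crypto-map)#set peer 0.0.0.0
RFController(config-crypto-map)#match address 101
RFController(config-crypto-map)#set remote-type ipsec-l2tp
"""

# Strips a CLI prompt such as "RFController(config-if)#" from a pasted line.
PROMPT = re.compile(r"^\S+\([\w-]+\)#?\s*")

# (finding id, pattern, reason). Illustrative rule set, not a vendor checklist.
RULES = [
    ("legacy-cipher",
     re.compile(r"^crypto ipsec transform-set \S+ .*\besp-(3des|des)\b"),
     "transform set uses DES/3DES, a legacy 64-bit block cipher"),
    ("wildcard-peer",
     re.compile(r"^set peer 0\.0\.0\.0$"),
     "crypto map accepts any peer address (assumed meaning of 0.0.0.0)"),
    ("plaintext-password",
     re.compile(r"^local username \S+ password \S+"),
     "VPN user password is entered in clear text on the CLI"),
]

def audit(config_text):
    """Return a list of (line_no, finding_id, command, reason) tuples."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        command = PROMPT.sub("", raw.strip())
        for finding_id, pattern, reason in RULES:
            if pattern.search(command):
                # Never echo the secret itself into an audit report.
                if finding_id == "plaintext-password":
                    command = re.sub(r"(password )\S+", r"\1<redacted>", command)
                findings.append((line_no, finding_id, command, reason))
    return findings

if __name__ == "__main__":
    for line_no, finding_id, command, reason in audit(SAMPLE_CONFIG):
        print(f"line {line_no}: [{finding_id}] {command} -> {reason}")
```
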

Use Case 2: Configuring Site-to-Site VPN

Intranets that use unregistered addresses are connected over the public Internet by a site-to-site VPN. In this
scenario, NAT is required for connections to the public Internet. However, NAT is not required for
traffic between the two intranets, which can be transmitted through a VPN tunnel over the public
Internet.

The site-to-site VPN allows branch office mobility controllers to connect back to the central office
using a secure, encrypted tunnel, for all site-to-site traffic. This allows a wired LAN in the branch
office to bridge directly to the central site while maintaining full security.

This example requires two controllers. It can be configured with the following commands:
