Enterasys Networks Security Router X-PeditionTM User Manual


Configuring a Simple VPN Site-to-Site Application

XSR User’s Guide 14-33

configuration, permit means protect (encrypt), and deny means do not encrypt (allow the traffic as is).

XSR(config)#access-list 120 permit ip 141.154.196.64 0.0.0.63 63.81.66.0 0.0.0.255
XSR(config)#access-list 130 permit ip 63.81.64.0 0.0.0.255 63.81.66.0 0.0.0.255
XSR(config)#access-list 140 permit ip 63.81.68.0 0.0.0.255 63.81.66.0 0.0.0.255

4. Set up IKE Phase 1 protection by entering the following commands:

XSR(config)#crypto isakmp proposal Test
    Designates ISAKMP proposal Test and enters ISAKMP mode

XSR(config-isakmp)#authentication [pre-share | rsa]
    Selects pre-shared key or certificate (rsa-sig) authentication

XSR(config-isakmp)#encryption [aes | 3des | des]
    Chooses the encryption algorithm

XSR(config-isakmp)#hash [md5 | sha1]
    Selects the hash algorithm used by IKE

XSR(config-isakmp)#group [1 | 2 | 5]
    Chooses the Diffie-Hellman group

XSR(config-isakmp)#lifetime <seconds>
    Sets the IKE lifetime value

5. Configure the IKE policy for the remote peer. Multiple IKE proposals can be configured on each
peer participating in IPSec. When IKE negotiation begins, it tries to find a common proposal
(policy) on both peers, that is, one containing exactly the same encryption, hash,
authentication, and Diffie-Hellman parameters (the lifetime does not necessarily have to match).

XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0
    Configures the IKE peer IP address/subnet and enters ISAKMP peer mode

XSR(config-isakmp-peer)#proposal Test
    Specifies the proposal list(s) used with this peer (e.g., test1 and test2)

XSR(config-isakmp-peer)#exchange mode [main | aggressive]
    Selects IKE main or aggressive mode

XSR(config-isakmp-peer)#nat-traversal [auto | enabled | disabled]
    Selects the NAT traversal setting

6. Create a transform-set which adds the specified encryption/data integrity algorithms, 768-bit
(Group 1) Diffie-Hellman, and your choice of an SA lifetime. You can specify an SA lifetime in
both seconds and kilobytes; whichever value runs out first will cause a rekey.

XSR(config)#crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
    Names the transform-set with its encryption and data integrity values

XSR(cfg-crypto-tran)#set pfs group1
    Sets the PFS group number

XSR(cfg-crypto-tran)#set security-association lifetime [kilobytes | seconds]
    Sets the SA lifetime in either kilobytes or seconds

7. Configure three crypto map Test entries which correlate with the specified transform-sets and
ACLs 140, 130 and 120, attach the map to a remote peer, configure an independent SA for each
traffic stream to a host, and select your choice of IPSec mode. Crypto map match statements
render the associated ACLs bi-directional.

XSR(config)#crypto map Test 40
    Adds crypto map Test, sequence #40

XSR(config-crypto-m)#set transform-set esp-3des-sha
    Correlates the map entry with the specified transform set
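The following is an added example, not code from the XSR User's Guide, that evaluates the three crypto ACLs above the way the crypto map does: a wildcard-mask match on source and destination, first match wins with an implicit deny, and the match treated as bi-directional so return traffic into the protected subnets is also encrypted. The ACL-to-number mapping follows the page; the helper names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Added example: models how crypto map "match" statements apply ACLs 120, 130
# and 140 from the page. Function and class names are assumptions.

@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" = protect (encrypt), "deny" = send as is
    src: str         # source network address
    src_wild: str    # wildcard mask: 0 bits must match, 1 bits are don't-care
    dst: str         # destination network address
    dst_wild: str

def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """True if addr falls inside net under the given wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def acl_decision(acl, src: str, dst: str) -> str:
    """First matching entry wins; every ACL ends in an implicit deny."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
            return e.action
    return "deny"

def crypto_map_protects(acl, src: str, dst: str) -> bool:
    """A crypto map match renders the ACL bi-directional: the flow is protected
    if the ACL permits it as written or with source and destination swapped."""
    return acl_decision(acl, src, dst) == "permit" or acl_decision(acl, dst, src) == "permit"

# The three ACLs exactly as configured in step 3 of the page.
ACLS = {
    120: [AclEntry("permit", "141.154.196.64", "0.0.0.63", "63.81.66.0", "0.0.0.255")],
    130: [AclEntry("permit", "63.81.64.0", "0.0.0.255", "63.81.66.0", "0.0.0.255")],
    140: [AclEntry("permit", "63.81.68.0", "0.0.0.255", "63.81.66.0", "0.0.0.255")],
}

def protecting_acl(src: str, dst: str):
    """Return the number of the first ACL whose crypto map entry protects
    the flow, or None if the packet would leave the router unencrypted."""
    for number in sorted(ACLS):
        if crypto_map_protects(ACLS[number], src, dst):
            return number
    return None

if __name__ == "__main__":
    for flow in [("141.154.196.70", "63.81.66.9"), ("63.81.66.9", "141.154.196.70"),
                 ("141.154.196.130", "63.81.66.9"), ("63.81.68.1", "63.81.66.250")]:
        print(flow, "->", protecting_acl(*flow))
```

Note that 141.154.196.130 falls outside the 0.0.0.63 wildcard range (.64 to .127) and therefore is not protected by any entry, a common source of cleartext leaks when a /26 is mistaken for a /24.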
