Enterasys Networks Security Router X-PeditionTM User Manual


Configuration Examples

14-38 Configuring the Virtual Private Network

XSR(config)#crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
XSR(cfg-crypto-tran)#set security-association lifetime kilobytes 10000

Configure the following four crypto maps to match ACLs 150, 140, 120, and 110:

XSR(config)#crypto map test 50
XSR(config-crypto-m)#set transform-set esp-3des-sha
XSR(config-crypto-m)#match address 150

XSR(config)#crypto map test 40
XSR(config-crypto-m)#set transform-set esp-3des-sha
XSR(config-crypto-m)#match address 140

XSR(config)#crypto map test 20
XSR(config-crypto-m)#set transform-set esp-3des-md5
XSR(config-crypto-m)#match address 120
XSR(config-crypto-m)#mode transport
XSR(config-crypto-m)#set security-association level per-host

XSR(config)#crypto map test 10
XSR(config-crypto-m)#set transform-set esp-3des-sha
XSR(config-crypto-m)#match address 110

Configure and enable the FastEthernet 1 interface:

XSR(config)#interface FastEthernet1
XSR(config-if<F1>)#ip address 10.120.112.0/24
XSR(config-if<F1>)#no shutdown

Configure FastEthernet interface 2 with the attached crypto map test:

XSR(config)#interface FastEthernet2
XSR(config-if<F2>)#crypto map test
XSR(config-if<F2>)#ip address 141.154.196.87 255.255.255.192
XSR(config-if<F2>)#access-group 130 in
XSR(config-if<F2>)#access-group 130 out
XSR(config-if<F2>)#no shutdown

Configure the VPN virtual interface as a terminating tunnel server with IP multicast redirection
back to the tunnel endpoint, disable the firewall on it, and set its OSPF router priority and
NBMA network type:

XSR(config)#interface Vpn1 multi-point
XSR(config-int-vpn)#ip multicast-redirect tunnel-endpoint
XSR(config-int-vpn)#firewall disable
XSR(config-int-vpn)#ip address 10.120.70.1 255.255.255.0
XSR(config-int-vpn)#ip ospf priority 10
XSR(config-int-vpn)#ip ospf network nbma

Add a default route to the next hop Internet gateway:

XSR(config)#ip route 0.0.0.0 0.0.0.0 141.154.196.93

Define an IP pool for distribution of tunnel addresses to all client types:

XSR(config)#ip local pool test 10.120.70.0/24

Create hosts to resolve hostnames for the certificate servers for CRL retrieval:

XSR(config)#ip host parentca 141.154.196.89
XSR(config)#ip host childca2 141.154.196.81
XSR(config)#ip host childca1 141.154.196.83
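The commands above cross-reference each other in ways that are easy to break when the fragment is edited by hand: each crypto map entry names a transform set, the interface names a crypto map, the default route's next hop must sit on a connected subnet, and the address pool is meant to be drawn from the Vpn1 subnet. The following checker is an added example (not Enterasys code, and not something the XSR itself runs): it parses the page's commands, pasted in as a constructed sample without prompts, and reports inconsistencies. The only assumption it makes about the router's behaviour is that entries of one crypto map are evaluated lowest sequence number first, as in Cisco-style crypto maps; `evaluation_order` exposes that order so you can see that ACL 110 is consulted before 120, 140 and 150 even though the page defines them in the opposite order.

```python
"""Consistency checks over the XSR VPN configuration fragment on this page.

Added example; not part of the Enterasys manual and not an XSR feature.
"""
import ipaddress

# Constructed sample: the CLI lines from this page, prompts removed.
XSR_FRAGMENT = """
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
 set security-association lifetime kilobytes 10000
crypto map test 50
 set transform-set esp-3des-sha
 match address 150
crypto map test 40
 set transform-set esp-3des-sha
 match address 140
crypto map test 20
 set transform-set esp-3des-md5
 match address 120
 mode transport
 set security-association level per-host
crypto map test 10
 set transform-set esp-3des-sha
 match address 110
interface FastEthernet1
 ip address 10.120.112.0/24
 no shutdown
interface FastEthernet2
 crypto map test
 ip address 141.154.196.87 255.255.255.192
 access-group 130 in
 access-group 130 out
 no shutdown
interface Vpn1 multi-point
 ip multicast-redirect tunnel-endpoint
 firewall disable
 ip address 10.120.70.1 255.255.255.0
 ip ospf priority 10
 ip ospf network nbma
ip route 0.0.0.0 0.0.0.0 141.154.196.93
ip local pool test 10.120.70.0/24
ip host parentca 141.154.196.89
ip host childca2 141.154.196.81
ip host childca1 141.154.196.83
"""


def parse_fragment(text):
    """Parse the subset of XSR CLI used on this page into plain dicts."""
    cfg = {"transform_sets": set(), "crypto_maps": {}, "interfaces": {},
           "routes": [], "pools": {}, "hosts": {}}
    ctx = None  # the crypto-map entry or interface currently being configured
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"].add(w[3])
            ctx = None
        elif w[:2] == ["crypto", "map"] and len(w) >= 4:   # global: crypto map NAME SEQ
            ctx = cfg["crypto_maps"].setdefault(w[2], {}).setdefault(int(w[3]), {})
        elif w[0] == "interface":
            ctx = cfg["interfaces"].setdefault(w[1], {})
        elif w[:2] == ["ip", "route"]:
            cfg["routes"].append((ipaddress.ip_network(f"{w[2]}/{w[3]}"),
                                  ipaddress.ip_address(w[4])))
            ctx = None
        elif w[:3] == ["ip", "local", "pool"]:
            cfg["pools"][w[3]] = ipaddress.ip_network(w[4])
            ctx = None
        elif w[:2] == ["ip", "host"]:
            cfg["hosts"][w[2]] = ipaddress.ip_address(w[3])
            ctx = None
        elif ctx is not None:
            if w[:2] == ["set", "transform-set"]:
                ctx["transform_set"] = w[2]
            elif w[:2] == ["match", "address"]:
                ctx["acl"] = w[2]
            elif w[:2] == ["ip", "address"]:       # "A.B.C.D/n" or "A.B.C.D MASK"
                ctx["address"] = ipaddress.ip_interface(
                    w[2] if len(w) == 3 else f"{w[2]}/{w[3]}")
            elif w[:2] == ["crypto", "map"]:       # interface: crypto map NAME
                ctx["crypto_map"] = w[2]
            # mode, lifetime, ospf, access-group, shutdown: not checked here
    return cfg


def evaluation_order(cfg, name):
    """(seq, acl) pairs of one crypto map, lowest sequence number first.
    Assumption: the XSR evaluates entries in that order, like Cisco-style crypto maps."""
    return [(seq, e.get("acl")) for seq, e in sorted(cfg["crypto_maps"][name].items())]


def check(cfg):
    """Return a list of findings; an empty list means the fragment is self-consistent."""
    findings = []
    for name, entries in cfg["crypto_maps"].items():
        for seq, e in sorted(entries.items()):
            ts = e.get("transform_set")
            if ts and ts not in cfg["transform_sets"]:
                findings.append(f"crypto map {name} {seq}: transform-set {ts} "
                                f"is not defined in this fragment")
            if "acl" not in e:
                findings.append(f"crypto map {name} {seq}: no match address")
    connected = []
    for ifname, i in cfg["interfaces"].items():
        cm = i.get("crypto_map")
        if cm and cm not in cfg["crypto_maps"]:
            findings.append(f"{ifname}: crypto map {cm} is not defined")
        addr = i.get("address")
        if addr is None:
            continue
        connected.append(addr.network)
        if addr.network.prefixlen < 31 and addr.ip == addr.network.network_address:
            findings.append(f"{ifname}: {addr} is the subnet's network address, "
                            f"not a host address")
    for dest, nh in cfg["routes"]:                 # static next hop must be on-link
        if not any(nh in n for n in connected):
            findings.append(f"ip route {dest} via {nh}: next hop is not on a connected subnet")
    vpn_nets = [i["address"].network for n, i in cfg["interfaces"].items()
                if n.startswith("Vpn") and i.get("address")]
    for pname, pool in cfg["pools"].items():       # pool should come from the Vpn subnet
        if not any(pool.subnet_of(v) for v in vpn_nets):
            findings.append(f"ip local pool {pname} {pool}: not within any Vpn interface subnet")
    return findings


if __name__ == "__main__":
    parsed = parse_fragment(XSR_FRAGMENT)
    print("evaluation order of crypto map test:", evaluation_order(parsed, "test"))
    for line in check(parsed):
        print("finding:", line)
```

Run against the page's own fragment, the checker reports two things: `crypto map test 20` references `esp-3des-md5`, which is not defined on this page (it is presumably defined earlier in the example, so this is a reminder that the fragment is not complete on its own), and `FastEthernet1` is configured with `10.120.112.0/24`, which is the network address rather than a host address. The default route's next hop 141.154.196.93 is confirmed to lie in FastEthernet2's 141.154.196.64/26, and pool `test` is confirmed to sit inside the Vpn1 subnet. Note also that the transform sets use 3DES, a 64-bit block cipher; the `security-association lifetime kilobytes` limit is what bounds how much data one SA protects before rekey, so keep it when reusing this example.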
