Enterasys Networks Security Router X-PeditionTM User Manual

Page 370


Interoperability Profile for the XSR

14-48 Configuring the Virtual Private Network

XSR(config-isakmp-peer)#config-mode gateway
XSR(config-isakmp-peer)#exchange-mode main

7. Configure IKE Phase 2 settings by creating the transform-set Secure:

XSR(config)#crypto ipsec transform-set Secure esp-3des esp-sha1-hmac
XSR(cfg-crypto-tran)#set pfs group2
XSR(cfg-crypto-tran)#set security-association lifetime seconds 3600

8. Configure the crypto map Highflow which correlates with transform-set Secure and access list
101, and attach the map to the remote peer.

XSR(config)#crypto map Highflow 1
XSR(config-crypto-m)#set transform-set Secure
XSR(config-crypto-m)#match address 101
XSR(config-crypto-m)#set peer 22.23.24.25

9. Attach the crypto map Highflow to the Gateway A external interface (AW):

XSR(config)#interface FastEthernet2
XSR(config-if<F2>)#crypto map Highflow
XSR(config-if<F2>)#no shutdown

10. Configure the pre-shared key. The username is the IP address of the peer and the password is
the pre-shared key.

XSR(config)#aaa user 22.23.24.25
XSR(aaa-user)#password hr5xb84l6aa9r6

11. Test the connection by pinging a PC on the 172.23.9.0 network from the 10.5.6.0 network.
Alternatively, pinging the PC from Gateway A, if successful, will produce the output shown
below. Be aware that for a ping to traverse the tunnel, you must configure an ACL with the
host source and host destination IP addresses.

XSR#ping 172.23.9.5 10.5.6.1
Type escape sequence to abort
Reply from 172.23.9.5: 20ms
Reply from 172.23.9.5: 10ms
Reply from 172.23.9.5: 10ms
Reply from 172.23.9.5: 10ms
Reply from 172.23.9.5: 10ms
Packets: Sent = 5, Received = 5, Lost = 0

You can also issue the following show commands to examine Phase 1 and Phase 2 settings,
respectively. When the tunnel is up, the commands will display the following output:

XSR#show crypto isakmp sa
Connection-ID State    Source       Destination  Lifetime
------------- -------- -----------  -----------  --------
4561          QM_IDLE  14.15.16.17  22.23.24.25  28000

XSR#show crypto ipsec sa
10.5.6.0/24, ANY, 0 ==> 172.23.9.0/24, ANY, 0 : 92 packets
ESP: SPI=190d1f5f, Transform=3DES/HMAC-SHA, Life=3600S/0KB

172.23.9.0/24, ANY, 0 ==> 10.5.6.0/24, ANY, 0 : 98 packets
ESP: SPI=340d455a, Transform=3DES/HMAC-SHA, Life=3600S/0KB
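
The check in step 11, as an added example that is not part of the Enterasys manual: a Python script that parses captured output of the two show commands and reports whether Phase 1 is in QM_IDLE with the peer and Phase 2 has an SA in each direction with the configured transform and lifetime. The name check_tunnel and the regular expressions are assumptions derived from the sample output on this page, and the Life field is assumed to be in seconds.

```python
import re

# Values taken from the sample "show" output on this page (tunnel up).
ISAKMP_OUT = """\
Connection-ID State    Source       Destination  Lifetime
------------- -------- -----------  -----------  --------
4561          QM_IDLE  14.15.16.17  22.23.24.25  28000
"""
IPSEC_OUT = """\
10.5.6.0/24, ANY, 0 ==> 172.23.9.0/24, ANY, 0 : 92 packets
ESP: SPI=190d1f5f, Transform=3DES/HMAC-SHA, Life=3600S/0KB
172.23.9.0/24, ANY, 0 ==> 10.5.6.0/24, ANY, 0 : 98 packets
ESP: SPI=340d455a, Transform=3DES/HMAC-SHA, Life=3600S/0KB
"""

IP = r"\d+\.\d+\.\d+\.\d+"
ISAKMP_RE = re.compile(rf"(\d+)\s+([A-Z_]+)\s+({IP})\s+({IP})\s+(\d+)")
IPSEC_RE = re.compile(
    r"([\d./]+), \S+, \d+ ==> ([\d./]+), \S+, \d+ : (\d+) packets\s+"
    r"ESP: SPI=([0-9a-fA-F]+), Transform=(\S+), Life=(\d+)S/(\d+)KB")

def check_tunnel(isakmp, ipsec, peer, local_net, remote_net,
                 transform="3DES/HMAC-SHA", max_life=3600):
    """Return a list of problems; an empty list means the tunnel looks healthy."""
    problems = []
    # Phase 1: at least one SA involving the peer, in state QM_IDLE.
    p1 = [m.groups() for m in ISAKMP_RE.finditer(isakmp) if peer in m.group(3, 4)]
    if not p1:
        problems.append(f"no ISAKMP SA with peer {peer}")
    elif not any(state == "QM_IDLE" for _, state, *_ in p1):
        problems.append(f"ISAKMP SA with {peer} not in QM_IDLE")
    # Phase 2: one SA per direction, with the configured transform and lifetime.
    sas = {(m[1], m[2]): m for m in IPSEC_RE.finditer(ipsec)}
    for src, dst in ((local_net, remote_net), (remote_net, local_net)):
        sa = sas.get((src, dst))
        if sa is None:
            problems.append(f"no IPsec SA {src} ==> {dst}")
            continue
        if sa[5] != transform:
            problems.append(f"{src} ==> {dst}: transform {sa[5]}, expected {transform}")
        if int(sa[6]) > max_life:
            problems.append(f"{src} ==> {dst}: lifetime {sa[6]}s exceeds {max_life}s")
    return problems

if __name__ == "__main__":
    print(check_tunnel(ISAKMP_OUT, IPSEC_OUT, "22.23.24.25",
                       "10.5.6.0/24", "172.23.9.0/24") or "tunnel OK")
```

A missing reverse-direction SA or a transform other than the one set in transform-set Secure shows up as an entry in the returned list.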
