Enterasys Networks XSR-3150 User Manual


VPN Site-to-Site Sample Configuration

3-28 Software Configuration

XSR(config)#access-list 101 permit udp ah any any
XSR(config)#access-list 101 deny ip any any
XSR(config)#access-list 190 permit ip any 112.16.72.0 0.0.0.255
XSR(config)#access-list 191 permit ip any 112.16.76.0 0.0.0.255
XSR(config)#access-list 192 permit ip any 112.16.80.0 0.0.0.255

Set Up IKE Phase I Security

The following proposal sets pre-shared authentication and MD5 hashing:

XSR(config)#crypto isakmp proposal acme
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#hash md5

Configure IKE Policy for Remote Peer

The following peer entry specifies the XSR's remote peer IP address as any peer matching its IKE policy (0.0.0.0 0.0.0.0), sets NAT traversal to automatic so that the XSR detects routers performing NAT between the tunnel endpoints, and directs the XSR to switch on UDP encapsulation when NAT is found.

It also designates the peer as a gateway, which will initiate configuration mode during IKE negotiation:

XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0
XSR(config-isakmp-peer)#proposal acme
XSR(config-isakmp-peer)#config-mode gateway
XSR(config-isakmp-peer)#nat-traversal automatic

Create a Transform Set

The following transform-set specifies the encryption and data-integrity choices named in the command (ESP with 3DES encryption and SHA HMAC), 768-bit Diffie-Hellman (PFS group 1), and an SA lifetime expressed in kilobytes; the SA lifetime in seconds is disabled. Some commands are abbreviated.

XSR(config)#crypto ipsec tra esp-3des-sha esp-3des esp-sha-hmac
XSR(cfg-crypto-tran)#set pfs group1
XSR(cfg-crypto-tran)#set sec lifetime kilobytes 100000
XSR(cfg-crypto-tran)#no set sec lifetime seconds

Configure Crypto Maps

The following IKE policy crypto maps are each linked to the transform-set created above, with matching ACLs, and are set by default to the more stringent tunnel mode. Maps 91 and 92 match the remote XSRs and map 90 correlates with the ANG. Crypto map statements make the associated ACLs bi-directional.

XSR(config)#crypto map acme 92
XSR(config-crypto-m)#set transform-set esp-3des-sha
XSR(config-crypto-m)#match address 192
XSR(config-crypto-m)#set peer 112.16.244.5
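As an added example (not from the Enterasys manual), the following Python script parses the CLI lines shown above, strips the XSR prompts, and flags the settings a reviewer would want to revisit today: MD5 as the IKE hash, 3DES, 768-bit Diffie-Hellman (group1), the any-peer wildcard combined with pre-shared keys, and the disabled time-based SA lifetime. The finding codes and the audit() function are this example's own, not XSR features.

```python
import re

# Constructed sample: the commands shown on this page, prompts included.
SAMPLE_CONFIG = """\
XSR(config)#crypto isakmp proposal acme
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#hash md5
XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0
XSR(config-isakmp-peer)#proposal acme
XSR(config-isakmp-peer)#config-mode gateway
XSR(config-isakmp-peer)#nat-traversal automatic
XSR(config)#crypto ipsec tra esp-3des-sha esp-3des esp-sha-hmac
XSR(cfg-crypto-tran)#set pfs group1
XSR(cfg-crypto-tran)#set sec lifetime kilobytes 100000
XSR(cfg-crypto-tran)#no set sec lifetime seconds
XSR(config)#crypto map acme 92
XSR(config-crypto-m)#set transform-set esp-3des-sha
XSR(config-crypto-m)#match address 192
XSR(config-crypto-m)#set peer 112.16.244.5
"""

PROMPT = re.compile(r"^XSR\([^)]*\)#")


def commands(text):
    """Yield CLI commands with the leading 'XSR(...)#' prompt removed."""
    for line in text.splitlines():
        cmd = PROMPT.sub("", line).strip()
        if cmd:
            yield cmd


def audit(text):
    """Return (code, command) findings for weak or risky settings.

    Abbreviated keywords (tra, sec) are matched by prefix so the page's
    shortened commands are recognised as well as the long forms.
    """
    findings = []
    for cmd in commands(text):
        if re.match(r"hash\s+md5$", cmd):
            findings.append(("IKE_WEAK_HASH", cmd))          # MD5 in IKE phase 1
        elif re.match(r"crypto isakmp peer\s+0\.0\.0\.0\s+0\.0\.0\.0$", cmd):
            findings.append(("IKE_ANY_PEER", cmd))           # wildcard peer + pre-shared key
        elif re.match(r"crypto ipsec tra\S*\s", cmd) and "3des" in cmd:
            findings.append(("IPSEC_WEAK_CIPHER", cmd))      # 3DES transform
        elif re.match(r"set pfs group1$", cmd):
            findings.append(("PFS_WEAK_DH_GROUP", cmd))      # 768-bit DH
        elif re.match(r"no set sec\S* lifetime seconds$", cmd):
            findings.append(("SA_NO_TIME_LIMIT", cmd))       # only kilobyte-based rekey
    return findings


if __name__ == "__main__":
    for code, cmd in audit(SAMPLE_CONFIG):
        print(f"{code:<20} {cmd}")
```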
