Enterasys Networks XSR-3020 User Manual

Page 71

Advertising
background image

VPN Site-to-Site Sample Configuration

XSR Getting Started Guide 3-27

Generate Master Encryption Key

If you have not already generated a master encryption key, you must do so now to configure the
VPN. A master key need only be generated once.

Generate the master key:

XSR(config)#crypto key master generate

New key is 2173 4521 3764 2ff5
163b 4bdf fe92 dbc1
1232 ffe0 f8d9 3649

Configure Access Control Lists

ACL 101 configured below is strongly restrictive in denying all but IKE traffic (well-known ACL #
500) through the router. ACLs 190, 191, and 192 are crypto map filters configured to accept any
IPSec-encrypted traffic over site-to-site tunnels and pass that traffic to the three specified networks
only.

XSR(config)#access-list 101 permit udp any any eq 500
XSR(config)#access-list 101 permit udp esp any any
XSR(config)#access-list 101 permit udp ah any any
XSR(config)#access-list 101 deny ip any any
XSR(config)#access-list 190 permit ip any 112.16.72.0 0.0.0.255
XSR(config)#access-list 191 permit ip any 112.16.76.0 0.0.0.255
XSR(config)#access-list 192 permit ip any 112.16.80.0 0.0.0.255

Set Up IKE Phase I Security

The following proposal sets pre-shared authentication and MD5 hashing:

XSR(config)#crypto isakmp proposal acme
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#hash md5

Configure IKE Policy for Remote Peer

The following proposal specifies the XSR’s remote peer IP address as any peer matching its IKE
policy, sets NAT to automatically detect routers performing NAT between tunnel endpoints and
directs the XSR to switch on UDP encapsulation when found.

It also designates the peer as a gateway which will initiate the configuration mode in terms of IKE
negotiation:

XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0
XSR(config-isakmp-peer)#proposal acme
XSR(config-isakmp-peer)#config-mode gateway
XSR(config-isakmp-peer)#nat-traversal automatic

Caution: The master encryption key is stored in hardware, not Flash, and you cannot read the
key - only overwrite the old key by writing a new one. To ensure router security, it is critical not to
compromise the key. There are situations where you may want to keep the key, for example, to
save the user database off-line in order to later download it to the XSR. In order to encrypt the
user database, you need the same master key, indicating the key designation with the master key
specify command. Be aware that if the XSR is inoperable you may have to return to factory
defaults, which erases the master key forcing you to generate a new one.

Advertising
Popular Brands
Popular manuals