Enterasys Networks XSR-3020 User Manual

Page 72


VPN Site-to-Site Sample Configuration

3-28 Software Configuration

Create a Transform Set

The following transform set specifies the encryption and data-integrity algorithms (ESP with 3DES
encryption and SHA-HMAC integrity), 768-bit Diffie-Hellman for perfect forward secrecy (PFS group 1),
and an SA lifetime expressed in kilobytes; the SA lifetime in seconds is disabled. Some commands are
abbreviated.

XSR(config)#crypto ipsec tra esp-3des-sha esp-3des esp-sha-hmac
XSR(cfg-crypto-tran)#set pfs group1
XSR(cfg-crypto-tran)#set sec lifetime kilobytes 100000
XSR(cfg-crypto-tran)#no set sec lifetime seconds

Configure Crypto Maps

The following IKE policy crypto maps are each linked to the transform set added above, reference
their matching ACLs, and default to the more stringent tunnel mode. Maps 91 and 92 match the two
remote XSRs, and map 90 corresponds to the ANG. The crypto map statements make the associated ACLs
bi-directional.

XSR(config)#crypto map acme 92
XSR(config-crypto-m)#set transform-set esp-3des-sha
XSR(config-crypto-m)#match address 192
XSR(config-crypto-m)#set peer 112.16.244.5

XSR(config)#crypto map acme 91
XSR(config-crypto-m)#set transform-set esp-3des-sha
XSR(config-crypto-m)#match address 191
XSR(config-crypto-m)#set peer 112.16.244.7

XSR(config)#crypto map acme 90
XSR(config-crypto-m)#set transform-set esp-3des-sha
XSR(config-crypto-m)#match address 190
XSR(config-crypto-m)#set peer 112.16.244.9

Configuring VPN at Interface Mode and Setting Up RIP

The following commands configure the LAN physical ports: GigabitEthernet port 1 is described as
Internal LAN, with the specified IP address and subnet mask as its network. GigabitEthernet port 2
is described as VPN Cloud, is assigned crypto map acme together with its associated ACLs, and is
directed not to transmit or receive RIP updates. RIP routing, four IP routes, and a VPN interface
for AAA service are also configured.

XSR(config)#interface gigabitethernet 1
XSR(config-if<G1>)#description "Internal LAN"
XSR(config-if<G1>)#no shutdown
XSR(config-if<G1>)#ip address 112.16.1.221 255.255.255.0

XSR(config)#interface gigabitethernet 2
XSR(config-if<G2>)#crypto map acme
XSR(config-if<G2>)#description "VPN Cloud"
XSR(config-if<G2>)#no shutdown
XSR(config-if<G2>)#ip access-group 101 in
XSR(config-if<G2>)#ip access-group 101 out
XSR(config-if<G2>)#ip address 112.16.244.10 255.255.255.0
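Added example (not part of the manual, and not XSR software): a short Python audit script that parses CLI lines in the prompt-and-command form used in the Create a Transform Set, Configure Crypto Maps and interface sections above, and reports what a reviewer of this configuration would check: transform algorithms and PFS groups that current IPsec guidance rates as weak (the 3DES and group1 choices on this page among them), a kilobyte-only SA lifetime with the seconds lifetime disabled, map entries whose transform set is undefined or that lack a peer or ACL, and interfaces bound to a crypto map that has no entries. The prompt grammar (XSR(config)#, cfg-crypto-tran, config-crypto-m, config-if) is taken from this page; the sample configuration embedded in the script is constructed from those commands, and the weak-algorithm tables are the script's own assumptions.

```python
"""Added example, not part of the XSR manual: audit transform-set, crypto-map and
interface-binding commands for weak or inconsistent settings. The prompt/command
grammar is inferred from this page; the sample config is constructed."""
import re
from dataclasses import dataclass

PROMPT = re.compile(r"^XSR\(([^)]*)\)#\s*(\S.*)$")

# Choices that RFC 8221 / RFC 8247 rate SHOULD NOT or MUST NOT (assumed tables);
# esp-3des and group1 (768-bit DH) are the ones this page uses.
WEAK_TRANSFORMS = {"esp-des": "single DES", "esp-3des": "3DES (64-bit block)", "esp-md5-hmac": "HMAC-MD5"}
WEAK_PFS = {"group1": "768-bit MODP", "group2": "1024-bit MODP"}

# Constructed sample mirroring the commands on this page (one map entry only).
SAMPLE_CONFIG = """\
XSR(config)#crypto ipsec tra esp-3des-sha esp-3des esp-sha-hmac
XSR(cfg-crypto-tran)#set pfs group1
XSR(cfg-crypto-tran)#set sec lifetime kilobytes 100000
XSR(cfg-crypto-tran)#no set sec lifetime seconds
XSR(config)#crypto map acme 92
XSR(config-crypto-m)#set transform-set esp-3des-sha
XSR(config-crypto-m)#match address 192
XSR(config-crypto-m)#set peer 112.16.244.5
XSR(config)#interface gigabitethernet 2
XSR(config-if<G2>)#crypto map acme
XSR(config-if<G2>)#ip address 112.16.244.10 255.255.255.0
"""

@dataclass
class TransformSet:
    name: str
    transforms: list
    pfs: str = None
    lifetime_kb: int = None
    seconds_disabled: bool = False

@dataclass
class MapEntry:
    name: str
    seq: int
    transform_set: str = None
    acl: str = None
    peer: str = None

def parse_config(text):
    """Return (transform sets by name, map entries, interface -> crypto map name)."""
    sets, maps, bindings, cur = {}, [], {}, None
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue  # not a prompted CLI line
        mode, tok = m.group(1), m.group(2).split()
        if mode == "config":  # top-level commands open a new context
            if tok[:2] == ["crypto", "ipsec"] and len(tok) > 4 and tok[2].startswith("tra"):
                cur = TransformSet(tok[3], tok[4:])
                sets[cur.name] = cur
            elif tok[:2] == ["crypto", "map"]:
                cur = MapEntry(tok[2], int(tok[3]))
                maps.append(cur)
            elif tok[0] == "interface":
                cur = " ".join(tok[1:])
        elif mode == "cfg-crypto-tran" and isinstance(cur, TransformSet):
            if tok[:2] == ["set", "pfs"]:
                cur.pfs = tok[2]
            elif tok[0] == "set" and "kilobytes" in tok:
                cur.lifetime_kb = int(tok[-1])
            elif tok[:2] == ["no", "set"] and tok[-1] == "seconds":
                cur.seconds_disabled = True
        elif mode == "config-crypto-m" and isinstance(cur, MapEntry):
            if tok[:2] == ["set", "transform-set"]:
                cur.transform_set = tok[2]
            elif tok[:2] == ["match", "address"]:
                cur.acl = tok[2]
            elif tok[:2] == ["set", "peer"]:
                cur.peer = tok[2]
        elif mode.startswith("config-if") and tok[:2] == ["crypto", "map"]:
            bindings[cur] = tok[2]
    return sets, maps, bindings

def audit_config(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    sets, maps, bindings = parse_config(text)
    out = []
    for ts in sets.values():
        out += [f"transform-set {ts.name}: {t} uses {WEAK_TRANSFORMS[t]}"
                for t in ts.transforms if t in WEAK_TRANSFORMS]
        if ts.pfs in WEAK_PFS:
            out.append(f"transform-set {ts.name}: PFS {ts.pfs} is {WEAK_PFS[ts.pfs]}")
        if ts.seconds_disabled:  # a quiet SA then keeps its keys until the byte budget is spent
            out.append(f"transform-set {ts.name}: no time-based SA lifetime, rekey only after {ts.lifetime_kb} KB")
    for e in maps:
        tag = f"crypto map {e.name} {e.seq}"
        if e.transform_set not in sets:
            out.append(f"{tag}: references undefined transform-set {e.transform_set}")
        if e.acl is None:
            out.append(f"{tag}: no match address ACL")
        if e.peer is None:
            out.append(f"{tag}: no peer set")
    for intf, name in bindings.items():
        if name not in {e.name for e in maps}:
            out.append(f"interface {intf}: crypto map {name} has no entries")
    return out

if __name__ == "__main__":
    print("\n".join(audit_config(SAMPLE_CONFIG)))
```

Run against the sample, the script produces three findings, all from the transform set: the 3DES transform, the 768-bit PFS group, and the kilobyte-only lifetime; the map entry and the interface binding are consistent. The lifetime check is worth keeping even where the algorithms are modern: with the seconds lifetime disabled, an idle tunnel never rekeys on time, only after the byte budget is consumed.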
