Enterasys Networks XSR-3020 User Manual

Page 74

Advertising
background image

VPN Sample Configuration with Network Extension Mode

3-30 Software Configuration

Figure 3-6 VPN Topology with NEM, EZ-IPSec and Internet Access

If you have not already generated a master encryption key, you must do so now to configure the
VPN. A master key need only be generated once.

Generate the master key. Refer to the following sample key:

XSR(config)#crypto key master generate

New key is 2173 4521 3764 2ff5
163b 4bdf fe92 dbc1
1232 ffe0 f8d9 3649

Apply the following ACLs to the public interface of the XSR before creating the VPN
configuration. These ACLs are applied only to an XSR configured to terminate Network Extension
Mode (NEM) tunnels initiated from ANG-1100s. These ACLs allow all outbound IP traffic and
established inbound TCP traffic and employ well-known protocol numbers for IKE UDP (500) and
ICMP to and from the public interface (if preferred).

XSR(config)#access-list 1 deny 26.26.26.0 0.0.0.255
XSR(config)#access-list 1 permit any
XSR(config)#access-list 110 permit udp any any eq 500
XSR(config)#access-list 110 permit icmp any host 26.26.26.10
XSR(config)#access-list 110 deny ip any any

XSR(config)#access-list 111 permit udp any any eq 500
XSR(config)#access-list 111 permit icmp host 26.26.26.10 any
XSR(config)#access-list 111 deny ip any any

XSR(config)#interface gigabitethernet 2
XSR(config-if<G2>)#ip access-group 110 in
XSR(config-if<G2>)#ip access-group 111 out

Enable Network Address Translation:

XSR(config-if<G2>)#ip nat source assigned overload

Create the VPN virtual subnet:

XSR(config)#ip local pool virtual_subnet 10.10.10.0 255.255.255.248

Caution: The master encryption key is stored in hardware, not Flash, and you cannot read the
key - only overwrite the old key by writing a new one. To ensure router security, it is critical not to
compromise the key. There are situations where you may want to keep the key, for example, to
save the user database off-line in order to later download it to the XSR. In order to encrypt the
user database, you need the same master key, indicating the key designation with the master key
specify command. Be aware that if the XSR is inoperable you may have to return to factory
defaults, which erases the master key forcing you to generate a new one.

26.26.26.0/24

172.16.10.0

GigabitEthernet 1: 172.16.10/24

Gigabitethernet 2: 26.26.26.10/24

Virtual IP Pool: 172.16.10.0/24

eth0: 10.12.12.1/24

eth1: 26.26.26.12/24

eth0: 10.11.11.1/24

eth1: 26.26.26.11/24

XSR 3020

XSR 3020

XSR 3020

Advertising
Popular Brands
Popular manuals