Enterasys Networks Security Router X-Pedition™ User Manual, page 354

14-32 Configuring the Virtual Private Network

VPN Interface Sub-Commands

The following sub-commands are available at VPN Interface mode:

ip firewall                 Set of commands to configure the firewall
ip address-negotiated       Sets the VPN interface’s IP address to be negotiated
ip address                  Specifies an IP address on the VPN interface
ip multicast-redirect       Redirects multicast to a unicast address
ip nat                      Specifies NAT rules on the VPN interface
ip rip                      Configures RIP routing on the VPN port
ip unnumbered               Enables IP processing on a serial port without assigning it an explicit IP address
ip split-horizon            Enables the split horizon mechanism
ip ospf                     Set of commands to configure OSPF routing
tunnel                      Command and sub-commands that configure a site-to-site VPN tunnel on a point-to-point interface
set heartbeat               Enables and configures tunnel connectivity monitoring
set protocol (ipsec or gre) Selects a tunnel protocol
set active                  Brings the tunnel up
set user                    Designates the user name used when initiating a tunnel and obtains credentials from the AAA subsystem
set peer                    Sets the IP address of the peer

Configuring a Simple VPN Site-to-Site Application

The following main steps describe how to configure a simple Site-to-Site VPN between two XSRs, as illustrated in Figure 14-11:

Encrypt Branch-site traffic on the 63.81.66.0/24 network to the Central site networks (63.81.64.0/24, 63.81.68.0/24, 141.154.196.64/28)

Set up IPSec/IKE policy with pre-shared keys

Configure cryptographic algorithms (transform-sets) and IPSec mode

Configure the VPN interface and crypto maps

Figure 14-11 Site-to-Site Example

1. Generate a master encryption key as described in “Master Encryption Key Generation” on page 14-20. This need only be done once on the router.

2. Begin Central Site configuration of all necessary physical and system requirements, including physical IP addresses, routing (default route and RIP or OSPF), and standard ACLs. This example offers numerous options.

3. Configure Access Lists 120, 130, and 140 to define the particular traffic to be protected by the tunnel. The ACLs allow a range of IP addresses on the VPN. In the context of VPN

[Figure 14-11 Site-to-Site Example: Central Site XSR and Branch Office XSR connected across the Internet via their FastEthernet 2 interfaces (1.1.1.1 and 1.1.1.2); Central Site FastEthernet 1 141.154.196.78 with networks 63.81.64.0/24 and 63.81.68.0/24; Branch Office FastEthernet 1 63.81.66.1 with network 63.81.66.0/24]
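The crypto ACLs of step 3 decide which flows enter the tunnel and which leave the router in the clear. The following is an added example, not code from the Enterasys manual: it models one selector per Central network for ACLs 120, 130 and 140 (that one-network-per-ACL split is an assumption), classifies constructed sample flows against them, and checks the general IPsec rule that the Branch Office selectors must be the mirror image of the Central Site selectors.

```python
# Added example (not from the Enterasys manual). Prefixes and ACL numbers come from
# the page; the one-network-per-ACL mapping and the sample flows are constructed.
from ipaddress import ip_address, ip_network

BRANCH_NET = ip_network("63.81.66.0/24")
CENTRAL_NETS = {
    120: ip_network("63.81.64.0/24"),
    130: ip_network("63.81.68.0/24"),
    140: ip_network("141.154.196.64/28"),
}
# Central Site view: each ACL protects traffic from one Central network to the Branch.
CENTRAL_ACLS = {n: (net, BRANCH_NET) for n, net in CENTRAL_NETS.items()}
# Branch Office view: the same selectors with source and destination swapped.
BRANCH_ACLS = {n: (BRANCH_NET, net) for n, net in CENTRAL_NETS.items()}

def match_acl(acls, src, dst):
    """Return the number of the first ACL whose (src, dst) selector covers the flow,
    or None. A match means the flow is sent through the IPsec tunnel; any other
    flow is forwarded unencrypted, which is the usual source of 'silent' leaks."""
    s, d = ip_address(src), ip_address(dst)
    for number, (src_net, dst_net) in sorted(acls.items()):
        if s in src_net and d in dst_net:
            return number
    return None

def is_mirror_image(site_a, site_b):
    """IPsec selectors must mirror at both ends: every (src, dst) on one router
    must appear as (dst, src) on its peer, otherwise negotiation or traffic fails."""
    return {n: (d, s) for n, (s, d) in site_a.items()} == site_b

# Constructed sample flows: (source, destination, router that sees the packet)
SAMPLE_FLOWS = [
    ("63.81.66.10", "63.81.64.5", "branch"),       # Branch host -> Central LAN, ACL 120
    ("63.81.66.10", "141.154.196.70", "branch"),   # Branch host -> Central /28, ACL 140
    ("63.81.68.20", "63.81.66.33", "central"),     # Central host -> Branch, ACL 130
    ("63.81.66.10", "198.51.100.7", "branch"),     # Branch host -> Internet, unprotected
]

def classify_flows(flows=SAMPLE_FLOWS):
    """Map each sample flow to the ACL it matches on the router that sees it."""
    result = {}
    for src, dst, site in flows:
        acls = BRANCH_ACLS if site == "branch" else CENTRAL_ACLS
        result[(src, dst)] = match_acl(acls, src, dst)
    return result

if __name__ == "__main__":
    print("selectors mirror:", is_mirror_image(CENTRAL_ACLS, BRANCH_ACLS))
    for flow, acl in classify_flows().items():
        print(flow, "->", f"ACL {acl}" if acl else "unprotected")
```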