Enterasys Networks XSR-3150 VPN Site-to-Site Sample Configuration, Generate Master Encryption Key

Page 71

VPN Site-to-Site Sample Configuration

VPN Site-to-Site Sample Configuration

The following VPN topology, shown in Figure 3-5, configures a central site XSR to connect over IPSec tunnels with a remote ANG-1105 and two XSRs.

Figure 3-5 VPN Site-to-Site Topology

	Central Site		112.16.72.2
	Central Site	112.16.244.9
		112.16.244.9
112.16.1.221		ANG-1105	Branch Sites
		XSR
			112.16.76.2
XSR	Firewall	112.16.244.7
	112.16.244.10	XSR
	Gateway IP address	XSR
	for all remote sites		112.16.80.2
			112.16.80.2
		112.16.244.5

The following script configures the VPN topology shown in Figure 3-5.

Generate Master Encryption Key

If you have not already generated a master encryption key, you must do so now to configure th6e VPN. A master key need only be generated once.

Caution: The master encryption key is stored in hardware, not Flash, and you cannot read the key - only overwrite the old key by writing a new one. To ensure router security, it is critical not to compromise the key. There are situations where you may want to keep the key, for example, to save the user database off-line in order to later download it to the XSR. In order to encrypt the user database, you need the same master key, indicating the key designation with the master key specify command. Be aware that if the XSR is inoperable you may have to return to factory defaults, which erases the master key forcing you to generate a new one.

Generate the master key:

XSR(config)#crypto key master generate

New key is 2173 4521 3764 2ff5 163b 4bdf fe92 dbc1 1232 ffe0 f8d9 3649

Configure Access Control Lists

ACL 101 configured below is strongly restrictive in denying all but IKE traffic (well-knownUDP port# 500) through the router. ACLs 190, 191, and 192 are crypto map filters configured to accept any IPSec-encrypted traffic over site-to-site tunnels and pass that traffic to the three specified networks only.

XSR(config)#access-list 101 permit udp any any eq 500

XSR(config)#access-list 101 permit udp esp any any

XSR Getting Started Guide 3-27

Image 71

Contents Version PeditionSecurity RouterPage Enterasys Networks, Inc Minuteman Road Andover, MA Regulatory Compliance Information Industry Canada Notices Product Safety Supplement to Product Instructions Vcci Notice N826 Enterasys Networks, Inc. Firmware License Agreement Page Page Contents BRI Leased Line BRI Leased Frame Relay BRI Switched Line Index Appendix a SpecificationsXiv About This Guide Contents of the GuideBold/En negrilla FTP Getting HelpXviii System Description OverviewTypical XSR-3150 Topology Hardware FeaturesXSR-3150 IP Protocol Software FeaturesOperating System Industry-common CLISnmp and Statistics Gathering IP RoutingFrame Relay SecurityIntegrated Services Digital Network Isdn BRI/PRI Dynamic Host Configuration Protocol DhcpVirtual Private Network VPN Quality of Service QoSGRE over IPSec Dial-on-Demand/Bandwidth-on-Demand DoD/BoD Dial ServiceDial Backup Asynchronous Digital Subscriber Line AdslUnpack the XSR from the shipping box. Remove accessories Installation OverviewInstallation Overview Verifying Your Shipment Installation Site SuggestionsIntroduction Removing XSR Cover Installing NIM Cards and Rack MountingXSR Fastening Rack Brackets CompactFlash Card Installation Installing a CompactFlash Memory CardFormatting the CompactFlash Card CompactFlash Card for the Adsl NIM3150 Connecting Cables11 Connecting High Speed Serial Connector 13 Connecting Adsl Connector 15 Attaching GigabitEthernet Connector 17 Attaching Ethernet LAN NIM Connector 19 Connecting Dual Internal Power Supply Cords Initializing XSR Software Software ConfigurationInitializing XSR Software Opening a COM Console Session Optional Configuring Remote Auto InstallConfiguring RAI for Frame Relay Remote Auto Install Attempting Forever Configuring RAI over Adsl Configuring RAI for Dhcp over LANPppoe limit max-sessions Setting User Name, Privilege and Password Configuring the XSR Name and User InformationSetting the Clock PRI Configuration Configuring the LAN PortsConfiguring the WAN Ports BRI Leased Line BRI ConfigurationBRI Leased Frame Relay BRI Switched LinePPPoA Adsl ConfigurationPPPoE IPoA Firewall Sample ConfigurationXSR Complete LAN and WAN interface configuration Setting Up RIP RoutingConfiguring Frame Relay Point to Point Networks Configure Ospf RoutingSetting Up an Snmp Community String, Traps and V3 Values Configuring Message Logging and Severity Level Connecting Remotely via the Web Viewing Your ConfigurationWeb Product Version Window Pstn LAN-PPP Services Sample ConfigurationXSRconfig-controllerT1-1/0#no shutdown Configure Quality of Service Frame Relay WAN Link with PPP Backup Sample ConfigurationConfigure Users and Passwords Configure LAN InterfaceXSRconfig-pmap-cpriority-policy#priority high 30 Configure WAN/Frame Relay PortApply QoS XSRconfig#interface serial 1/0.2 multipointConfigure the Dial Backup Connection Configure Ospf RoutingConfigure More Access Lists Configure DHCP/BOOTP RelayConfigure Snmp Generate Master Encryption Key VPN Site-to-Site Sample ConfigurationConfigure Access Control Lists Create a Transform Set Set Up IKE Phase I SecurityConfigure IKE Policy for Remote Peer Configure Crypto MapsConfiguring VPN at Interface Mode and Setting Up RIP Configuring Authentication AAA VPN Sample Configuration with Network Extension ModeEnable Network Address Translation Create the Isakmp IKE global peer Initialization Output XSR Rebooting CharacteristicsPower-Up Reboot Reboot TriggersPower-up Error Conditions Bootrom Monitor Mode CommandsXSR-3150 bu btXSR300012.fls Verifying btXSR300012.fls file Copy Dir DelFfc Rename RemoveFTP Bootrom Monitor Mode Commands System Specifications SpecificationsWAN Cable, CompactFlash and Accessory SpecificationsXSR Getting Started Guide A-3 COM COM Console PortMini-GBIC Fiber, Copper Port GigabitEthernet PortsCopper/Fiber-optic Ethernet NIMs Regulatory/Safety Compliance21 DTE Port Serial NIM Card PortFigure A-8 EIA-232/530 DTE Pin Assignments Figure A-9 EIA-449 DTE Pin Assignments Figure A-10 Combined V.35/EIA-232/530 DTE Pin Assignments Figure A-11 DTE Pin Assignments T1/E1/ISDN PRI T1/E1/ISDN PRI NIM Card PortsFigure A-14 Balun for E1 or PRI Connection Balun for E1 or PRI NIM CardsGrounding Shunt for E1 NIM Cards Installing Shunt/Terminal StripFigure A-17 1-Port T3/E3 NIM Card T3/E3 NIM CardTermination Shunt for the Isdn BRI-S/T NIM Card Port BRI-S/T Isdb NIM Card PortsXSR Getting Started Guide A-17 Figure A-21 Isdn BRI-U NIM Card RJ-49C ports shown Port BRI-U NIM Card PortsFigure A-23 Adsl NIM Card Port Adsl NIM Card PortFigure A-25 T1/E1 D&I NIM Card T1/E1 Drop & Insert D&I NIMLED Behavior CompactFlash Memory CardTX LED Index Index-2