XSR(config)#access-list 101 permit udp ah any any
XSR(config)#access-list 101 deny ip any any
XSR(config)#access-list 190 permit ip any 112.16.72.0 0.0.0.255
XSR(config)#access-list 191 permit ip any 112.16.76.0 0.0.0.255
XSR(config)#access-list 192 permit ip any 112.16.80.0 0.0.0.255
Set Up IKE Phase I Security
The following proposal sets pre-shared authentication and MD5 hashing:
XSR(config)#crypto isakmp proposal acme
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#hash md5
Configure IKE Policy for Remote Peer
The following proposal specifies the XSR’s remote peer IP address as any peer matching its IKE policy, sets NAT to automatically detect routers performing NAT between tunnel endpoints and directs the XSR to switch on UDP encapsulation when found.
It also designates the peer as a gateway which will initiate the configuration mode in terms of IKE negotiation:
XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0
XSR(config-isakmp-peer)#proposal acme
XSR(config-isakmp-peer)#config-mode gateway
XSR(config-isakmp-peer)#nat-traversal automatic
Create a Transform Set
The following transform-set specifies the specified encryption/data integrity choices, 768-bitDiffie-Hellman, and an SA lifetime expressed in kilobytes. The SA seconds lifetime value is disabled. Some commands are abbreviated.
XSR(config)#crypto ipsec tra esp-3des-sha esp-3des esp-sha-hmac
XSR(cfg-crypto-tran)#set pfs group1
XSR(cfg-crypto-tran)#set sec lifetime kilobytes 100000
XSR(cfg-crypto-tran)#no set sec lifetime seconds
Configure Crypto Maps
The following IKE policy crypto maps are each linked to the earlier added transform-set with matching ACLs and are set by default for the more stringent tunnel mode. Maps 91 and 92 match the remote XSRs and map 90 correlates with the ANG. Crypto map statements render the associated ACLs bi-directional.
XSR(config)#crypto map acme 92
XSR(config-crypto-m)#set transform-set esp-3des-sha
XSR(config-crypto-m)#match address 192
XSR(config-crypto-m)#set peer 112.16.244.5
