Enterasys Networks XSR-3150 manual VPN Sample Configuration with Network Extension Mode


Configuring Authentication (AAA)

Configure an AAA user and a DEFAULT AAA group for remote users. When an ANG tunnels into the XSR, it is dynamically assigned an address from the IP pool AUTH. Be aware that groups must be created before users can be added to them. Remember to create the same users and passwords on the ANG. The IP address assigned to the AAA user is the remote gateway IP address.

XSR(config)#ip local pool AUTH 192.168.2.0 255.255.255.0
XSR(config)#aaa user 112.16.244.9
XSR(aaa-user)#password dribble
XSR(aaa-user)#group DEFAULT
XSR(aaa-group)#pptp encrypt mppe auto
XSR(aaa-group)#ip pool AUTH
XSR(aaa-group)#policy vpn
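The AAA excerpt above has two dependency rules worth checking before the configuration is copied to the ANG: the group a user is placed in must exist, and the pool a group hands out addresses from must have been defined with ip local pool. The following parser and checker is an added example, not Enterasys code or anything from the XSR firmware. It reads the CLI transcript format shown above (prompt, then command), infers the configuration mode from the prompt text, and reports dangling pool or group references; the mode transitions it assumes (group from aaa-user mode continuing in aaa-group mode) follow the prompts in the sample, and the second, deliberately broken sample is constructed for illustration.

```python
"""Parse and sanity-check an XSR-style AAA/IP-pool CLI transcript.

Added example (not Enterasys code). The transcript format, the mode names
taken from the prompts, and the checks below are assumptions modelled on the
manual's sample lines.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Prompt looks like "XSR(config)#command ...": capture the mode and the command.
PROMPT_RE = re.compile(r"^XSR\((?P<mode>[^)]*)\)#\s*(?P<cmd>.*)$")

# Constructed sample: the AAA lines from the manual's NEM example.
SAMPLE = """\
XSR(config)#ip local pool AUTH 192.168.2.0 255.255.255.0
XSR(config)#aaa user 112.16.244.9
XSR(aaa-user)#password dribble
XSR(aaa-user)#group DEFAULT
XSR(aaa-group)#pptp encrypt mppe auto
XSR(aaa-group)#ip pool AUTH
XSR(aaa-group)#policy vpn
"""

# Constructed sample with a hypothetical group that names a pool never defined.
BAD_SAMPLE = """\
XSR(config)#aaa user 10.0.0.2
XSR(aaa-user)#password example-only
XSR(aaa-user)#group BRANCH
XSR(aaa-group)#ip pool NOSUCHPOOL
"""


@dataclass
class AaaModel:
    pools: dict = field(default_factory=dict)   # name -> IPv4Network
    users: dict = field(default_factory=dict)   # name -> {"password", "group"}
    groups: dict = field(default_factory=dict)  # name -> {"ip_pool", "policy", "pptp"}


def parse_aaa(text):
    """Build an AaaModel from a transcript; the prompt tells us which mode we are in."""
    model = AaaModel()
    current_user = None
    current_group = None
    for raw in text.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m or not m.group("cmd"):
            continue
        mode, words = m.group("mode"), m.group("cmd").split()
        if mode == "config" and words[:3] == ["ip", "local", "pool"] and len(words) == 6:
            # ip local pool NAME ADDRESS MASK -> validated network object
            model.pools[words[3]] = ipaddress.IPv4Network(f"{words[4]}/{words[5]}", strict=True)
        elif mode == "config" and words[:2] == ["aaa", "user"] and len(words) == 3:
            current_user = words[2]
            model.users[current_user] = {"password": None, "group": None}
        elif mode == "aaa-user" and words[0] == "password" and current_user:
            model.users[current_user]["password"] = " ".join(words[1:])
        elif mode == "aaa-user" and words[0] == "group" and current_user and len(words) == 2:
            # Assigns the user to the group; the sample's prompts then continue in aaa-group mode.
            current_group = words[1]
            model.users[current_user]["group"] = current_group
            model.groups.setdefault(current_group, {"ip_pool": None, "policy": None, "pptp": None})
        elif mode == "aaa-group" and current_group:
            g = model.groups[current_group]
            if words[:2] == ["ip", "pool"] and len(words) == 3:
                g["ip_pool"] = words[2]
            elif words[0] == "policy" and len(words) == 2:
                g["policy"] = words[1]
            elif words[0] == "pptp":
                g["pptp"] = " ".join(words[1:])
    return model


def check_aaa(model):
    """Return human-readable problems: unresolved references and missing credentials."""
    problems = []
    for name, g in model.groups.items():
        if g["ip_pool"] is None:
            problems.append(f"group {name}: no ip pool, remote peers get no address")
        elif g["ip_pool"] not in model.pools:
            problems.append(f"group {name}: ip pool {g['ip_pool']} is not defined")
    for name, u in model.users.items():
        if u["group"] is None:
            problems.append(f"user {name}: not assigned to a group")
        elif u["group"] not in model.groups:
            problems.append(f"user {name}: group {u['group']} does not exist")
        if not u["password"]:
            problems.append(f"user {name}: no password set")
    return problems


if __name__ == "__main__":
    for label, text in (("manual sample", SAMPLE), ("broken sample", BAD_SAMPLE)):
        model = parse_aaa(text)
        print(label, "pools:", {k: str(v) for k, v in model.pools.items()})
        print(label, "problems:", check_aaa(model) or "none")
```

Running the script against the manual's own lines reports no problems and shows pool AUTH as 192.168.2.0/24 (256 addresses); the constructed second sample is flagged because group BRANCH points at a pool that was never created. The same model is a convenient place to list the user names and passwords that must be mirrored on the ANG.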

VPN Sample Configuration with Network Extension Mode

The following sample topology is ideal for testing a VPN NEM tunnel connection on a LAN before actually configuring a production network. If the configuration works properly, simply change the GigabitEthernet settings to the Serial or T1 interface values of your choice.

The XSR below is configured as a VPN concentrator with Internet access allowed and Network Extension Mode (NEM) tunnels set up. NEM is designed to open up network resources situated behind the XSR. You configure NEM to provide routing for nodes connected to the trusted port of the router so that locally and remotely connected devices can discover and communicate with each other across an IKE/IPSec tunnel.

The XSR’s EZ-IPSec functionality is employed to automatically access default ESP transforms and IPSec proposals.

Figure 3-6 VPN Topology with NEM, EZ-IPSec and Internet Access (diagram not reproduced; address labels recovered from the figure)

Concentrator XSR: GigabitEthernet 1: 172.16.10/24; GigabitEthernet 2: 26.26.26.10/24; Virtual IP Pool: 172.16.10.0/24
Remote peer: eth0: 10.11.11.1/24; eth1: 26.26.26.11/24
Remote peer: eth0: 10.12.12.1/24; eth1: 26.26.26.12/24
Transit network: 26.26.26.0/24
LAN behind the concentrator: 172.16.10.0

The following script configures the VPN topology shown in Figure 3-6.

If you have not already generated a master encryption key, you must do so now to configure the VPN. A master key need only be generated once.

Caution: The master encryption key is stored in hardware, not Flash, and you cannot read the key; you can only overwrite the old key by writing a new one. To ensure router security, it is critical not to compromise the key. There are situations where you may want to keep the key, for example, to save the user database off-line in order to later download it to the XSR. In order to encrypt the user database, you need the same master key, indicating the key designation with the master key specify command. Be aware that if the XSR is inoperable you may have to return to factory defaults, which erases the master key and forces you to generate a new one.

3-30 Software Configuration
