Command Reference Guide Crypto Map Manual Command Set
61200510L1-35E Copyright © 2005 ADTRAN 1247
Step 4:
Define an IP access list. An extended access control list specifies which traffic is to be sent
securely over the VPN tunnel. The entries in the list are written from the point of view of the local system:
the source IP address is the source of the traffic to be encrypted, and the destination IP address is the
receiver of the data on the other side of the VPN tunnel. The peer's access list must be the mirror image
(source and destination swapped) so that both ends agree on which traffic belongs to the tunnel.
(config)#ip access-list extended corporate_traffic
(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log
deny ip any any
Step 5:
Create a crypto map and define manual keys. A crypto map defines a set of encryption schemes to
be used for a given interface. Each crypto map entry has a unique index within the crypto map set. The entry
is created as ipsec-manual when the keys are entered by hand (as in this example) or as ipsec-ike when IKE
is used to negotiate them. The crypto map entry also specifies the peer that terminates the VPN tunnel, as well
as which transform set or sets are used to encrypt and/or authenticate the traffic on that VPN tunnel. For an
IKE crypto map it also specifies the lifetime of all created IPSec security associations. Manually keyed
security associations are never rekeyed: the configured keys stay in use until they are changed by hand, which
is why manual keying should be limited to peers that cannot run IKE.
The keys for the algorithms defined in the transform set associated with the crypto map are entered with
the set session-key command. A separate key is needed for inbound and for outbound traffic. Each key is
entered as a string of hexadecimal digits, two digits per byte of the key, without a leading 0x. For
example, a cipher key of this is my cipher key would be entered as:
74686973206973206D7920636970686572206B6579.
The length of each key must match the algorithm named in the transform set; the 24-byte cipher keys and
20-byte authenticator keys used below correspond to 3DES and HMAC-SHA-1. Keys made from typed passphrases,
as in this example, carry well under 8 bits of entropy per byte; keys generated as random bytes and then
hex-encoded are preferable.
A unique Security Parameter Index (SPI) is needed for both inbound and outbound traffic. The local
system's inbound SPI and keys will be the peer's outbound SPI and keys. The local system's outbound SPI
and keys will be the peer's inbound SPI and keys. In this example the following keys and SPIs are used:
Inbound cipher SPI: 300
Inbound cipher key: "2te$#g89jnr(j!@4rvnfhg5e"
Outbound cipher SPI: 400
Outbound cipher key: "8564hgjelrign*&(gnb#1$d3"
Inbound authenticator key: "r5%^ughembkdhj34$x.<"
Outbound authenticator key: "io78*7gner#4(mgnsd!3"
(config)#crypto map corporate_vpn 1 ipsec-manual
(config-crypto-map)#match address corporate_traffic
(config-crypto-map)#set peer 63.105.15.129
(config-crypto-map)#set transform-set highly_secure
(config-crypto-map)#set session-key inbound esp 300 cipher 32746524236738396A6E72286A21403472766E6668673565 authenticator 7235255E756768656D626B64686A333424782E3C
(config-crypto-map)#set session-key outbound esp 400 cipher 3835363468676A656C7269676E2A2628676E622331246433 authenticator 696F37382A37676E65722334286D676E73642133
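The following Python script is an added example, not ADTRAN code or part of the original manual. It encodes the keys the way set session-key expects them, checks each key length against the transform set's algorithms, checks that the SPIs are in the usable range, and emits the crypto map entries for both ends of the tunnel with the inbound and outbound SPIs and keys swapped, as Step 5 describes. It goes slightly beyond the page by also drawing fresh keys from the operating system's CSPRNG. It assumes that the transform set highly_secure is 3DES with HMAC-SHA-1 (the page does not show its definition) and uses a hypothetical local address, 203.0.113.10, which is not in the page; the SPIs, keys and peer address 63.105.15.129 are the ones from the example above.

```python
import secrets

# Key sizes in bytes for algorithms a transform set may name.
# Assumption: `highly_secure` is esp-3des / esp-sha-hmac; the page does not show
# its definition, so change CIPHER and AUTH to match your own transform set.
CIPHER_KEY_BYTES = {"des": 8, "3des": 24, "aes-128": 16, "aes-192": 24, "aes-256": 32}
AUTH_KEY_BYTES = {"md5": 16, "sha1": 20}
CIPHER, AUTH = "3des", "sha1"


def key_to_hex(key: bytes) -> str:
    """Encode a raw key as `set session-key` wants it: two hex digits per byte, no 0x."""
    return key.hex().upper()


def check_key(key: bytes, algorithm: str, table: dict) -> bytes:
    """Reject a key whose length does not match the algorithm in the transform set,
    so a mismatch is caught here rather than as a tunnel that silently fails."""
    want = table[algorithm]
    if len(key) != want:
        raise ValueError(f"{algorithm} needs {want}-byte key, got {len(key)} bytes")
    return key


def check_spi(spi: int) -> int:
    """SPI values 0-255 are reserved (RFC 4303, section 2.1); the field is 32 bits."""
    if not 256 <= spi <= 0xFFFFFFFF:
        raise ValueError(f"SPI {spi} is outside the usable range 256..2^32-1")
    return spi


def random_key(nbytes: int) -> bytes:
    """Draw a key from the OS CSPRNG: 8 bits of entropy per byte, unlike the typed
    passphrases in the manual's example."""
    return secrets.token_bytes(nbytes)


def session_key_command(direction: str, spi: int, cipher_key: bytes, auth_key: bytes) -> str:
    """Build one `set session-key` line for the given direction."""
    return (f"set session-key {direction} esp {check_spi(spi)} "
            f"cipher {key_to_hex(check_key(cipher_key, CIPHER, CIPHER_KEY_BYTES))} "
            f"authenticator {key_to_hex(check_key(auth_key, AUTH, AUTH_KEY_BYTES))}")


def crypto_map_pair(map_name, index, acl, transform_set, local_peer, remote_peer,
                    in_spi, in_cipher, in_auth, out_spi, out_cipher, out_auth):
    """Return (local_commands, remote_commands) for a manually keyed crypto map.
    The remote side is the mirror image: our inbound SPI and keys are its outbound
    SPI and keys, and vice versa, and each side's `set peer` names the other."""
    if in_spi == out_spi:
        raise ValueError("inbound and outbound SPIs must differ")

    def side(peer, i_spi, i_c, i_a, o_spi, o_c, o_a):
        return [
            f"crypto map {map_name} {index} ipsec-manual",
            f" match address {acl}",
            f" set peer {peer}",
            f" set transform-set {transform_set}",
            " " + session_key_command("inbound", i_spi, i_c, i_a),
            " " + session_key_command("outbound", o_spi, o_c, o_a),
        ]

    local = side(remote_peer, in_spi, in_cipher, in_auth, out_spi, out_cipher, out_auth)
    remote = side(local_peer, out_spi, out_cipher, out_auth, in_spi, in_cipher, in_auth)
    return local, remote


if __name__ == "__main__":
    # Constructed input: the SPIs, keys and peer address from the manual's example,
    # plus a hypothetical local address (203.0.113.10) that the page does not give.
    local, remote = crypto_map_pair(
        "corporate_vpn", 1, "corporate_traffic", "highly_secure",
        local_peer="203.0.113.10", remote_peer="63.105.15.129",
        in_spi=300, in_cipher=b"2te$#g89jnr(j!@4rvnfhg5e", in_auth=b"r5%^ughembkdhj34$x.<",
        out_spi=400, out_cipher=b"8564hgjelrign*&(gnb#1$d3", out_auth=b"io78*7gner#4(mgnsd!3")
    print("! local router\n" + "\n".join(local))
    print("\n! remote peer\n" + "\n".join(remote))
    # Preferred for a real deployment: keys of the right length from the CSPRNG.
    print("\n! fresh cipher key:", key_to_hex(random_key(CIPHER_KEY_BYTES[CIPHER])))
```

The local output reproduces the set session-key lines shown above; the remote output is what the administrator of 63.105.15.129 must enter, with SPI 400 inbound and SPI 300 outbound. Change CIPHER and AUTH if your transform set names other algorithms, and the length checks will enforce the matching key sizes.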