Command Reference Guide Global Configuration Mode Command Set
61200510L1-35E Copyright © 2005 ADTRAN 368
Technology Review
The following example configures an AOS product for VPN using IKE aggressive mode with pre-shared
keys. The AOS product can be set to initiate IKE negotiation in main mode or aggressive mode. The
product can be set to respond to IKE negotiation in main mode, aggressive mode, or any mode. In this
example, the device is configured to initiate in aggressive mode and to respond to any mode.
This example assumes that the AOS product has been configured with a WAN IP address of 63.97.45.57
on interface ppp 1 and a LAN IP address of 10.10.10.254 on interface ethernet 0/1. The peer private IP
subnet is 10.10.20.0.
For more detailed information on VPN configuration, refer to the technical support note VPN
Configuration Guide located on the ADTRAN OS Documentation CD provided with your unit.
Step 1:
Enter the Global configuration mode (i.e., config terminal mode).
>enable
#configure terminal
Step 2:
Enable VPN support using the ip crypto command. This command allows crypto maps to be applied to
interfaces, and enables the IKE server to listen for IKE negotiation sessions on UDP port 500.
(config)#ip crypto
Step 3:
Set the local ID. During IKE negotiation, local IDs are exchanged between the local device and the peer
device. In the AOS, the default setting for all local IDs is configured by the crypto ike local-id command.
The default setting is for all local IDs to be the IPv4 address of the interface over which the IKE negotiation
is occurring. In the future, a unique system-wide hostname or fully qualified domain name could be used
for all IKE negotiation.
(config)#crypto ike local-id address
Step 4:
Create IKE policy. In order to use IKE negotiation, an IKE policy must be created. Within the system, a list
of IKE policies is maintained. Each IKE policy is given a priority number in the system. That priority number
defines the position of that IKE policy within the system list. When IKE negotiation is needed, the system
searches through the list, starting with the policy with priority of 1, looking for a match to the peer IP
address.
An individual IKE policy can override the system local ID setting by having the local-id command specified
in the IKE policy definition. This command in the IKE policy is used to specify the type of local ID and the
local ID data. The type can be of IPv4 address, fully qualified domain name, or user-specified fully qualified
domain name.
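The policy lookup in Step 4 and the local ID override from Step 3, modeled in Python as an added example (not ADTRAN code). The stanza syntax parsed here (`peer <address>`, `peer any`, a policy-level `local-id fqdn <name>`) is an assumed subset, the sample configuration and peer addresses are constructed, and the `shadowed` check goes beyond the text to report policies that sit behind a match-any policy in the search order.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed sample; the stanza syntax is an assumed subset, peers are documentation addresses.
SAMPLE_CONFIG = """\
crypto ike local-id address
crypto ike policy 20
 peer any
crypto ike policy 10
 peer 192.0.2.10
 local-id fqdn branch.example.com
crypto ike policy 30
 peer 198.51.100.7
"""

@dataclass
class IkePolicy:
    priority: int
    peers: list = field(default_factory=list)
    local_id: tuple = None  # (type, data) override; None = use the system default

def parse_policies(config):
    """Return policies in search order (ascending priority number)."""
    policies, current = [], None
    for line in config.splitlines():
        words = line.split()
        if words[:3] == ["crypto", "ike", "policy"]:
            current = IkePolicy(int(words[3]))
            policies.append(current)
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the stanza
        elif current and len(words) >= 2 and words[0] == "peer":
            current.peers.append(words[1])
        elif current and len(words) >= 2 and words[0] == "local-id":
            current.local_id = (words[1], words[2] if len(words) > 2 else None)
    return sorted(policies, key=lambda p: p.priority)

def select_policy(policies, peer_ip):
    """First policy whose peer list matches wins, searching from the lowest number."""
    hit = lambda p: any(x == "any" or ip_address(x) == ip_address(peer_ip) for x in p.peers)
    return next((p for p in policies if hit(p)), None)

def effective_local_id(policy, interface_ip):
    """A policy-level local-id overrides the default (interface IPv4 address)."""
    return policy.local_id or ("address", interface_ip)

def shadowed(policies):
    """Priorities listed after a match-any policy; this model never selects them."""
    first_any = next((i for i, p in enumerate(policies) if "any" in p.peers), len(policies))
    return [p.priority for p in policies[first_any + 1:]]
```

Running `shadowed(parse_policies(SAMPLE_CONFIG))` on the sample reports policy 30, whose peer is claimed by the match-any policy 20 ahead of it in the list.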