Command Reference Guide Global Configuration Mode Command Set
61200510L1-35E Copyright © 2005 ADTRAN 369
An IKE policy may specify one or more peer IP addresses that will be allowed to connect to this system. To
specify multiple unique peer IP addresses, the peer A.B.C.D command is used multiple times within a
single IKE policy. To specify that all possible peers can use a default IKE policy, the peer any command is
given instead of the peer A.B.C.D command inside of the IKE policy. The policy with the peer any
command specified will match to any peer IP address (and therefore should be given the highest numerical
priority number). This will make the policy the last one to be compared against during IKE negotiation.
(config)#crypto ike policy 10
(config-ike)#no local-id
(config-ike)#peer 63.105.15.129
(config-ike)#initiate aggressive
(config-ike)#respond anymode
(config-ike)#attribute 10
(config-ike-attribute)#encryption 3des
(config-ike-attribute)#hash sha
(config-ike-attribute)#authentication pre-share
(config-ike-attribute)#group 1
(config-ike-attribute)#lifetime 86400
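As an added illustration of the ordering rule described above (this fragment is not from the ADTRAN guide; policy number 100 and its attribute values are assumed), a second policy using peer any is placed at a higher number than the peer-specific policy. Because policies are compared in ascending order, a negotiation from 63.105.15.129 still matches policy 10, and only other peers fall through to policy 100. Note that a peer any policy lets any source address start an IKE exchange with the device; with pre-shared-key authentication each such peer must still present a remote ID and key defined with crypto ike remote-id (Step 5), so the catch-all policy does not by itself admit unknown peers.

```text
(config)#crypto ike policy 10
(config-ike)#peer 63.105.15.129
(config-ike)#initiate aggressive
(config-ike)#respond anymode
(config-ike)#attribute 10
(config-ike-attribute)#encryption 3des
(config-ike-attribute)#hash sha
(config-ike-attribute)#authentication pre-share
(config-ike-attribute)#group 1
(config-ike-attribute)#lifetime 86400
(config)#crypto ike policy 100
(config-ike)#peer any
(config-ike)#respond anymode
(config-ike)#attribute 10
(config-ike-attribute)#encryption 3des
(config-ike-attribute)#hash sha
(config-ike-attribute)#authentication pre-share
(config-ike-attribute)#group 1
(config-ike-attribute)#lifetime 86400
```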
Step 5:
Define the remote ID settings. The crypto ike remote-id command is used to define the remote ID for a
peer connecting to the system, to specify the preshared-key associated with that remote ID, and
(optionally) to indicate that the peer matching this remote ID should not use mode config (by using the
no-mode-config keyword). Refer to crypto ike remote-id on page 371 for more information.
(config)#crypto ike remote-id address 63.105.15.129 preshared-key mysecret123
Step 6:
Define the transform set. A transform set defines the encryption and/or authentication algorithms to be
used to secure the data transmitted over the VPN tunnel. Multiple transform sets may be defined in a
system. Once a transform set is defined, many different crypto maps within the system can reference it. In
this example, a transform set named highly_secure has been created. This transform set defines ESP
with authentication, implemented using 3DES encryption and SHA-1 authentication. Note that 3DES, SHA-1,
and DH group 1 (used in the IKE attributes above) are considered weak by current standards; where the
platform offers stronger algorithms, prefer them over the values shown in this example.
(config)#crypto ipsec transform-set highly_secure esp-3des esp-sha-hmac
(cfg-crypto-trans)#mode tunnel
Step 7:
Define an IP access list. An extended access control list is used to specify which traffic needs to be sent
securely over the VPN tunnel. The entries in the list are defined with respect to the local system. The
source IP address will be the source of the traffic to be encrypted. The destination IP address will be the
receiver of the data on the other side of the VPN tunnel.
(config)#ip access-list extended corporate_traffic
(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log
(config-ext-nacl)#deny ip any any
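The following Python script is an added example, not part of the ADTRAN guide or its software. It models how the corporate_traffic access list above selects traffic for the tunnel: the wildcard masks are applied as on the CLI (a 0 bit in the mask must match, a 1 bit is ignored), entries are evaluated in order, and anything that reaches the end of the list is denied. It also shows why the list is written with respect to the local system: the remote gateway needs the mirror image of this list, which the mirror() helper (an assumption of this example, not an AOS command) produces by swapping source and destination. The sample flows are constructed for the example.

```python
import ipaddress

# Constructed representation of the page's corporate_traffic list:
# (action, source, source-wildcard, destination, destination-wildcard).
# "any" on the CLI is 0.0.0.0 with wildcard 255.255.255.255.
CORPORATE_TRAFFIC = [
    ("permit", "10.10.10.0", "0.0.0.255", "10.10.20.0", "0.0.0.255"),
    ("deny", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]


def wildcard_match(addr, base, wildcard):
    """True if addr matches base under an ACL wildcard mask.

    A wildcard is the inverse of a netmask: bits set to 1 are "don't care",
    bits set to 0 must equal the corresponding bit of base.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def acl_action(acl, src, dst):
    """Return the action of the first entry matching (src, dst).

    An access list always ends with an implicit deny, so a flow that matches
    no entry is not sent through the tunnel.
    """
    for action, sbase, swc, dbase, dwc in acl:
        if wildcard_match(src, sbase, swc) and wildcard_match(dst, dbase, dwc):
            return action
    return "deny"


def mirror(acl):
    """Swap source and destination of every entry.

    Assumed helper for this example: because each side writes its list from
    its own point of view, the remote gateway's list is the mirror of ours.
    """
    return [(action, dbase, dwc, sbase, swc)
            for action, sbase, swc, dbase, dwc in acl]


def classify_flows(acl, flows):
    """Map each (src, dst) flow to the action the local ACL gives it."""
    return {flow: acl_action(acl, *flow) for flow in flows}


if __name__ == "__main__":
    # Constructed sample flows as seen from the local system.
    flows = [
        ("10.10.10.5", "10.10.20.7"),   # LAN to remote LAN: encrypted
        ("10.10.10.5", "8.8.8.8"),      # LAN to Internet: not tunnelled
        ("10.10.20.7", "10.10.10.5"),   # reverse direction: not ours to match
    ]
    for flow, action in classify_flows(CORPORATE_TRAFFIC, flows).items():
        print(f"{flow[0]} -> {flow[1]}: {action}")
    # The remote gateway's list permits the reverse flow.
    print("remote side:", acl_action(mirror(CORPORATE_TRAFFIC),
                                     "10.10.20.7", "10.10.10.5"))
```

The deny entry on the page is spelled out for clarity; an extended access list ends with an implicit deny even when that line is omitted, which is why acl_action() falls back to "deny" after exhausting the list.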