Example 4 IPSec remote access | Black Box LR1114A-T1/E1 specs

Example 4: IPSec remote access

Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 2> encryption_algorithm aes256-cbc

Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 2> exit Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> exit

Black Box1/configure/crypto> exit Black Box1/configure>

Step 8: Display the IPSec policies

Use the show crypto ipsec policy all command.

Step 9: Repeat steps 1 - 8 with suitable modifications on Black Box2 prior to passing bi-directional traffic.

Step 10: Test the IPSec tunnel between Black Box1 and Black Box2 by passing traffic from the 10.0.1.0 network to the 10.0.2.0 network

Step 11: After traffic is passed through the tunnel, display the IKE and IPSec SA tables.

Use the show crypto ike sa all and show crypto ipsec sa all commands.

4.5Example 4: IPSec remote access to corporate LAN using user group method

The following example demonstrates how to configure a Black Box router to be an IPSec VPN server using user group method with extended authentication (XAUTH) for remote VPN clients. The client could be any standard IPSec VPN client.

In this example, the client needs to access the corporate private network 10.0.1.0/24 through the VPN tunnel. The security requirements are as follows:

Phase 1: 3DES with SHA1, Xauth (Radius PAP)

Phase 2: IPSec ESP tunnel with AES256 and HMAC-SHA1

VPN Client 1

Local Address: Dynamic

Local ID:

david@tasmannetworksblackbox.com.

com

blackbox 1

	NNEL
C TU
IPSE

IPSEC TUNNEL

Corporate

VPN Server 172.16.0.1

Headquarters

10.0.1.0/24

VPN Client 2

Local Address: Dynamic

Local ID:

mike@tasmannetworksblackbox.com .

com

Step 1: As in Step1 of Example 1

35

Image 33

Black Box LR1114A-T1/E1, LR1112A-T1/E1, LR1104A-T1/E1, LR1102A-T1/E1 manual Example 4 IPSec remote access, As in of Example

Contents

Black Box LR11xx Series Router Configurations Black Box LR11xx Series Router Configurations Guide Instrucciones DE Seguridad Normas Oficiales Mexicanas NOM Electrical Safety Statement Black Box LR11xx Series Router Configurations Guide Contents Ipsec Specifications Ultipath M Ulticast C Onfigurations 107 101117 119 WAN I Nterface C Onfigurations Black Box LR11xx Series Router Configurations Guide Bootp Requests Feature Overview1DHCP Relay Functionality Command Line Interface Using Dhcp Relay with NATBootp Replies Enabling Dhcp Relay Configuring the Gateway Address field when NAT is enabled Displaying Dhcp ConfigurationDisplaying Statistics Dhcp Relay Displaying Ethernet Interface Statistics Dhcp Limitations 1IGMP Configuration Configuring Internet Group Management Protocol Igmp Commands Igmp Configuration ExamplesExample 2.10Example Igmp Configuration2.11Example 2.12Example Black Box LR11xx Series Router Configurations Guide Blackbox configure term Blackbox/configure ip Configure the Black Box LR1104AFiltering IP Traffic 1IP Packet Filter Lists Blackbox/configure/ip applyfilter WAN1 filterb Blackbox configure terminal Blackbox/configure ipBlackbox/configure/ip applyfilter WAN1 filterc Example 1IPSec Configurations Configuring Security Display the crypto interfaces Example 1 Managing the Black Configure IKE to the peer gateway Permit SE Enable Snmp on the Black Box1 router Display Snmp communities Example 2 Single Proposal Tun Configure IPSec tunnel to the remote host Using the show crypto ipsec policy all command 1022 Out Any Black Box1 Show firewall policy corp detail Policy with Example 3 Multiple IPSec Pro Message Proposal added with priority2-esp-3des-sha1-tunnel As in of Example Example 4 IPSec remote access Display dynamic IKE policies in detail Configure dynamic IPSec policy for a group of mobile users Display dynamic IPSec policies in detail Display dynamic IPSec policies Lifetime in Kilobytes Bytes In 0, Bytes Out Permit E Display dynamic IKE policies Example 5 IPSec remote access Display dynamic IKE policies in detail Permit 20.1.1.150 1022 Out Any Example 5 IPSec remote access Black Box LR11xx Series Router Configurations Guide 1IPSec Appendix Ipsec Specifications Black Box IKE and IPSec Defaults IKE DefaultsIPSec Defaults ESP IPSec Appendix Black Box LR11xx Series Router Configurations Guide 1IP Multiplexing Forwarding IP TrafficPacket Forwarding Modes Proxy ARP and Packet Forwarding Proxy ARP and Packet Forwarding Addressing in IP Multiplexing Networks Single Subnet Split SubnetIP Multiplexing Secondary Addressing 30 Bit Secondary Addressing POP Only Secondary Addressing 29 Bit Pros and Cons of Different IP Addressing SchemesRouting Considerations for IP Multiplexing Black Box LR11xx Series Router Configurations Guide 1Connecting a Black Box Router to a Router/CSU Via Hdlc IP Multiplexing Hdlc Configurations Configuration Guide Configure the Black Box LR1104A at Site 1Configuring Multiple PPP and Mlppp Bundles IP Multiplexing PPP and Mlppp Configurations LR1104A Configuring Multiple PPP Configure the Black Box LR1104A at the Main Site Black Box LR11xx Series Router Configurations Guide 1Layer Two Configurations PPP, MLPPP, Configuring PPP, MLPPP,LR1114A LR1104A PPP and Mlppp Configuration Mlppp ConfigurationHdlc Configuration Configure the Black Box LR1114A System at Site 10.1Firewalls Configuring Firewalls Basic Firewall Configuration Firewall Configuration Examples Create policies for Security Zone Corp that Create the security zones Corp and DMZ and attach interfaces Create policies for Security Zone DMZ that Verify the firewall policy for Security Zone Corp Verify the firewall policy for Security Zone DMZ Create a default route out of the WAN Black Box LR11xx Series Router Configurations Guide Firewall Configuration Ex Black Box LR11xx Series Router Configurations Guide Stopping DoS Attacks NAT Configurations NAT Configuration ExamplesPacket Reassembly Dynamic NAT many to many NAT Configuration Examples Static NAT Static NAT one to one Method1 Specifying NAT address with the policy command 10.4.3Port Address Translation Many to oneMethod2 Attaching nat pool to the policy Black Box LR11xx Series Router Configurations Guide 11.1Multipath Multicast Multipath Multicast Configurations 11.2.1Multipath Examples 11.2Multipath Commands 12.1Network Address Translation Configuring NATDynamic NAT Static NAT Dynamic and Static NAT Configuration for Figure 12.1.4Configuration for Figure Reverse NATNetwork Address Translation Reverse NAT Blackbox configure terminal 13.1.1Dynamic NAT many to many NAT Configuration Examples 60.1.1.1 13.1.2Static NAT one to one 13.1.3Port Address Translation Many to one Secure Remote Access Using IPSec VPN Remote Access VpnsAccess Methods Remote Access User Group Remote Access Mode Configuration Configuration Examples Black Box #1 IPSec Remote Access User David@blackboxcom .com IPSec Remote Access Mode Configuration Group Method Mike@Blackbox.com IPSec Remote Access Mode Con Black Box LR11xx Series Router Configurations Guide 15.1.2Displaying RIP Configuration 15.1.1Configuring RIP for Ethernet 0 and WAN 1 Interfaces15.1.3Displaying All Configured RIP Interfaces Networking with Routing Information Protocol Show ip rip interface all Command Static Routing Configuration Configuring Static Routes 16.1.1Configure the Router at Site a 16.1.2Configure the Router at site BBlackbox/configure ip route 0.0.0.0 0.0.0.0 10.1.1.2 17.1.1Configuring the host name Configuring Open Shortest Path First Routing17.1.2Configuring interface ethernet 17.1.3Configuring interface bundle Dallas 17.1.5Configuring ospf interface parameters 17.1.4Configuring ospf17.1.6Displaying neighbors 17.1.7Displaying ospf routes Configuring Generic Routing Encapsulation Configuring GREInstalling Licenses GRE Configuration Examples GRE Configuration Examples 18.3.1Configuring Site to Site Tunnel For more information enter Configuring GRE Site to Site with Configuring GRE Site to Site with IPSec Add to the Cisco configuration above Configuring GRE Site to Site with IPSec and Ospf Ospf Frame Relay Configuring Ospf and Frame Relay 19.1.2Configuring interface ethernet 19.1.1Configuring the host name19.1.3Configuring interface bundle Dallas 19.1.4Configuring Ospf Configuring Protocol Independent Multicasting Routing PIM Configuration20.1.1PIM Commands Bootstrap Router related Commands Show and debug PIM commands are PIM Configuration Blackbox/configure/ip/pim register-suppress-timeout 20.1.2PIM Configuration Examples Blackbox/configure display ip pim global Blackbox/configure display ip pim neighbors Blackbox clear ip pim statistics 116 21.1.1mtrace Command Mtrace ConfigurationMulticast Traceroute Facility Restrictions Blackbox mtrace 192.168.0.0 192.168.2.22 Mtrace Example Configuring Quality of Service Routing Configuring QoS22.1.1Features 22.1.3Classification Types 22.1.2Definitions Vlan Identifiers Configuring QoSCreate bundle AppTest Create traffic classes 22.1.5Bulk Statistics Create bundle VLANtestCreate traffic classes and assign classifications Configuring bulk statistics Screen Display for show qos bulkstatsconfig Command 124 Managing Traffic with Vlan Tagging Virtual LAN Tagging # The POP router is 205.1.1.1/30 Reston configuration Black Box LR1104A Managing Traffic with Vlan Tag DC configuration Black Box LR1114A 128 24.1.1Configuration Details Managing Redundant ConnectionsTrunk Group/Failover Configure the Black Box LR1114A for Failover Operation 25.1 T1 Interface Configuration WAN Interface Configurations25.1.1Module Configuration Bundle Configuration Configure a T1 PPP Bundle Configure a Fractional T1 Hdlc BundleBlackbox/configure interface bundle demo2 Configure an N x T1 Mlppp Bundle Managing Vlan Traffic Virtual LAN Forwarding 134 26.1.1POP configuration Black Box LR1104A 26.1.2Bldg1 configuration Black Box LR1114AManaging Vlan Traffic Configure interface bundle uplink Configure Snmp10 br Features Mutlilink Frame Relay27.1Multilink Frame Relay FRF.15 and FRF.16 27.1.1.2 # Configure CVC1 27.1.1.1 # Configure Ethernet interface27.1.1.4 # Configure CVC3 27.1.1.5 #Configure AVC Layer Two Configurations FR and MFR Configuring Frame Relay Multilink Frame Relay Configure the Hssi Bundle at Site FR Configuration Layer Two Configurations FR MFR ConfigurationConfigure the Clear Channel Bundle on the LR1104A Configure the LR1104A LR1104A at Site 142 Copyright 2004. Black Box Corporation. All rights reserved