Brocade Mobility RFS4000, RFS6000 and RFS7000 CLI Reference Guide 241
53-1001931-01
Global Configuration commands 5
When the client is VPN enabled, it initiates a connection with the VPN server on our controller. The
"conversation" that occurs between the peers consists of device authentication via Internet Key
Exchange (IKE), followed by user authentication using IKE Extended Authentication (Xauth), the push
of client-related configuration (using Mode Configuration), and IPsec security association (SA) creation.
Depending on the controller IPsec configuration (as discussed in the previous sections), the client
establishes an IKE SA, and if the controller is configured for Xauth, the client waits for a
"username/password" challenge and then responds to the controller's challenge.
If the controller indicates that authentication is successful, the client requests further configuration
parameters from the controller. At this stage, a private IP address (mode-config) is pushed to the
client from the private address pool configured for remote VPN clients. IPsec SAs are created and
the connection is complete.
Once the client has a virtual IP, further packets from the client within the IPsec tunnel are
routed to the corresponding VLAN interface (in our case vlan3), and the client gets access to the
network. The IPsec tunnel exists only between the client and the controller; after that, packets on
the trusted side are sent without encryption.
NOTE
The example below is for an IPsec-L2TP connection over a wireless client. Use the Windows default
client for this configuration.
1. Create and configure a WLAN.
RFController(config)#
RFController(config)#wireless
RFController(config-wireless)#wlan 2 enable
RFController(config-wireless)#wlan 2 ssid MONARCH2
RFController(config-wireless)#wlan 2 vlan 2
2. Create and configure DHCP.
RFController(config)#ip dhcp pool vlan2
RFController(config-dhcp)#address range 10.1.1.2 10.1.1.254
RFController(config-dhcp)#default-router 10.1.1.1
RFController(config-dhcp)#network 10.1.1.0/24
3. Create and configure a VLAN interface named vlan2.
RFController(config)#interface vlan2
RFController(config-if)#ip address 10.1.1.1/24
4. Create and configure another VLAN interface named vlan3.
RFController(config)#interface vlan3
RFController(config-if)#ip address dhcp
Use the commands below to configure IPSec VPN on the controller:
1. Create an Extended ACL.
RFController(config)#ip access-list extended 101
2. Configure the local subnet and remote subnet as interesting traffic.
RFController(config-ext-nacl)# permit ip 10.1.1.0/24 any
RFController(config-ext-nacl)# permit ip 192.168.0.0/24 any
3. Configure a private pool address.
RFController(config)# ip local pool lo 192.168.0.2 hi 192.168.0.10
4. Specify DNS/WINS for the remote client.
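The addressing in steps 1 to 3 above only works if the mode-config pool is covered by the extended ACL (otherwise tunnelled client traffic is not treated as interesting) and does not overlap the trusted VLAN subnet. The following checker is an added example, not part of the guide or the controller's own tooling; it parses a transcript of the commands as typed (the `RFController(...)#` prompt format is assumed) and reports any mismatch. The function names `parse_session` and `check_vpn_addressing` are hypothetical.

```python
import ipaddress
import re

# Constructed transcript of the addressing commands from the steps on this page.
CLI_SESSION = """
RFController(config-dhcp)#address range 10.1.1.2 10.1.1.254
RFController(config-dhcp)#network 10.1.1.0/24
RFController(config-if)#ip address 10.1.1.1/24
RFController(config)#ip access-list extended 101
RFController(config-ext-nacl)# permit ip 10.1.1.0/24 any
RFController(config-ext-nacl)# permit ip 192.168.0.0/24 any
RFController(config)# ip local pool lo 192.168.0.2 hi 192.168.0.10
"""


def parse_session(text):
    """Extract local networks (DHCP 'network', VLAN 'ip address'), ACL permit
    sources and the remote-client pool from a CLI transcript (prompts assumed
    to end in '#')."""
    cfg = {"networks": [], "acl_permits": [], "pool": None}
    for raw in text.splitlines():
        cmd = raw.split("#", 1)[1].strip() if "#" in raw else raw.strip()
        if m := re.match(r"(?:network|ip address) (\S+/\d+)$", cmd):
            cfg["networks"].append(ipaddress.ip_network(m.group(1), strict=False))
        elif m := re.match(r"permit ip (\S+) (\S+)$", cmd):
            cfg["acl_permits"].append(ipaddress.ip_network(m.group(1), strict=False))
        elif m := re.match(r"ip local pool lo (\S+) hi (\S+)$", cmd):
            cfg["pool"] = (ipaddress.ip_address(m.group(1)),
                           ipaddress.ip_address(m.group(2)))
    return cfg


def check_vpn_addressing(cfg):
    """Return a list of findings; an empty list means the addressing is consistent."""
    findings = []
    lo, hi = cfg["pool"]
    # The whole client pool must fall inside one ACL permit source, or packets
    # from remote clients are not matched as interesting traffic.
    if not any(lo in n and hi in n for n in cfg["acl_permits"]):
        findings.append("client pool not covered by any ACL permit")
    # The pool must not overlap a local subnet, or the VLAN routing is ambiguous.
    for n in cfg["networks"]:
        if lo in n or hi in n:
            findings.append(f"client pool overlaps local network {n}")
    return findings
```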