VPN Configuration Overview

Enter the crypto key master generate command in Global configuration mode.

Caution: The master encryption key is stored in hardware, not in Flash, and it cannot be read back; the old key can only be overwritten by writing a new one. To ensure router security, it is critical not to compromise the key. There are situations where you may want to keep the key, for example, to save the user database off-line in order to later download it to the XSR. Encrypting the user database requires the same master key; indicate the key designation with the master key specify command. Be aware that if the XSR is inoperable and you press the Default button (on the XSR 1800 Series only), the master key is erased and you must generate a new one.

ACL Configuration Rules

Consider a few general rules when configuring ACLs on the XSR:

Typically, two ACL sets are written, one to filter IPSec/IKE traffic (defined in crypto maps), and a simple set to filter non-IPSec traffic.

When crypto maps and ACLs are configured on the same interface, the XSR gives precedence to the crypto map, which is always consulted before the ACL for both inbound and outbound traffic. If IPSec encrypts or decrypts packets by virtue of a crypto map configuration, then the ACL is ignored.

ACLs entered independently are uni-directional but are used in a bi-directional fashion when later associated with a crypto map through the match address <acl #> command. For more information on the command, refer to the CLI Reference Guide.

A total of 500 ACL entries are permitted by the XSR with 64 MBytes of RAM installed (with a limit of 99 ACLs for IKE/IPSec).

Configuring ACLs

Three simple ACL examples illustrating various CLI options are detailed below. Other crypto map ACLs, defined in greater detail, are configured later in this chapter.

The first ACL example is fairly restrictive. It configures ACL 101 to permit IKE (UDP port 500), GRE, and TCP traffic on any internal host to pass to host 192.168.2.17 (denying all other traffic) and ACL 102 to permit the same type of traffic on that host to connect to any address (denying all other traffic).

The commands on FastEthernet port 2 set ACL 101 to filter inbound traffic, and ACL 102 to filter outbound traffic. Some commands are abbreviated.

XSR(config)#access-list 101 permit udp any host 192.168.2.17 eq 500

XSR(config)#access-list 101 permit gre any host 192.168.2.17

XSR(config)#access-list 101 permit tcp any host 192.168.2.17 established

XSR(config)#access-list 101 deny ip any any

XSR(config)#access-list 102 permit udp host 192.168.2.17 any eq 500

XSR(config)#access-list 102 permit gre host 192.168.2.17 any

XSR(config)#access-list 102 permit tcp host 192.168.2.17 any eq 80

XSR(config)#access-list 102 permit ip host 192.168.2.17 any

XSR(config)#access-list 102 deny ip any any

XSR(config)#interface FastEthernet2

XSR(config-if<F2>)#no shutdown

XSR(config-if<F2>)#ip access-group 101 in

XSR(config-if<F2>)#ip access-group 102 out
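As an added example (not from the XSR guide), the following Python script parses the access-list syntax used above and applies the first-match rule with the implicit deny, so you can check what ACL 101 and ACL 102 actually pass before binding them to an interface. It assumes that eq qualifies the destination port and that established means a TCP packet with ACK or RST set; the sample packets are constructed.

```python
import ipaddress
# Constructed sample input: the two ACLs from the text, one entry per line.
XSR_ACL_CONFIG = """
access-list 101 permit udp any host 192.168.2.17 eq 500
access-list 101 permit gre any host 192.168.2.17
access-list 101 permit tcp any host 192.168.2.17 established
access-list 101 deny ip any any
access-list 102 permit udp host 192.168.2.17 any eq 500
access-list 102 permit gre host 192.168.2.17 any
access-list 102 permit tcp host 192.168.2.17 any eq 80
access-list 102 permit ip host 192.168.2.17 any
access-list 102 deny ip any any
"""

def _take_addr(tokens):
    kind = tokens.pop(0)  # 'any' or 'host A.B.C.D'; None stands for any address
    if kind == "host":
        return ipaddress.ip_address(tokens.pop(0))
    if kind != "any":
        raise ValueError(f"unsupported address form: {kind}")
    return None

def parse_acls(text):
    """Return {acl_number: [(action, proto, src, dst, dport, established), ...]}."""
    acls = {}
    for line in text.split("\n"):
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        num, action, proto, rest = int(t[1]), t[2], t[3], t[4:]
        src, dst, dport, established = _take_addr(rest), _take_addr(rest), None, False
        while rest:
            tok = rest.pop(0)
            if tok == "eq":  # assumed to qualify the destination port
                dport = int(rest.pop(0))
            elif tok == "established":  # TCP replies only (ACK or RST set)
                established = True
            else:
                raise ValueError(f"unknown option {tok!r} in {line!r}")
        acls.setdefault(num, []).append((action, proto, src, dst, dport, established))
    return acls

def evaluate(acl, proto, src, dst, dport=None, established=False):
    """First matching entry decides; falling off the end is the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, d, port, est in acl:
        if p in ("ip", proto) and s in (None, src) and d in (None, dst) \
                and port in (None, dport) and (established or not est):
            return action == "permit"
    return False
```

Checking a TCP packet from 192.168.2.17 to any address on port 443 against ACL 102 shows that the entry permit ip host 192.168.2.17 any already passes it, so the earlier, narrower permits in that list never decide anything.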

XSR User’s Guide 14-21

Enterasys Networks X-PeditionTM manual ACL Configuration Rules, Configuring ACLs