VPN Configuration Overview

Configure IKE policy for the remote peer, assuming that two other IKE proposals (try2 and try3) have been configured:

XSR(config)#crypto isakmp peer 192.168.57.33/32
XSR(config-isakmp-peer)#proposal try1 try2 try3
XSR(config-isakmp-peer)#config-mode gateway
XSR(config-isakmp-peer)#nat auto

Configure the IPSec transform set. You can specify both a kilobyte and a seconds SA lifetime, or just one; whichever configured limit is reached first expires the SA. Some commands are abbreviated. Note that 3DES and DH group 1 are shown here only to illustrate the syntax; they are dated choices, so select the strongest transform and the largest DH group that both peers support.

XSR(config)#crypto ipsec tr esp-3des-sha esp-3des esp-sha-hmac
XSR(cfg-crypto-tran)#set pfs group1
XSR(cfg-crypto-tran)#set sec lifetime kilobytes 500000
XSR(cfg-crypto-tran)#set sec lifetime seconds 3000

Creating Crypto Maps

A crypto map is a Security Policy Database (SPD): it filters and classifies packets and defines the policy applied to those packets. Filtering and classification determine which traffic must be protected; the policy governs the SA negotiation performed (via IKE) on behalf of that traffic.

IPSec crypto maps comprise the following:

Traffic to be protected, configured with the match address sub-command.

Which IPSec peers the protected traffic can be forwarded to, configured with the set peer sub-command. These are peers with which an SA can be negotiated.

Which transform-sets are acceptable for protecting traffic, configured with the set transform-set sub-command.

Which encapsulation type, tunnel or transport, should be used, configured with the mode sub-command.

Whether SAs should be sought for each source/destination host pair, configured with the set security-association level per-host command. This command creates a separate SA per data stream. When it is off, every data stream matching the rule passes through the same SA.

Configuring Crypto Maps

Crypto maps are sets of rules indexed by sequence number. For a given interface, certain traffic can be forwarded to one IPSec peer with specified security applied to it, and other traffic forwarded to the same or a different IPSec peer with different IPSec security applied.

The following sample crypto map highflow with rule #77 is correlated with a pre-configured transform-set and ACL 140. It is attached to a remote gateway, specifying that SAs for traffic matching this rule be requested only with the specified gateway. Per-host SAs are disabled and the default tunnel mode is left unchanged.

XSR(config)#access-list 140 permit ip 192.168.57.0 0.0.0.255 192.168.58.0 0.0.0.255

XSR(config)#crypto map highflow 77
XSR(config-crypto-m)#set transform-set esp-3des-sha
XSR(config-crypto-m)#match address 140
XSR(config-crypto-m)#set peer 192.168.45.12
XSR(config-crypto-m)#no set security-association level per-host
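To make the classification rules above concrete, here is an added Python model of how a crypto map (SPD) selects traffic, chooses an SA selector, and expires SAs by lifetime. It is not Enterasys code and does not talk to an XSR; it imitates the semantics described on this page: IOS-style wildcard-mask ACLs, rules tried in ascending sequence number, traffic that matches no rule left unprotected, per-host versus shared SAs, and a kilobyte and/or seconds lifetime where either limit can be omitted. Rule 77 with ACL 140 and peer 192.168.45.12 comes from the page; rule 10, its ACL, the host 192.168.57.10 and peer 192.168.45.13 are constructed for illustration.

```python
"""Added example (not Enterasys code): a pure-Python model of XSR crypto-map
classification and SA lifetime handling, using the addresses from the page
plus one constructed rule (seq 10) to show sequence-number ordering."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS-style wildcard mask: a 1 bit in the mask means 'don't care',
    so 0.0.0.255 matches any host in the /24 and 0.0.0.0 matches one host."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)


@dataclass
class AclEntry:
    action: str          # "permit" = protect this traffic, "deny" = do not
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def acl_permits(acl: List[AclEntry], src: str, dst: str) -> bool:
    """The first entry whose source and destination match decides;
    an access list ends with an implicit deny."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action == "permit"
    return False


@dataclass
class CryptoMapEntry:
    seq: int                 # rule number; lower sequence numbers are tried first
    acl: List[AclEntry]      # 'match address'
    peer: str                # 'set peer'
    transform_set: str       # 'set transform-set'
    mode: str = "tunnel"     # 'mode tunnel' (default) or 'mode transport'
    per_host: bool = False   # 'set security-association level per-host'


def classify(crypto_map: List[CryptoMapEntry], src: str, dst: str) -> Optional[CryptoMapEntry]:
    """Return the lowest-numbered rule whose ACL permits the flow, or None when
    the traffic is not selected for IPSec at all (it is forwarded unprotected)."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if acl_permits(entry.acl, src, dst):
            return entry
    return None


def sa_selector(entry: CryptoMapEntry, src: str, dst: str) -> Tuple:
    """Key under which an SA is looked up or negotiated. With per-host SAs each
    source/destination host pair gets its own SA; otherwise all traffic
    matching the rule shares one SA with the peer."""
    if entry.per_host:
        return (entry.seq, entry.peer, src, dst)
    return (entry.seq, entry.peer)


@dataclass
class SecurityAssociation:
    selector: Tuple
    life_kbytes: Optional[int] = None   # 'set security-association lifetime kilobytes'
    life_seconds: Optional[int] = None  # 'set security-association lifetime seconds'
    bytes_protected: int = 0
    age_seconds: int = 0

    def needs_rekey(self) -> bool:
        """Either limit may be unset; whichever configured limit is hit first expires the SA."""
        by_volume = self.life_kbytes is not None and self.bytes_protected >= self.life_kbytes * 1024
        by_time = self.life_seconds is not None and self.age_seconds >= self.life_seconds
        return by_volume or by_time


def build_sample_map() -> List[CryptoMapEntry]:
    """Crypto map 'highflow' from the page (rule 77, ACL 140, peer 192.168.45.12)
    plus a constructed rule 10 that carves one host out for per-host SAs to a
    different peer; the rule-10 addresses are hypothetical."""
    acl_140 = [AclEntry("permit", "192.168.57.0", "0.0.0.255", "192.168.58.0", "0.0.0.255")]
    acl_10 = [AclEntry("permit", "192.168.57.10", "0.0.0.0", "192.168.58.0", "0.0.0.255")]
    return [
        CryptoMapEntry(77, acl_140, "192.168.45.12", "esp-3des-sha"),
        CryptoMapEntry(10, acl_10, "192.168.45.13", "esp-3des-sha", per_host=True),
    ]


if __name__ == "__main__":
    cmap = build_sample_map()
    flows = [("192.168.57.5", "192.168.58.9"), ("192.168.57.10", "192.168.58.9"), ("10.0.0.1", "192.168.58.9")]
    for src, dst in flows:
        hit = classify(cmap, src, dst)
        print(src, "->", dst, "rule", hit.seq if hit else None,
              "SA", sa_selector(hit, src, dst) if hit else "not protected")
```

The ordering point is worth noticing: host 192.168.57.10 is covered by ACL 140 as well, but rule 10 is evaluated first because of its lower sequence number, so a broad rule placed at a low number would silently shadow more specific ones added later.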

Enterasys Networks X-Pedition manual, Configuring the Virtual Private Network, page 14-24 (Creating Crypto Maps, Configuring Crypto Maps)