Configuring a Simple VPN Site-to-Site Application

configuration, permit means protect or encrypt, and deny indicates don’t encrypt or allow as is.

XSR(config)#access-list 120 permit ip 141.154.196.64 0.0.0.63 63.81.66.0 0.0.0.255

XSR(config)#access-list 130 permit ip 63.81.64.0 0.0.0.255 63.81.66.0 0.0.0.255

XSR(config)#access-list 140 permit ip 63.81.68.0 0.0.0.255 63.81.66.0 0.0.0.255

4. Set up IKE Phase 1 protection by entering the following commands:

XSR(config)#crypto isakmp proposal Test

+Designates ISAKMP proposal Test and acquires ISAKMP mode

XSR(config-isakmp)#authentication [pre-share rsa]

+Selects pre-shared key (pre-share) or certificate-based RSA signature (rsa) authentication

XSR(config-isakmp)#encryption [aes 3des des]

+Chooses encryption algorithm

XSR(config-isakmp)#hash [md5 sha1]

+Selects hash algorithm used by IKE

XSR(config-isakmp)#group [1 2 5]

+Chooses Diffie-Hellman group

XSR(config-isakmp)#lifetime <seconds>

+Sets IKE lifetime value

5. Configure the IKE policy for the remote peer. Multiple IKE proposals can be configured on each peer participating in IPSec. When IKE negotiation begins, it tries to find a common proposal (policy), that is, one present on both peers with exactly the same encryption, hash, authentication, and Diffie-Hellman parameters (the lifetime does not necessarily have to match).

XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0

+Configures the IKE peer IP address/subnet and acquires ISAKMP mode

XSR(config-isakmp-peer)#proposal Test

+Specifies the proposal list(s) this peer may use (here Test; several proposals, e.g. test1 and test2, may be listed)

XSR(config-isakmp-peer)#exchange mode [main aggressive]

+Selects IKE main or aggressive mode

XSR(config-isakmp-peer)#nat-traversal [auto enabled disabled]

+Selects NAT traversal setting

6. Create a transform-set which adds the specified encryption/data integrity algorithms, 768-bit (Group 1) Diffie-Hellman, and your choice of an SA lifetime. You can specify an SA lifetime of seconds and kilobytes - whichever value runs out first will cause a rekey.

XSR(config)#crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac

+Names transform-set with encryption and data integrity values

XSR(cfg-crypto-tran)#set pfs group1

+Sets the PFS (perfect forward secrecy) Diffie-Hellman group number

XSR(cfg-crypto-tran)#set security-association lifetime [kilobytes seconds]

+Sets SA lifetime in either kilobytes or seconds

7. Configure three crypto map Test entries which correlate with the specified transform-sets and ACLs 140, 130 and 120, attach the map to a remote peer, configure an independent SA for each traffic stream to a host, and select your choice of IPSec mode. Crypto map match statements render the associated ACLs bi-directional.

XSR(config)#crypto map Test 40

+Adds crypto map Test, sequence #40

XSR(config-crypto-m)#set transform-set esp-3des-sha

+Correlates map with the specified transform set
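The proposal-matching rule in step 5 (all four parameters must be identical, lifetime need not be) and the two-lifetime rekey rule in step 6 are easy to get wrong when reviewing a pair of peer configurations by hand. The following Python script is an added example, not Enterasys code: it parses `crypto isakmp proposal` and `crypto ipsec transform-set` lines in the XSR CLI form shown above (prompts such as `XSR(config-isakmp)#` are stripped, so the commands can be pasted as they appear), reports which proposal pair would match, and flags DES/3DES, MD5 and the 768-bit group 1 as weak choices. The function names, the sample configurations, and the rule that the negotiated lifetime is the smaller of the two peers' values are assumptions of this example, not statements from the manual.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Choices a defender would flag today; group 1 is the 768-bit DH group named in step 6.
WEAK_ISAKMP = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}

PROMPT = re.compile(r"^XSR\([^)]*\)#")  # removes 'XSR(config-isakmp)#' style prefixes


@dataclass(frozen=True)
class IsakmpProposal:
    name: str
    authentication: str
    encryption: str
    hash: str
    group: str
    lifetime: int

    def params(self) -> Tuple[str, str, str, str]:
        # Lifetime is left out on purpose: IKE does not require it to match (step 5).
        return (self.authentication, self.encryption, self.hash, self.group)


def _clean(line: str) -> str:
    return PROMPT.sub("", line.strip()).strip()


def parse_isakmp_proposals(config_text: str) -> List[IsakmpProposal]:
    """Collect 'crypto isakmp proposal' blocks from XSR-style CLI text."""
    proposals, cur = [], None
    for raw in config_text.splitlines():
        line = _clean(raw)
        m = re.match(r"crypto isakmp proposal (\S+)$", line)
        if m:
            if cur:
                proposals.append(IsakmpProposal(**cur))
            cur = {"name": m.group(1)}
            continue
        m = re.match(r"(authentication|encryption|hash|group|lifetime) (\S+)$", line)
        if m and cur is not None:
            key, val = m.groups()
            cur[key] = int(val) if key == "lifetime" else val
    if cur:
        proposals.append(IsakmpProposal(**cur))  # raises TypeError if a field is missing
    return proposals


def match_proposals(local: List[IsakmpProposal],
                    remote: List[IsakmpProposal]) -> Optional[Tuple[str, str, int]]:
    """First local proposal (in configured order) that a remote proposal matches exactly.
    Assumption (not stated on the page): the negotiated lifetime is the smaller one."""
    for lp in local:
        for rp in remote:
            if lp.params() == rp.params():
                return lp.name, rp.name, min(lp.lifetime, rp.lifetime)
    return None


def audit(config_text: str) -> List[str]:
    """Flag weak IKE/IPsec choices in proposals, transform-sets and the PFS group."""
    findings = []
    for p in parse_isakmp_proposals(config_text):
        for field, weak in WEAK_ISAKMP.items():
            if getattr(p, field) in weak:
                findings.append(f"isakmp proposal {p.name}: {field} {getattr(p, field)}")
    for raw in config_text.splitlines():
        line = _clean(raw)
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            for alg in m.group(2).split():
                if alg in WEAK_TRANSFORMS:
                    findings.append(f"transform-set {m.group(1)}: {alg}")
        if re.match(r"set pfs group1$", line):
            findings.append("transform-set: pfs group1 (768-bit DH)")
    return findings


def rekey_due(elapsed_seconds: int, kilobytes_sent: int,
              lifetime_seconds: int, lifetime_kilobytes: int) -> bool:
    """Step 6: the SA is rekeyed as soon as either lifetime runs out."""
    return elapsed_seconds >= lifetime_seconds or kilobytes_sent >= lifetime_kilobytes


# Constructed sample: the local peer, typed exactly as in the steps above.
LOCAL_CONFIG = """\
XSR(config)#crypto isakmp proposal Test
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#encryption 3des
XSR(config-isakmp)#hash sha1
XSR(config-isakmp)#group 2
XSR(config-isakmp)#lifetime 28800
XSR(config)#crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
XSR(cfg-crypto-tran)#set pfs group1
"""

# Constructed sample: the remote peer offers AES first, then a 3DES fallback.
REMOTE_CONFIG = """\
crypto isakmp proposal Branch
 authentication pre-share
 encryption aes
 hash sha1
 group 2
 lifetime 3600
crypto isakmp proposal Legacy
 authentication pre-share
 encryption 3des
 hash sha1
 group 2
 lifetime 3600
"""

if __name__ == "__main__":
    local, remote = parse_isakmp_proposals(LOCAL_CONFIG), parse_isakmp_proposals(REMOTE_CONFIG)
    print("negotiated:", match_proposals(local, remote))
    for finding in audit(LOCAL_CONFIG):
        print("weak:", finding)
```

Running the script shows that the local Test proposal is matched by the remote Legacy proposal (Branch differs only in encryption, so it is rejected) and that the audit flags 3DES in both the ISAKMP proposal and the transform-set, plus the group 1 PFS setting; extending WEAK_ISAKMP is the natural place to encode a site's own minimum standard.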

XSR User’s Guide 14-33

Enterasys Networks X-Pedition manual