Configuring the VPN Using EZ-IPSec
XSR User’s Guide 14-35
EZ-IPSec is invoked using the crypto ezipsec command in Interface mode to create a set of standard IPSec policies, relieving you of the complex manual process. It enables dynamic routing over an IPSec tunnel:
- Via Client or Network Extension Mode
- Supporting RIPv2 and OSPF through the tunnel
The security policy automatically created by crypto ezipsec specifies transform-sets for IPSec ESP using 3DES and AES encryption with SHA-1 and MD5 integrity algorithms. IPSec SA lifetimes are set to 100 MBytes and 3600 seconds; whichever limit is reached first triggers a rekey.
EZ-IPSec configuration consists of two components:
- Enabling EZ-IPSec security policies and attaching them to a network interface with crypto ezipsec, configured on any interface other than FastEthernet (XSR 1800 Series) or GigabitEthernet (XSR 3000 Series). Those ports are the trusted-side ports used when Network Extension Mode is in effect.
- Defining a virtual interface (VPN) in point-to-point mode which initiates a tunnel to a gateway XSR.
EZ-IPSec Configuration
The commands below are used to configure a VPN interface on the XSR. The set protocol command selects one of the following modes:
- Client Mode. The virtual interface (interface vpn #) is assigned an address using Mode Config, and an IPSec security policy rule is inserted into the external interface's SPD securing traffic to and from that address. NAPT is enabled on the VPN interface.
- Network Extension Mode. Same as Client Mode except that NAPT is disabled on the VPN interface and two crypto map entries are added to the external interface's SPD. One rule secures traffic to the virtual interface's assigned address and the other secures traffic to the trusted network interface, which is assumed to be Fast/GigabitEthernet 1.
The commands below require manual configuration in conjunction with crypto ezipsec:
    interface vpn [1-255]
    ip address negotiated
    tunnel [Tunnel Name]
    set user [username | certificate]
    set peer [My Remote VPN Server Address]
    set protocol ipsec [client-mode | network-extension-mode]
For example, configure the following Network Extension Mode tunnel:
XSR(config)#interface vpn 1 point-to-point
+ Sets VPN interface 1 to initiate a tunnel connection and enters VPN interface mode. You must always set a Point-to-Point tunnel at the remote site and a Point-to-Multipoint tunnel at the central site.
XSR(config-int-vpn)#ip address negotiated
+ Asks for dynamic virtual IP address assignment of this VPN interface by its peer.
XSR(config-int-vpn)#tunnel Corporate
+ Names the site-to-site tunnel Corporate.
XSR(config-tms-tunnel)#set user My_Remote_site
+ Indicates a pre-shared key is being used. You must add an EZ-IPSec tunnel using the password of this user in the AAA database.
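The following script is an added illustration, not part of the XSR User's Guide or Enterasys software. It models what the guide says about the EZ-IPSec VPN interface: it checks the constraints stated above (VPN interface number 1-255, crypto ezipsec not on a Fast/GigabitEthernet port, a valid protocol mode), renders the manual command sequence, summarises the SPD result each mode produces (one rule with NAPT on for Client Mode, two rules with NAPT off for Network Extension Mode), and applies the 100 MBytes / 3600 seconds whichever-first rekey rule. The external interface name Serial1/0, the peer address 203.0.113.1 and the tunnel, user and indentation shown are constructed assumptions, as are the descriptive transform names; the XSR's own CLI output and policy names are not reproduced.

```python
"""Model of the EZ-IPSec VPN interface as described in the XSR User's Guide.

Added example (not Enterasys code). Interface names, addresses and the
indentation of the rendered commands are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

CLIENT_MODE = "client-mode"
NETWORK_EXTENSION_MODE = "network-extension-mode"

# Values the guide states for the auto-created security policy
# (descriptive labels, not XSR transform-set names).
TRANSFORMS = (("3DES", "SHA-1"), ("3DES", "MD5"), ("AES", "SHA-1"), ("AES", "MD5"))
SA_LIFETIME_MBYTES = 100
SA_LIFETIME_SECONDS = 3600


@dataclass
class VpnTunnel:
    vpn_number: int          # interface vpn [1-255]
    tunnel_name: str         # tunnel [Tunnel Name]
    user: str                # set user [username | certificate]
    peer: str                # set peer [My Remote VPN Server Address]
    mode: str                # client-mode | network-extension-mode
    external_interface: str = "Serial1/0"   # assumed name of the untrusted port


def validate(t: VpnTunnel) -> None:
    """Reject parameters that violate the constraints stated in the guide."""
    if not 1 <= t.vpn_number <= 255:
        raise ValueError("interface vpn number must be in the range 1-255")
    if t.mode not in (CLIENT_MODE, NETWORK_EXTENSION_MODE):
        raise ValueError("set protocol ipsec mode must be client-mode or network-extension-mode")
    # crypto ezipsec belongs on any interface other than the Fast/GigabitEthernet
    # trusted-side ports, which Network Extension Mode uses for the protected network.
    if t.external_interface.startswith(("FastEthernet", "GigabitEthernet")):
        raise ValueError("crypto ezipsec must not be applied to a Fast/GigabitEthernet port")


def render_commands(t: VpnTunnel) -> List[str]:
    """Render the crypto ezipsec attachment plus the manual VPN interface commands."""
    validate(t)
    return [
        f"interface {t.external_interface}",
        " crypto ezipsec",
        f"interface vpn {t.vpn_number} point-to-point",   # remote site: point-to-point
        " ip address negotiated",                          # address assigned by peer (Mode Config)
        f" tunnel {t.tunnel_name}",
        f"  set user {t.user}",                            # pre-shared key user in AAA, or certificate
        f"  set peer {t.peer}",
        f"  set protocol ipsec {t.mode}",
    ]


def policy_summary(t: VpnTunnel) -> Dict[str, object]:
    """Describe the SPD rules and NAPT state the guide attributes to each mode."""
    validate(t)
    if t.mode == CLIENT_MODE:
        napt_enabled = True
        spd_rules = ["secure traffic to and from the negotiated virtual address"]
    else:
        napt_enabled = False
        spd_rules = [
            "secure traffic to the virtual interface's assigned address",
            "secure traffic to the trusted network interface (Fast/GigabitEthernet 1)",
        ]
    return {
        "napt_on_vpn_interface": napt_enabled,
        "spd_rules": spd_rules,
        "transforms": TRANSFORMS,
        "lifetime_mbytes": SA_LIFETIME_MBYTES,
        "lifetime_seconds": SA_LIFETIME_SECONDS,
    }


def rekey_due(mbytes_transferred: float, seconds_elapsed: int) -> bool:
    """An IPSec SA rekeys when either lifetime limit is reached, whichever comes first."""
    return mbytes_transferred >= SA_LIFETIME_MBYTES or seconds_elapsed >= SA_LIFETIME_SECONDS


if __name__ == "__main__":
    # Constructed example mirroring the guide's Network Extension Mode tunnel.
    tunnel = VpnTunnel(1, "Corporate", "My_Remote_site", "203.0.113.1", NETWORK_EXTENSION_MODE)
    print("\n".join(render_commands(tunnel)))
    print(policy_summary(tunnel))
```

The summary returned by policy_summary is what an operator should expect to see reflected on the external interface after crypto ezipsec runs: Client Mode yields a single SPD rule for the negotiated address with NAPT on, whereas Network Extension Mode yields the extra rule for the trusted Fast/GigabitEthernet 1 network with NAPT off, so hosts behind the remote XSR are reachable with their real addresses.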