Enterasys Networks X-PeditionTM manual Add ACLs to permit IP and UDP traffic

Configuration Examples

Figure 14-12 EZ-IPSec Client, XP Client and Gateway Topology

Begin by setting the XSR system time via SNTP. This configuration is critical for XSRs which use time-sensitive certificates.

XSR(config)#sntp-client server 10.120.84.3

XSR(config)#sntp-client poll-interval 60

Add ACLs to permit IP and UDP traffic:

XSR(config)#access-list 130 permit udp any any eq 500

XSR(config)#access-list 130 permit gre any any

XSR(config)#access-list 130 permit tcp any any est

XSR(config)#access-list 130 permit tcp any any eq 1723

XSR(config)#access-list 130 deny ip any any

Add ACLs for IP local pool/EZ-IPSec, Network Extension address and L2TP:

XSR(config)#access-list 110 permit ip any 10.120.70.0 0.0.0.255 XSR(config)#access-list 120 permit udp any any eq 1701 XSR(config)#access-list 140 permit ip any 172.16.1.0 0.0.0.255 XSR(config)#access-list 150 permit ip any 192.168.111.0 0.0.0.255

Define IKE Phase I security parameters with the following two policies:

XSR(config)#crypto isakmp proposal xp-soho

XSR(config-isakmp)#hash md5

XSR(config-isakmp)#lifetime 50000

XSR(config)#crypto isakmp proposal p2p

XSR(config-isakmp)#authentication pre-share

XSR(config-isakmp)#lifetime 50000

Configure IKE policy for the remote peer:

XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0

XSR(config-isakmp-peer)#proposal xp-soho p2p

XSR(config-isakmp-peer)#config-mode gateway

XSR(config-isakmp-peer)#nat-traversal automatic

Configure the following four IPSec SAs:

XSR(config)#crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac XSR(cfg-crypto-tran)#no set security-association lifetime kilobytes

XSR User’s Guide 14-37