Configuration Examples

Figure 14-12 EZ-IPSec Client, XP Client and Gateway Topology

[Figure: topology diagram. Labels in the figure, in order: Branch Office; Central Site; EZ-IPSec client; Terminates EZ-IPSec Client Mode; PPPoE; Terminates L2TP/IPSec clients; Internet; interface FastEthernet 2, XSR, 141.154.196.87, Robo6; FastEthernet 1, XSR, 172.16.1.1, RoboPez; CA server; FastEthernet 1, 10.120.112.6; Remote Access; Windows XP - L2TP/IPSec or PPTP Client.]

Begin by setting the XSR system time via SNTP. This configuration is critical for XSRs which use time-sensitive certificates.

XSR(config)#sntp-client server 10.120.84.3

XSR(config)#sntp-client poll-interval 60

Add ACLs to permit IP and UDP traffic:

XSR(config)#access-list 130 permit udp any any eq 500

XSR(config)#access-list 130 permit gre any any

XSR(config)#access-list 130 permit tcp any any est

XSR(config)#access-list 130 permit tcp any any eq 1723

XSR(config)#access-list 130 deny ip any any

Add ACLs for IP local pool/EZ-IPSec, Network Extension address and L2TP:

XSR(config)#access-list 110 permit ip any 10.120.70.0 0.0.0.255

XSR(config)#access-list 120 permit udp any any eq 1701

XSR(config)#access-list 140 permit ip any 172.16.1.0 0.0.0.255

XSR(config)#access-list 150 permit ip any 192.168.111.0 0.0.0.255
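As an added example (not from the XSR guide), the following Python models first-match evaluation of the access-list lines above, including wildcard masks and the est keyword, so the effect of each entry can be checked against constructed packets. The evaluation semantics (first match wins, implicit deny, est = established TCP) are the conventional router ACL model and are an assumption about how the XSR applies them.

```python
import ipaddress
from dataclasses import dataclass

# Constructed copy of the access-list lines shown above (ACL 130 and the ACL 110 selector).
ACL_LINES = """
access-list 130 permit udp any any eq 500
access-list 130 permit gre any any
access-list 130 permit tcp any any est
access-list 130 permit tcp any any eq 1723
access-list 130 deny ip any any
access-list 110 permit ip any 10.120.70.0 0.0.0.255
""".strip().splitlines()

@dataclass
class Packet:
    proto: str                  # "udp", "tcp" or "gre"
    src: str
    dst: str
    dport: int = 0
    established: bool = False   # TCP segment with ACK/RST set (what "est" matches)

def parse_addr(tok):
    """Consume 'any' or 'address wildcard'; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    # Assumes a contiguous wildcard mask: 0.0.0.255 -> /24
    prefix = 32 - bin(int(ipaddress.ip_address(tok[1]))).count("1")
    return ipaddress.ip_network(f"{tok[0]}/{prefix}", strict=False), tok[2:]

def parse_rule(line):
    """Parse one 'access-list N permit|deny proto src dst [eq port | est]' line."""
    tok = line.split()
    src, rest = parse_addr(tok[4:])
    dst, rest = parse_addr(rest)
    return {"acl": int(tok[1]), "action": tok[2], "proto": tok[3], "src": src, "dst": dst,
            "port": int(rest[1]) if rest[:1] == ["eq"] else None, "est": rest[:1] == ["est"]}

RULES = [parse_rule(line) for line in ACL_LINES]

def evaluate(acl, pkt):
    """First matching entry of the numbered ACL wins; no match means implicit deny."""
    for r in (r for r in RULES if r["acl"] == acl):
        if r["proto"] not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in r["src"] or ipaddress.ip_address(pkt.dst) not in r["dst"]:
            continue
        if r["port"] is not None and r["port"] != pkt.dport:
            continue
        if r["est"] and not pkt.established:
            continue
        return r["action"]
    return "deny"
```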

Define IKE Phase I security parameters with the following two policies:

XSR(config)#crypto isakmp proposal xp-soho

XSR(config-isakmp)#hash md5

XSR(config-isakmp)#lifetime 50000

XSR(config)#crypto isakmp proposal p2p

XSR(config-isakmp)#authentication pre-share

XSR(config-isakmp)#lifetime 50000

Configure IKE policy for the remote peer:

XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0

XSR(config-isakmp-peer)#proposal xp-soho p2p

XSR(config-isakmp-peer)#config-mode gateway

XSR(config-isakmp-peer)#nat-traversal automatic

Configure the following four IPSec SAs:

XSR(config)#crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac

XSR(cfg-crypto-tran)#no set security-association lifetime kilobytes

XSR User’s Guide 14-37

Enterasys Networks X-Pedition manual