Configuration Examples

XSR(config-tms-tunnel)#ip ospf dead-interval 4

XSR(config-tms-tunnel)#ip ospf hello-interval 1

XSR(config-tms-tunnel)#ip ospf cost 100

9. Configure a default static route to the next hop Internet router:

XSR(config)#ip route 0.0.0.0 0.0.0.0 63.81.64.1

10. Enable OSPF on the trusted and VPN interfaces:

XSR(config)#router ospf 1

XSR(config-router)#network 10.120.84.0 0.0.0.255 area 0.0.0.0

XSR(config-router)#network 192.168.1.0 0.0.0.255 area 0.0.0.0

Tunnel B: XSR-1805 VPN GRE Site-to-Site Tunnel

This configuration shows an example of a single GRE over IPSec tunnel between an XSR-3250 and an XSR-1805 using IKE shared secrets for authentication.

1. Repeat Steps 1 and 2 as described in Tunnel A configuration.

2. Specify the IP address of the remote peer for IKE negotiation, here any peer (0.0.0.0 0.0.0.0), using the ISAKMP proposal shared:

XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0

XSR(config-isakmp-peer)#proposal shared

3. Specify the same set of IPSec security parameters as in Step 4.

4. Create crypto map gre allowing IPSec transport mode traffic matching the GRE ACL created above. The crypto map also allows the use of any of the three IPSec security parameters (aes-md5, 3des-md5, 3des-sha) created above. Be aware that the peer address is set to the public Internet address terminating the GRE tunnel.

XSR(config)#crypto map gre 191

XSR(config-crypto-m)#set transform-set aes-md5 3des-md5 3des-sha

XSR(config-crypto-m)#match address 190

XSR(config-crypto-m)#set peer 63.81.64.101

XSR(config-crypto-m)#mode transport

XSR(config-crypto-m)#set security-association level per-host

!

XSR(config)#crypto map gre 190

XSR(config-crypto-m)#set transform-set aes-md5 3des-md5 3des-sha

XSR(config-crypto-m)#match address 190

XSR(config-crypto-m)#set peer 63.81.64.100

XSR(config-crypto-m)#mode transport

XSR(config-crypto-m)#set security-association level per-host

5. Add FastEthernet interface 1 as the trusted or private VPN interface - it is connected to the remote network.

XSR(config)#interface fastethernet 1

XSR(config-if<F1>)#ip address 172.16.84.1 255.255.255.0

XSR(config-if<F1>)#ip firewall disable

XSR(config-if<F1>)#no shutdown

6. Add FastEthernet interface 2 as the external or public VPN interface - it is directly connected to the Internet. Attach crypto map gre to this interface to allow IKE and IPSec traffic processing.

XSR(config)#interface fastethernet 2

XSR(config-if<F2>)#crypto map gre
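A review aid for the Tunnel B crypto statements above, added here as an example and not taken from the Enterasys manual: a short Python parser that strips the XSR prompts, collects each crypto map gre entry, and lists settings worth a second look before deployment. The function names, the finding wording, and the assumption that transform-set names reflect the algorithms they configure are this example's own.

```python
import re

# Constructed sample: the crypto statements from the Tunnel B steps, prompts included.
SAMPLE = """\
XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0
XSR(config-isakmp-peer)#proposal shared
XSR(config)#crypto map gre 191
XSR(config-crypto-m)#set transform-set aes-md5 3des-md5 3des-sha
XSR(config-crypto-m)#match address 190
XSR(config-crypto-m)#set peer 63.81.64.101
XSR(config-crypto-m)#mode transport
XSR(config)#crypto map gre 190
XSR(config-crypto-m)#set transform-set aes-md5 3des-md5 3des-sha
XSR(config-crypto-m)#match address 190
XSR(config-crypto-m)#set peer 63.81.64.100
XSR(config-crypto-m)#mode transport
"""

def parse(text):
    """Return (wildcard_ike_peer, {seq: entry}) from prompt-prefixed XSR commands."""
    wildcard, maps, cur = False, {}, None
    for line in text.splitlines():
        cmd = re.sub(r"^XSR\([^)]*\)#", "", line.strip())
        if cmd == "crypto isakmp peer 0.0.0.0 0.0.0.0":
            wildcard, cur = True, None
        elif m := re.fullmatch(r"crypto map (\S+) (\d+)", cmd):
            cur = maps.setdefault(int(m[2]), {"name": m[1], "sets": []})
        elif cur is None:
            continue  # not inside a crypto map entry
        elif cmd.startswith("set transform-set "):
            cur["sets"] = cmd.split()[2:]
        elif m := re.fullmatch(r"(match address|set peer|mode) (\S+)", cmd):
            cur[m[1]] = m[2]  # keyed by the command keyword itself
    return wildcard, maps

def audit(text):
    """Return review findings as strings; an empty list means nothing was flagged."""
    wildcard, maps = parse(text)
    findings = []
    if wildcard:
        findings.append("IKE peer 0.0.0.0 0.0.0.0: any remote address may negotiate IKE")
    for seq, e in sorted(maps.items()):
        weak = [s for s in e["sets"] if "md5" in s.lower()]  # assumption: name = algorithm
        if weak:
            findings.append(f"crypto map {e['name']} {seq}: offers MD5-named transform-sets {weak}")
        if e.get("mode") != "transport" or "set peer" not in e or "match address" not in e:
            findings.append(f"crypto map {e['name']} {seq}: missing peer, ACL match, or transport mode")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
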

14-42 Configuring the Virtual Private Network

Enterasys Networks X-PeditionTM manual Tunnel B XSR-1805 VPN GRE Site-to-Site Tunnel