Enterasys Networks XSR-3020 manual Generate Master Encryption Key, Configure Access Control Lists

Models: XSR-3020

VPN Site-to-Site Sample Configuration

Generate Master Encryption Key

If you have not already generated a master encryption key, you must do so now to configure the VPN. A master key need only be generated once.

Caution: The master encryption key is stored in hardware, not Flash, and it cannot be read back; the only possible operation is to overwrite the old key by writing a new one. To ensure router security, it is critical not to compromise the key. There are situations where you may want to keep the key, for example, to save the user database off-line in order to later download it to the XSR: encrypting the user database requires the same master key, which you designate with the master key specify command. Be aware that if the XSR becomes inoperable you may have to return to factory defaults, which erases the master key and forces you to generate a new one.

Generate the master key:

XSR(config)#crypto key master generate
New key is 2173 4521 3764 2ff5 163b 4bdf fe92 dbc1 1232 ffe0 f8d9 3649

Configure Access Control Lists

ACL 101, configured below, is strongly restrictive: it denies all but IKE traffic (well-known port 500) through the router. ACLs 190, 191, and 192 are crypto map filters configured to accept any IPSec-encrypted traffic over site-to-site tunnels and pass that traffic to the three specified networks only.

XSR(config)#access-list 101 permit udp any any eq 500
XSR(config)#access-list 101 permit udp esp any any
XSR(config)#access-list 101 permit udp ah any any
XSR(config)#access-list 101 deny ip any any
XSR(config)#access-list 190 permit ip any 112.16.72.0 0.0.0.255
XSR(config)#access-list 191 permit ip any 112.16.76.0 0.0.0.255
XSR(config)#access-list 192 permit ip any 112.16.80.0 0.0.0.255
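As an added check (example code written for this page, not Enterasys tooling or router output), the following Python models the ACL entries above with first-match semantics and Cisco-style wildcard masks, so the intended policy can be tested against sample packets before it is applied to the XSR. It assumes that the manual's `udp esp` and `udp ah` spellings name the ESP and AH protocols, and the embedded configuration is a constructed copy of the lines above.

```python
import ipaddress
# Constructed sample mirroring the manual's ACL lines (not output captured from a router).
SAMPLE_CONFIG = """
XSR(config)#access-list 101 permit udp any any eq 500
XSR(config)#access-list 101 permit udp esp any any
XSR(config)#access-list 101 permit udp ah any any
XSR(config)#access-list 101 deny ip any any
XSR(config)#access-list 190 permit ip any 112.16.72.0 0.0.0.255
XSR(config)#access-list 191 permit ip any 112.16.76.0 0.0.0.255
XSR(config)#access-list 192 permit ip any 112.16.80.0 0.0.0.255
"""
PROTOCOLS = {"ip", "udp", "tcp", "esp", "ah"}
ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 with an all-ones wildcard: every address matches

def _take_addr(tok):
    """Consume 'any' or 'BASE WILDCARD' plus an optional 'eq PORT'; return ((base, wildcard), port)."""
    first = tok.pop(0)
    net = ANY if first == "any" else (int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0))))
    port = int(tok[1]) if tok[:1] == ["eq"] else None
    del tok[:2 if port is not None else 0]
    return net, port

def parse_config(text):
    """Return (acl, permit, proto, src, dst, dport) tuples in configured order."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split("#", 1)[-1].split()  # drop the 'XSR(config)#' prompt
        if tok[:1] != ["access-list"]:
            continue
        acl, permit, rest, proto = int(tok[1]), tok[2] == "permit", tok[3:], None
        while rest and rest[0] in PROTOCOLS:  # manual writes 'udp esp'; assume the last keyword is the protocol
            proto = rest.pop(0)
        src, _ = _take_addr(rest)
        dst, dport = _take_addr(rest)
        rules.append((acl, permit, proto, src, dst, dport))
    return rules

def _in_range(addr, net):
    base, wild = net  # a set wildcard bit means "don't care"
    return (int(ipaddress.IPv4Address(addr)) | wild) == (base | wild)

def evaluate(rules, acl, proto, src, dst, dport=None):
    """First matching entry of the named ACL decides; no match is an implicit deny."""
    for r_acl, permit, r_proto, r_src, r_dst, r_dport in rules:
        if (r_acl == acl and r_proto in ("ip", proto)
                and _in_range(src, r_src) and _in_range(dst, r_dst)
                and (r_dport is None or r_dport == dport)):
            return "permit" if permit else "deny"
    return "deny"
```

Evaluating UDP port 4500 against ACL 101 returns deny: NAT traversal (RFC 3947/3948) carries ESP inside UDP port 4500, so a deployment that relies on `nat-traversal automatic` needs a corresponding permit in the IKE ACL.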

Set Up IKE Phase I Security

The following proposal sets pre-shared authentication and MD5 hashing:

XSR(config)#crypto isakmp proposal acme
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#hash md5

Configure IKE Policy for Remote Peer

The following configuration specifies the XSR’s remote peer address as any peer matching its IKE policy, sets NAT traversal to automatically detect routers performing NAT between the tunnel endpoints, and directs the XSR to switch on UDP encapsulation when one is found.

It also designates the peer as a gateway that will initiate configuration mode during IKE negotiation:

XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0
XSR(config-isakmp-peer)#proposal acme
XSR(config-isakmp-peer)#config-mode gateway
XSR(config-isakmp-peer)#nat-traversal automatic

XSR Getting Started Guide 3-27