VPN Sample Configuration with Network Extension Mode
3-32 Software Configuration
Create the user(s), specify an IP address from the virtual subnet, and assign a password:
XSR(config)#aaa user nem-test
XSR(config)#password welcome
XSR(config)#aaa user jeffb
XSR(config)#password welcome
Check to make sure the transforms and proposals were created properly:
XSR#show crypto ipsec transform-set
Name PFS ESP ESP-AH AH IPCOMP
---- --- --- ------ -- ------
*ez-esp-3des-sha-pfs Modp768 3DES HMAC-SHA None None
*ez-esp-3des-sha-no-pfs Disabled 3DES HMAC-SHA None None
*ez-esp-3des-md5-pfs Modp768 3DES HMAC-MD5 None None
*ez-esp-3des-md5-no-pfs Disabled 3DES HMAC-MD5 None None
*ez-esp-aes-sha-pfs Modp768 AES HMAC-SHA None None
*ez-esp-aes-sha-no-pfs Disabled AES HMAC-SHA None None
*ez-esp-aes-md5-pfs Modp768 AES HMAC-MD5 None None
*ez-esp-aes-md5-no-pfs Disabled AES HMAC-MD5 None None
XSR#show crypto isakmp proposal
Name Authentication Encrypt Integrity Group Lifetime
---- -------------- ------- --------- ----- --------
*ez-ike-3des-sha-psk PreSharedKeys 3DES HMAC-SHA Modp1024 28800
*ez-ike-3des-md5-psk PreSharedKeys 3DES HMAC-MD5 Modp1024 28800
*ez-ike-3des-sha-rsa RSASignature 3DES HMAC-SHA Modp1024 28800
*ez-ike-3des-md5-rsa RSASignature 3DES HMAC-MD5 Modp1024 28800
Create the ISAKMP IKE global peer (entered from global configuration mode, as with the other configuration commands on this page):
XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0
XSR(config)#config-mode gateway
XSR(config)#exchange-mode aggressive
XSR(config)#proposal ez-ike-3des-sha-psk ez-ike-3des-md5-psk
Create the ACLs for the trusted subnets of the XSR and for the virtual subnet of the XSR:
XSR(config)#access-list 101 permit ip any 10.11.11.0 0.0.0.255
XSR(config)#access-list 102 permit ip any 10.12.12.0 0.0.0.255
XSR(config)#access-list 103 permit ip any 10.10.10.0 0.0.0.255
Create a crypto map entry for each ACL; tunnel mode, the more protective mode, is set by default. The match statements make the associated ACLs bi-directional:
XSR(config)#crypto map test 101
XSR(config)#set transform-set ez-esp-3des-sha-pfs
XSR(config)#match address 101
XSR(config)#crypto map test 102
XSR(config)#set transform-set ez-esp-3des-sha-pfs
XSR(config)#match address 102
XSR(config)#crypto map test 103
XSR(config)#set transform-set ez-esp-3des-sha-pfs
XSR(config)#match address 103
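The two show listings and the ISAKMP peer block above, run through a small audit script added here (my own code, not part of the XSR guide) that flags the parameters a reviewer would question before deploying this sample as-is; the sample inputs are copied from this page, and the weak-value list and its messages are my own assumptions:

```python
# Sample inputs copied from this page's listings (constructed for this example).
TRANSFORM_SETS = """\
Name PFS ESP ESP-AH AH IPCOMP
---- --- --- ------ -- ------
*ez-esp-3des-sha-pfs Modp768 3DES HMAC-SHA None None
*ez-esp-aes-sha-no-pfs Disabled AES HMAC-SHA None None
"""
PROPOSALS = """\
Name Authentication Encrypt Integrity Group Lifetime
---- -------------- ------- --------- ----- --------
*ez-ike-3des-sha-psk PreSharedKeys 3DES HMAC-SHA Modp1024 28800
*ez-ike-3des-sha-rsa RSASignature 3DES HMAC-SHA Modp1024 28800
"""
PEER_BLOCK = """\
crypto isakmp peer 0.0.0.0 0.0.0.0
config-mode gateway
exchange-mode aggressive
proposal ez-ike-3des-sha-psk ez-ike-3des-md5-psk
"""
# Column values worth a finding wherever they appear (thresholds are my own).
WEAK = {
    "3DES": "64-bit block cipher; prefer AES",
    "HMAC-MD5": "MD5 integrity; prefer SHA",
    "Modp768": "768-bit DH group; far too small",
    "Modp1024": "1024-bit DH group; prefer 2048-bit or larger",
}

def parse_table(text):
    """Turn whitespace-separated 'show' output into one dict per row."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split()
    return [dict(zip(header, l.split())) for l in lines[2:]]  # skip the dashes

def audit_table(rows):
    """Map each flagged entry (name without the leading '*') to its findings."""
    out = {}
    for row in rows:
        hits = [f"{k}={v}: {WEAK[v]}" for k, v in row.items() if v in WEAK]
        if hits:
            out[row["Name"].lstrip("*")] = hits
    return out

def audit_peer(block, proposals):
    """Flag aggressive mode when a selected proposal authenticates with a PSK."""
    psk = {r["Name"].lstrip("*") for r in proposals if r["Authentication"] == "PreSharedKeys"}
    lines = block.splitlines()
    chosen = {w for l in lines if l.startswith("proposal ") for w in l.split()[1:]}
    if "exchange-mode aggressive" in lines and psk & chosen:
        return [f"aggressive mode with PSK proposal(s) {sorted(psk & chosen)}: PSK hash sent unencrypted, exposed to offline guessing"]
    return []
```

Feed it the real `show` output and the peer block from a running XSR to get the same report for a live configuration.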