SROS Command Line Interface Reference Guide

Global Configuration Mode Command Set


(config)#crypto ike policy 10
(config-ike)#no local-id
(config-ike)#peer 63.105.15.129
(config-ike)#initiate aggressive
(config-ike)#respond anymode
(config-ike)#attribute 10
(config-ike-attribute)#encryption 3des
(config-ike-attribute)#hash sha
(config-ike-attribute)#authentication pre-share
(config-ike-attribute)#group 1
(config-ike-attribute)#lifetime 86400

Step 5:

Define the remote-id settings. The crypto ike remote-id command is used to define the remote-id for a peer connecting to the system, to specify the preshared-key associated with that remote-id, and (optionally) to indicate that the peer matching this remote-id should not use mode config (by using the no-mode-config keyword). See crypto ike remote-id on page 227 for more information.

(config)#crypto ike remote-id address 63.105.15.129 preshared-key mysecret123

Step 6:

Define the transform-set. A transform-set defines the encryption and/or authentication algorithms to be used to secure the data transmitted over the VPN tunnel. Multiple transform-sets may be defined in a system. Once a transform-set is defined, many different crypto maps within the system can reference it. In this example, a transform-set named highly_secure has been created. This transform-set defines ESP with Authentication implemented using 3DES encryption and SHA1 authentication.

(config)#crypto ipsec transform-set highly_secure esp-3des esp-sha-hmac

(cfg-crypto-trans)#mode tunnel
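To make concrete what the esp-sha-hmac half of this transform-set provides, the following is an added example (not code from the manual or from HP): it builds and checks the ESP integrity check value, HMAC-SHA-1 truncated to 96 bits as specified in RFC 2404, over the SPI, sequence number and encrypted body. The 3DES encryption step is deliberately left out; the body is treated as bytes the cipher has already produced, and the key and packet contents are constructed values. Note that 3DES and DH group 1 as used on this page are now considered weak; the integrity mechanism shown here is the same regardless of the cipher chosen.

```python
import hashlib
import hmac
import struct

# HMAC-SHA-1-96 (RFC 2404): the 20-byte SHA-1 HMAC is truncated to 12 bytes.
ICV_LEN = 12
ESP_HDR = struct.Struct("!II")  # SPI (4 bytes) followed by sequence number (4 bytes)

# Constructed authentication key for the example; a real SA derives this from IKE.
AUTH_KEY = bytes(range(20))


def esp_icv(auth_key: bytes, spi: int, seq: int, body: bytes) -> bytes:
    """Integrity check value over the ESP header and the (already encrypted) body."""
    header = ESP_HDR.pack(spi, seq)
    return hmac.new(auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]


def build_esp(auth_key: bytes, spi: int, seq: int, body: bytes) -> bytes:
    """Assemble SPI || seq || body || ICV as the sender would."""
    return ESP_HDR.pack(spi, seq) + body + esp_icv(auth_key, spi, seq, body)


def verify_esp(auth_key: bytes, packet: bytes):
    """Return (spi, seq, body) if the ICV checks out, else None.

    Verification happens before any decryption, so a modified or forged
    packet is rejected without the cipher ever touching it.
    """
    if len(packet) < ESP_HDR.size + ICV_LEN:
        return None
    spi, seq = ESP_HDR.unpack_from(packet)
    body = packet[ESP_HDR.size:-ICV_LEN]
    icv = packet[-ICV_LEN:]
    # Constant-time comparison so timing does not leak how many ICV bytes matched.
    if not hmac.compare_digest(icv, esp_icv(auth_key, spi, seq, body)):
        return None
    return spi, seq, body


def tamper_detected(auth_key: bytes, packet: bytes, offset: int) -> bool:
    """Flip one bit at `offset` and report whether verification rejects the packet."""
    altered = bytearray(packet)
    altered[offset] ^= 0x01
    return verify_esp(auth_key, bytes(altered)) is None


if __name__ == "__main__":
    # Constructed sample: SPI 0x1000, sequence 1, 32 bytes standing in for 3DES output.
    pkt = build_esp(AUTH_KEY, 0x1000, 1, b"\xaa" * 32)
    print("valid packet accepted:", verify_esp(AUTH_KEY, pkt) is not None)
    print("modified body rejected:", tamper_detected(AUTH_KEY, pkt, 12))
    print("modified sequence rejected:", tamper_detected(AUTH_KEY, pkt, 7))
```

The sequence number is covered by the ICV, which is why ESP's anti-replay window can trust it: an attacker cannot renumber a captured packet without invalidating the check.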

Step 7:

Define an ip-access list. An Extended Access Control List is used to specify which traffic needs to be sent securely over the VPN tunnel. The entries in the list are defined with respect to the local system. The source IP address will be the source of the traffic to be encrypted. The destination IP address will be the receiver of the data on the other side of the VPN tunnel.

(config)#ip access-list extended corporate_traffic
(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log
(config-ext-nacl)#deny ip any any
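The wildcard-mask and "defined with respect to the local system" points above are easy to get backwards, so here is an added example (not code from the manual or from HP) that evaluates the corporate_traffic list against sample flows and derives the mirror-image list the peer at 63.105.15.129 needs. Addresses are the ones on this page; the flows tested are constructed. A wildcard bit of 0 means "must match", so 0.0.0.255 selects a /24; a flow that hits no permit entry is not sent through the tunnel.

```python
import ipaddress

# Each entry: (action, src_addr, src_wildcard, dst_addr, dst_wildcard), as on the page.
CORPORATE_TRAFFIC = [
    ("permit", "10.10.10.0", "0.0.0.255", "10.10.20.0", "0.0.0.255"),
    ("deny", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),  # deny ip any any
]


def wildcard_match(ip: str, addr: str, wildcard: str) -> bool:
    """True if `ip` matches `addr` on every bit the wildcard mask sets to 0."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & mask) == (int(ipaddress.IPv4Address(addr)) & mask)


def acl_action(acl, src: str, dst: str) -> str:
    """First-match evaluation; anything unmatched hits the implicit deny."""
    for action, sa, sw, da, dw in acl:
        if wildcard_match(src, sa, sw) and wildcard_match(dst, da, dw):
            return action
    return "deny"


def mirror_acl(acl):
    """The remote peer's crypto ACL must be the mirror image: swap source and destination."""
    return [(action, da, dw, sa, sw) for action, sa, sw, da, dw in acl]


def wildcard_to_cidr(addr: str, wildcard: str) -> str:
    """Render an address/wildcard pair as CIDR for readability (e.g. 10.10.10.0/24)."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False))


if __name__ == "__main__":
    # Constructed flows seen from the local router.
    for src, dst in [("10.10.10.5", "10.10.20.7"),   # LAN to remote LAN: encrypted
                     ("10.10.10.5", "192.0.2.1"),    # LAN to Internet: not tunnelled
                     ("10.10.20.7", "10.10.10.5")]:  # reverse direction, local ACL
        print(src, "->", dst, acl_action(CORPORATE_TRAFFIC, src, dst))
    print("peer side should permit:",
          [(wildcard_to_cidr(sa, sw), wildcard_to_cidr(da, dw))
           for action, sa, sw, da, dw in mirror_acl(CORPORATE_TRAFFIC) if action == "permit"])
```

The third flow shows why the mirror matters: traffic arriving from 10.10.20.0/24 is matched by the peer's list on its side, not by a reversed entry here, and a non-mirrored pair of lists typically produces tunnels that only come up in one direction.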

Step 8:

Create crypto map. A Crypto Map is used to define a set of encryption schemes to be used for a given interface. A crypto map entry has a unique index within the crypto map set. The crypto map entry will specify whether IKE is used to generate encryption keys or if manually specified keys will be used. The crypto map entry will also specify who will be terminating the VPN tunnel, as well as which transform-set or

5991-2114

© Copyright 2005 Hewlett-Packard Development Company, L.P.

225
