SROS Command Line Interface Reference Guide

Crypto Map Manual Command Set

Step 5:

Create crypto map and define manual keys. A crypto map defines the set of encryption schemes to be used on a given interface. Each crypto map entry has a unique index within the crypto map set. The entry specifies whether IKE generates the encryption keys or manually specified keys are used, which peer terminates the VPN tunnel, and which transform-set or sets encrypt and/or authenticate the traffic on that tunnel. It also specifies the lifetime of all IPSec Security Associations it creates.

The keys for the algorithms defined in the transform-set associated with the crypto map are defined with the set session-key command. A separate key is needed for inbound and for outbound traffic. The key format is a string of hexadecimal values, two hexadecimal digits per character with no leading 0x. For example, a cipher key of "this is my cipher key" would be entered as:

74686973206973206D7920636970686572206B6579.

A unique Security Parameter Index (SPI) is needed for both inbound and outbound traffic. The local system's inbound SPI and keys will be the peer's outbound SPI and keys. The local system's outbound SPI and keys will be the peer's inbound SPI and keys. In this example the following keys and SPIs are used:

Inbound cipher SPI: 300

Inbound cipher key: "2te$#g89jnr(j!@4rvnfhg5e"

Outbound cipher SPI: 400

Outbound cipher key: "8564hgjelrign*&(gnb#1$d3"

Inbound authenticator key: "r5%^ughembkdhj34$x.<"

Outbound authenticator key: "io78*7gner#4(mgnsd!3"

(config)#crypto map corporate_vpn 1 ipsec-manual

(config-crypto-map)#match address corporate_traffic

(config-crypto-map)#set peer 63.105.15.129

(config-crypto-map)#set transform-set highly_secure

(config-crypto-map)#set session-key inbound esp 300 cipher 32746524236738396A6E72286A21403472766E6668673565 authenticator 7235255E756768656D626B64686A333424782E3C

(config-crypto-map)#set session-key outbound esp 400 cipher 3835363468676A656C7269676E2A2628676E622331246433 authenticator 696F37382A37676E65722334286D676E73642133
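The key conversion and inbound/outbound mirroring described in this step, as an added example (not part of the SROS guide): it builds the set session-key lines for the local router from the plain-text keys and SPIs above, and derives the peer's lines by swapping the two directions. The checks that SPIs and keys differ per direction follow the text above; the dictionary layout is an assumption of this example.

```python
"""Added example, not from the SROS guide: render manual-key
``set session-key`` lines for both tunnel endpoints. The CLI takes
each key as two hex digits per ASCII character with no leading 0x,
and the peer's inbound/outbound SAs mirror the local ones."""

from typing import Dict, List

# Keys and SPIs from Step 5, as seen from the local router.
LOCAL_VIEW: Dict[str, dict] = {
    "inbound": {"spi": 300, "cipher": "2te$#g89jnr(j!@4rvnfhg5e",
                "authenticator": "r5%^ughembkdhj34$x.<"},
    "outbound": {"spi": 400, "cipher": "8564hgjelrign*&(gnb#1$d3",
                 "authenticator": "io78*7gner#4(mgnsd!3"},
}


def key_to_hex(key: str) -> str:
    """Encode a printable ASCII key as the hex string the CLI expects."""
    if not key.isascii() or not key.isprintable():
        raise ValueError("session keys must be printable ASCII")
    return key.encode("ascii").hex().upper()


def peer_view(view: Dict[str, dict]) -> Dict[str, dict]:
    """The peer's inbound SA is our outbound SA and vice versa."""
    return {"inbound": dict(view["outbound"]),
            "outbound": dict(view["inbound"])}


def session_key_lines(view: Dict[str, dict]) -> List[str]:
    """Render both set session-key commands, rejecting reused SPIs/keys."""
    inb, outb = view["inbound"], view["outbound"]
    if inb["spi"] == outb["spi"]:
        raise ValueError("inbound and outbound SPIs must differ")
    for field in ("cipher", "authenticator"):
        if inb[field] == outb[field]:
            raise ValueError(f"{field} key reused in both directions")
    return [
        f"set session-key {direction} esp {sa['spi']} "
        f"cipher {key_to_hex(sa['cipher'])} "
        f"authenticator {key_to_hex(sa['authenticator'])}"
        for direction, sa in (("inbound", inb), ("outbound", outb))
    ]


if __name__ == "__main__":
    print("\n".join(session_key_lines(LOCAL_VIEW)))
    print("--- peer ---")
    print("\n".join(session_key_lines(peer_view(LOCAL_VIEW))))
```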

Step 6:

Configure public interface. This process includes configuring the IP address for the interface and applying the appropriate crypto map to the interface. Crypto maps are applied to the interface on which encrypted traffic will be transmitted.

(config)#interface ppp 1

(config-ppp 1)#ip address 63.97.45.57 255.255.255.248

(config-ppp 1)#crypto map corporate_vpn

(config-ppp 1)#no shutdown

Step 7:

Configure private interface to allow all traffic destined for the VPN tunnel to be routed to the appropriate

5991-2114

© Copyright 2005 Hewlett-Packard Development Company, L.P.

413
