VPN configuration, Chapter contents | Patton electronic 2800

Chapter 6	VPN configuration
Chapter contents
Introduction		68
Authentication		68
Encryption		68
Transport and tunnel modes		69
VPN configuration task list		69
Creating an IPsec transformation profile		69
Creating an IPsec policy profile		70
Creating/modifying an outgoing ACL profile for IPsec		72
Configuration of an IP interface and the IP router for IPsec		73
Displaying IPsec configuration information		73
Debugging IPsec		74
Sample configurations		75
IPsec tunnel, DES encryption		75
OnSite configuration		75
Cisco router configuration		76
IPsec tunnel, AES encryption at 256 bit key length, AH authentication with HMAC-SHA1-96		76
OnSite configuration		76
Cisco router configuration		77
IPsec tunnel, 3DES encryption at 192 bit key length, ESP authentication with HMAC-MD5-96		77
OnSite configuration		77
Cisco router configuration		77

67

Image 67

Patton electronic 2800 user manual VPN configuration, Chapter contents

Contents

Managed VPN Router Mailsupport@patton.com Summary Table of Contents Table of Contents Getting started with the OnSite Managed VPN Router VPN configuration LEDs status and monitoring 112 Cabling 124 OnSite 2800 Series factory configuration 132 List of Figures List of Tables Audience About this guideStructure Impaired functioning Precautions Safety when working with electricity General observations General conventions Typographical conventions used in this document General information Chapter contents OnSite Managed VPN Router 2805 shown OnSite Model 2800 Series overview OnSite 2800 Series model codes OnSite 2800 Series detailed description DMZ Model code extensions OnSite 2800 Series power input connectors OnSite 2800 Series rear-panel ports are described in table Ports descriptions Applications overview Corporate multi-function virtual private network Corporate multi-function virtual private network General information Hardware installation Create a network diagram see section Network information on Planning the installation Installation checklist IP related information Power sourceSite log Network information Location and mounting requirements Installing the VPN routerConnecting cables Installing the Ethernet cable Connecting an OnSite 2800 Series device to a hub Installing the serial WAN cable DCD Hardware installation Rear panel of 2803K/EUI Rear panel of 2803K/UI Pins not listed are not used Power connector location on rear panel Connecting to external power source UI and EUI power supplies automatically adjust to accept an Getting started with the OnSite Managed VPN Router Introduction Configure IP address Terminal emulation program settings 9600 bps No parity Bit Configure IP addressPower connection and default configuration All Ethernet interfaces are activated upon power-up Changing the IP address LoginSelect the context IP mode to configure an IP interface Stop bit No flow control Connect the OnSite VPN Router to the network Load configurationRespectively from the host ping Load configuration Serial port configuration Disabling an interface Serial port configuration task list Enabling an interface Example Configuring the serial encapsulation type Configuring the encapsulation for Frame RelayPort Configuring the LMI type Enter Frame Relay mode Entering Frame Relay PVC configuration mode Configuring the keep-alive interval Binding the Frame Relay PVC to IP interface Configuring the PVC encapsulation type Mode PVC Disabling a Frame Relay PVC Enabling a Frame Relay PVC CRC Displaying serial port information Dlci Displaying Frame Relay information Integrated service access Port Configure the serial interface settings Check that the Frame Relay settings are correct Configure the introduced PVCs T1/E1 port configuration Enable/Disable T1/E1 port T1/E1 port configuration task list Configuring T1/E1 line-code Mode port e1t1 slot portConfiguring T1/E1 port-type Configuring T1/E1 clock-mode Name prt-e1t1 slot/port# framing Configuring T1/E1 framingConfiguring T1/E1 line-build-out T1 only Configuring T1/E1 used-connector E1 only Default short-haul Configuring T1/E1 application modeConfiguring T1/E1 LOS threshold Configuring T1/E1 encapsulation Configuring Channel-Group Encapsulation Be used Mode port e1t1 slot portConfiguring Channel-Group Timeslots Mode channel-group group-name Default no encapsulation Configuring Hdlc CRC-TypeConfiguring Hdlc Encapsulation T1/E1 Configuration Examples Example 1 Frame Relay without a channel-group Example 3 PPP without a channel-group Example 2 Framerelay with a channel-groupExample 4 PPP with a channel-group VPN configuration Encryption Authentication Transport and tunnel modes VPN configuration task listCreating an IPsec transformation profile Creating an IPsec policy profile Procedure To create an IPsec policy profile Nodecfg#profile ipsec-policy-man Creating/modifying an outgoing ACL profile for IPsec Displaying IPsec configuration information Configuration of an IP interface and the IP router for IPsec Example IPsec Debug Output Example Display IPsec transformation profilesExample Display IPsec policy profiles Debugging IPsec OnSite configuration Sample configurationsIPsec tunnel, DES encryption Cisco router configuration Cisco router configuration VPN configuration Access control list configuration What access lists do About access control listsWhy you should configure access lists Features of access control lists When to configure access lists Mapping out the goals of the access control list Access control list configuration task list Nodepf-acl name#permit ip src src-wildcard any Src-wildcard Where the syntax is Any host src dest dest-wildcard any host dest Nodepf-acl name#permit icmp src src-wildcard anyType type type type code code cos group Nodepf-acl name#deny icmp src src-wildcard Msg name Where the syntax is as following Nodepf-acl name#deny tcp udp sctp src src Nodepf-acl name#permit tcp udp sctp src src-wildCard any host src eq port gt port lt port range Port lt port range from to cos group cos-rtp group Group-data Where the syntax is Displaying an access control list profile Unbind an access control list profile from an interfaceDebugging an access control list profile Control list profile shall be debugged Denying a specific subnet Examples Link scheduler configuration Configuring access control lists Using traffic classes Configuring quality of service QoSApplying scheduling at the bottleneck Introduction to Scheduling Weighted fair queuing WFQPriority Burst tolerant shaping or wfq ShapingHierarchy Quick references Setting the modem rateSome explanations Command cross reference Link scheduler configuration task list Packet classification Defining the access control list profile Scenario with Web server regarded as a single source host Creating an access control list Nodepf-acl name#permit ip any any Creating a service policy profileNodecfg#profile acl name Nodepf-acl name#permit ip host ip-address any traffic-class Structure of a Service-Policy Profile Specifying the handling of traffic-classes Defining fair queuing weight Defining the maximum queue length Specifying the type-of-service TOS fieldDefining the bit-rate Defining absolute priority Nodesrc name#set ip precedence value Specifying differentiated services codepoint Dscp markingSpecifying the precedence field Nodesrc name#set ip tos value Nodesrc name#set ip dscp value Specifying layer 2 markingNodesrc name#set layer2 cos value Discarding Excess Load Defining random early detectionNodesrc name#random-detect burst-tolerance Nodeif-ip if-name#use profile service Devoting the service policy profile to an interfacePolicy name in out Displaying link arbitration status Enable statistics gatheringDisplaying link scheduling profile information Values defining detail of the queuing statistics LEDs status and monitoring Status LEDs Contacting Patton for assistance Contact information Warranty coveragePatton Support Headquarters in the USA RMA numbers Out-of-warranty serviceReturns for credit Return for credit policy Appendix a Compliance information CE Declaration of Conformity SafetyCompliance Radio and TV Interference FCC Part FCC Part 68 Acta Statement Model 2803 only Authorized European RepresentativeIndustry Canada Notice Model 2803 only Appendix B Specifications PPP support Ethernet interfacesSync serial interface T1/E1 interface Model 2803 only Operating environment IP servicesDimensions Management Internal power supply 100-240 VAC, 50/60 Hz, 200 mA Power supplyInternal AC version Appendix C Cabling Serial console Connecting a serial terminal Ethernet cross-over Ethernet 10Base-T and 100Base-T Ethernet straight-through Appendix D Port pin-outs EIA-561 RJ-45 8-pin port RS-232 Console Port Console port, RJ-45, EIA-561 RS-232 Serial port Ethernet 10Base-T and 100Base-T portSync serial port Ethernet ports are auto-detect MDI-X 21 Female DB-15 connector Appendix E OnSite 2800 Series factory configuration OnSite 2800 Series factory configuration Appendix F Installation checklist Installation checklist