Patton electronic 2800 user manual Creating/modifying an outgoing ACL profile for IPsec

Example: Create an IPsec policy profile

The following example defines a profile for AES-encryption at a key length of 128.

2800(cfg)#profile ipsec-policy-manual ToBurg 2800(pf-ipsma)[ToBurg]#use profile ipsec-transform AES_128 2800(pf-ipsma)[ToBurg]#session-key inbound esp-encryption 1234567890ABCDEF1234567890ABCDEF 2800(pf-ipsma)[ToBurg]#session-key outbound esp-encryption FEDCBA0987654321FEDCBA0987654321 2800(pf-ipsma)[ToBurg]#spi inbound esp 1111 2800(pf-ipsma)[ToBurg]#spi outbound esp 2222 2800(pf-ipsma)[ToBurg]#peer 200.200.200.1 2800(pf-ipsma)[ToBurg]#mode tunnel

Creating/modifying an outgoing ACL profile for IPsec

An access control list (ACL) profile in the outgoing direction selects which outgoing traffic to encrypt and/or authenticate, and which IPsec policy profile to use. IPsec does not require an incoming ACL.

Note Outgoing and incoming IPsec traffic passes an ACL (if available) twice, once before and once after encryption/authentication. So the respective ACLs must permit the encrypted/authenticated and the plain traffic.

For detailed information on how to set-up ACL rules, see chapter 7, “Access control list configuration” on page 79.

Procedure: To create/modify an outgoing ACL profile for IPsec

Mode: Configure

Note New entries are appended at the end of an ACL. Since the position in the list is relevant, you might need to delete the ACL and rewrite it completely.

Example: Create/modify an ACL profile for IPsec

The following example configures an outgoing ACL profile that interconnects the two private networks 192.168.1/24 and 172.16/16.

2800(cfg)#profile acl VPN_Out

2800(pf-acl)[VPN_Out]#permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255 ipsec- policy ToBurg

2800(pf-acl)[VPN_Out]#permit ip any any