Manuals / Patton electronic / Computer Equipment / Network Card

Patton electronic 2800 Sample configurations, IPsec tunnel, DES encryption, OnSite configuration

Models: 2800

1 135

Download 135 pages 34.01 Kb

Page 75

OnSite 2800 Series User Manual	6 • VPN configuration

IN MANUAL	ToBurg	Tunnel	no
200.200.200.1	-	1111	-	-	AES-CBC 128
3622/unlimited		19047/unlimited
OUT MANUAL	ToBurg	Tunnel	no
200.200.200.1	-	2222	-	-	AES-CBC 128
2857/unlimited		19047/unlimited

Sample configurations

The following sample configurations establish IPsec connections between an OnSite and a Cisco router. To interconnect two OnSite routers instead, derive the configuration for the second OnSite by doing the follow- ing modifications:

•Swap ‘inbound’ and ‘outbound’ settings

•Adjust the ‘peer’ setting

•Swap the private networks in the ACL profiles

•Adjust the IP addresses of the LAN and WAN interfaces

•Adjust the route for the remote network

IPsec tunnel, DES encryption

OnSite configuration

profile ipsec-transform DES esp-encryption des-cbc 64

profile ipsec-policy-manual VPN_DES

use profile ipsec-transform DES

session-key inbound esp-encryption 1234567890ABCDEF session-key outbound esp-encryption FEDCBA0987654321 spi inbound esp 1111

spi outbound esp 2222 peer 200.200.200.1 mode tunnel

profile acl VPN_Out

permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255 ipsec-policy VPN_DES permit ip any any

profile acl VPN_In permit esp any any permit ah any any

permit ip 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255 deny ip any any

context ip router

interface LAN

ipaddress 192.168.1.1 255.255.255.0 interface WAN

Sample configurations

75

Image 75

Patton electronic 2800 user manual Sample configurations, IPsec tunnel, DES encryption, OnSite configuration

Contents

Managed VPN Router Mailsupport@patton.com Summary Table of Contents Table of Contents Getting started with the OnSite Managed VPN Router VPN configuration LEDs status and monitoring 112 Cabling 124 OnSite 2800 Series factory configuration 132 List of Figures List of Tables About this guide AudienceStructure Impaired functioning PrecautionsSafety when working with electricity General observations General conventions Typographical conventions used in this documentGeneral information Chapter contentsOnSite Managed VPN Router 2805 shown OnSite Model 2800 Series overviewOnSite 2800 Series model codes OnSite 2800 Series detailed descriptionDMZ Model code extensions OnSite 2800 Series power input connectorsOnSite 2800 Series rear-panel ports are described in table Ports descriptionsApplications overview Corporate multi-function virtual private network Corporate multi-function virtual private networkGeneral information Hardware installation Create a network diagram see section Network information on Planning the installationInstallation checklist IP related information Power sourceSite log Network informationLocation and mounting requirements Installing the VPN routerConnecting cables Installing the Ethernet cableConnecting an OnSite 2800 Series device to a hub Installing the serial WAN cableDCD Hardware installation Rear panel of 2803K/EUI Rear panel of 2803K/UI Pins not listed are not usedPower connector location on rear panel Connecting to external power sourceUI and EUI power supplies automatically adjust to accept an Getting started with the OnSite Managed VPN Router Introduction Configure IP addressTerminal emulation program settings 9600 bps No parity Bit Configure IP addressPower connection and default configuration All Ethernet interfaces are activated upon power-upChanging the IP address LoginSelect the context IP mode to configure an IP interface Stop bit No flow controlLoad configuration Connect the OnSite VPN Router to the networkRespectively from the host ping Load configuration Serial port configuration Disabling an interface Serial port configuration task listEnabling an interface Configuring the encapsulation for Frame Relay Example Configuring the serial encapsulation typePort Configuring the LMI type Enter Frame Relay modeEntering Frame Relay PVC configuration mode Configuring the keep-alive intervalBinding the Frame Relay PVC to IP interface Configuring the PVC encapsulation typeMode PVC Disabling a Frame Relay PVC Enabling a Frame Relay PVCCRC Displaying serial port informationDlci Displaying Frame Relay informationIntegrated service access Port Configure the serial interface settingsCheck that the Frame Relay settings are correct Configure the introduced PVCsT1/E1 port configuration Enable/Disable T1/E1 port T1/E1 port configuration task listConfiguring T1/E1 line-code Mode port e1t1 slot portConfiguring T1/E1 port-type Configuring T1/E1 clock-modeName prt-e1t1 slot/port# framing Configuring T1/E1 framingConfiguring T1/E1 line-build-out T1 only Configuring T1/E1 used-connector E1 onlyDefault short-haul Configuring T1/E1 application modeConfiguring T1/E1 LOS threshold Configuring T1/E1 encapsulationConfiguring Channel-Group Encapsulation Be used Mode port e1t1 slot portConfiguring Channel-Group Timeslots Mode channel-group group-nameDefault no encapsulation Configuring Hdlc CRC-TypeConfiguring Hdlc Encapsulation T1/E1 Configuration ExamplesExample 1 Frame Relay without a channel-group Example 2 Framerelay with a channel-group Example 3 PPP without a channel-groupExample 4 PPP with a channel-group VPN configuration Encryption AuthenticationVPN configuration task list Transport and tunnel modesCreating an IPsec transformation profile Creating an IPsec policy profile Procedure To create an IPsec policy profileNodecfg#profile ipsec-policy-man Creating/modifying an outgoing ACL profile for IPsec Displaying IPsec configuration information Configuration of an IP interface and the IP router for IPsecExample IPsec Debug Output Example Display IPsec transformation profilesExample Display IPsec policy profiles Debugging IPsecSample configurations OnSite configurationIPsec tunnel, DES encryption Cisco router configuration Cisco router configuration VPN configuration Access control list configuration About access control lists What access lists doWhy you should configure access lists Features of access control lists When to configure access listsMapping out the goals of the access control list Access control list configuration task listNodepf-acl name#permit ip src src-wildcard any Src-wildcard Where the syntax isAny host src dest dest-wildcard any host dest Nodepf-acl name#permit icmp src src-wildcard anyType type type type code code cos group Nodepf-acl name#deny icmp src src-wildcardMsg name Where the syntax is as followingNodepf-acl name#deny tcp udp sctp src src Nodepf-acl name#permit tcp udp sctp src src-wildCard any host src eq port gt port lt port range Port lt port range from to cos group cos-rtp groupGroup-data Where the syntax is Unbind an access control list profile from an interface Displaying an access control list profileDebugging an access control list profile Control list profile shall be debugged Denying a specific subnet ExamplesLink scheduler configuration Configuring access control lists Configuring quality of service QoS Using traffic classesApplying scheduling at the bottleneck Weighted fair queuing WFQ Introduction to SchedulingPriority Shaping Burst tolerant shaping or wfqHierarchy Setting the modem rate Quick referencesSome explanations Command cross reference Link scheduler configuration task listPacket classification Defining the access control list profileScenario with Web server regarded as a single source host Creating an access control listNodepf-acl name#permit ip any any Creating a service policy profileNodecfg#profile acl name Nodepf-acl name#permit ip host ip-address any traffic-classStructure of a Service-Policy Profile Specifying the handling of traffic-classes Defining fair queuing weightDefining the maximum queue length Specifying the type-of-service TOS fieldDefining the bit-rate Defining absolute priorityNodesrc name#set ip precedence value Specifying differentiated services codepoint Dscp markingSpecifying the precedence field Nodesrc name#set ip tos valueSpecifying layer 2 marking Nodesrc name#set ip dscp valueNodesrc name#set layer2 cos value Defining random early detection Discarding Excess LoadNodesrc name#random-detect burst-tolerance Devoting the service policy profile to an interface Nodeif-ip if-name#use profile servicePolicy name in out Enable statistics gathering Displaying link arbitration statusDisplaying link scheduling profile information Values defining detail of the queuing statistics LEDs status and monitoring Status LEDs Contacting Patton for assistance Warranty coverage Contact informationPatton Support Headquarters in the USA RMA numbers Out-of-warranty serviceReturns for credit Return for credit policyAppendix a Compliance information CE Declaration of Conformity SafetyCompliance Radio and TV Interference FCC PartAuthorized European Representative FCC Part 68 Acta Statement Model 2803 onlyIndustry Canada Notice Model 2803 only Appendix B Specifications PPP support Ethernet interfacesSync serial interface T1/E1 interface Model 2803 onlyOperating environment IP servicesDimensions ManagementPower supply Internal power supply 100-240 VAC, 50/60 Hz, 200 mAInternal AC version Appendix C Cabling Serial console Connecting a serial terminalEthernet cross-over Ethernet 10Base-T and 100Base-TEthernet straight-through Appendix D Port pin-outs EIA-561 RJ-45 8-pin port RS-232 Console Port Console port, RJ-45, EIA-561 RS-232Serial port Ethernet 10Base-T and 100Base-T portSync serial port Ethernet ports are auto-detect MDI-X21 Female DB-15 connector Appendix E OnSite 2800 Series factory configuration OnSite 2800 Series factory configuration Appendix F Installation checklist Installation checklist