Patton electronic SmartNode 4110 Series manual Creating/modifying an outgoing ACL profile for IPsec

Models: SmartNode 4110 Series


SmartWare Software Configuration Guide

32 • VPN configuration


Use no in front of the above commands to delete a profile or a configuration entry.

Example: Create an IPsec policy profile

The following example defines a profile for AES-encryption at a key length of 128.

node(cfg)#profile ipsec-policy-manual ToBerne
node(pf-ipsma)[ToBerne]#use profile ipsec-transform AES_128
node(pf-ipsma)[ToBerne]#session-key inbound esp-encryption 1234567890ABCDEF1234567890ABCDEF
node(pf-ipsma)[ToBerne]#session-key outbound esp-encryption FEDCBA0987654321FEDCBA0987654321
node(pf-ipsma)[ToBerne]#spi inbound esp 1111
node(pf-ipsma)[ToBerne]#spi outbound esp 2222
node(pf-ipsma)[ToBerne]#peer 200.200.200.1
node(pf-ipsma)[ToBerne]#mode tunnel

Creating/modifying an outgoing ACL profile for IPsec

An access control list (ACL) profile in the outgoing direction selects which outgoing traffic to encrypt and/or authenticate, and which IPsec policy profile to use. IPsec does not require an incoming ACL.

Note Outgoing and incoming IPsec traffic passes an ACL (if available) twice, once before and once after encryption/authentication. So the respective ACLs must permit the encrypted/authenticated and the plain traffic.

For detailed information on how to set up ACL rules, see chapter 24, “Access control list configuration” on page 253.

Procedure: To create/modify an outgoing ACL profile for IPsec

Mode: Configure

Step 1
  Command: node(cfg)#profile acl name
  Purpose: Creates or enters the ACL profile name.

Step 2
  Command: node(pf-ipstr)[name]#permit ... [ ipsec-policy name ]
  Purpose: The expression ‘ipsec-policy name’ appended to a permit ACL rule activates the IPsec policy profile name to encrypt/authenticate the traffic identified by this rule.

Note New entries are appended at the end of an ACL. Since the position in the list is relevant, you might need to delete the ACL and rewrite it completely.

Example: Create/modify an ACL profile for IPsec

The following example configures an outgoing ACL profile that interconnects the two private networks 192.168.1/24 and 172.16/16.

node(cfg)#profile acl VPN_Out

node(pf-acl)[VPN_Out]#permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255 ipsec-policy ToBerne

node(pf-acl)[VPN_Out]#permit ip any any
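The two points that most often go wrong when writing such an ACL are rule order (new entries are appended, and the first match wins) and the double pass (the plain packet is checked first, then the ESP packet that results from encryption). The following Python model is an added illustration and is not code from the Patton manual or from SmartWare; it parses rules in the syntax shown above, evaluates them first-match, and runs the two passes the note describes. The local WAN address 200.200.200.2 and the assumption that the tunnel-mode ESP packet carries the router's own address as source and the policy's peer as destination are constructed for the example.

```python
"""Model of first-match ACL evaluation with SmartWare-style 'ipsec-policy' rules.

Added example, not from the Patton manual. Rule syntax follows the manual's
'permit ip <src> <wildcard> <dst> <wildcard> [ipsec-policy <name>]' form.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol; otherwise an exact protocol name
    src: int                      # source address as an integer
    src_wild: int                 # wildcard mask: set bits are "don't care"
    dst: int
    dst_wild: int
    ipsec_policy: Optional[str] = None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"             # e.g. "tcp" for inner traffic, "esp" once encapsulated


def _addr_wild(tokens: List[str]) -> Tuple[int, int, List[str]]:
    """Consume 'any' or '<addr> <wildcard>' and return (addr, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    return int(IPv4Address(tokens[0])), int(IPv4Address(tokens[1])), tokens[2:]


def parse_rule(line: str) -> Rule:
    """Parse one ACL line such as
    'permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255 ipsec-policy ToBerne'."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, src_wild, rest = _addr_wild(tokens[2:])
    dst, dst_wild, rest = _addr_wild(rest)
    policy = rest[1] if rest[:1] == ["ipsec-policy"] else None
    return Rule(action, proto, src, src_wild, dst, dst_wild, policy)


def _matches(rule: Rule, pkt: Packet) -> bool:
    """Wildcard-mask comparison: only the bits cleared in the wildcard must agree."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    care_src = ~rule.src_wild & 0xFFFFFFFF
    care_dst = ~rule.dst_wild & 0xFFFFFFFF
    src_ok = ((int(IPv4Address(pkt.src)) ^ rule.src) & care_src) == 0
    dst_ok = ((int(IPv4Address(pkt.dst)) ^ rule.dst) & care_dst) == 0
    return src_ok and dst_ok


def evaluate(acl: List[Rule], pkt: Packet) -> Optional[Rule]:
    """First matching rule wins; no match means implicit deny (None)."""
    for rule in acl:
        if _matches(rule, pkt):
            return rule
    return None


def simulate_outgoing(acl: List[Rule], pkt: Packet,
                      policies: Dict[str, str], local_addr: str) -> Tuple[str, Optional[str]]:
    """Run the two passes: plain packet first, then the ESP packet produced by encryption.

    'policies' maps an ipsec-policy profile name to the peer address configured in that
    profile. Assumption of this model: the tunnel-mode ESP packet is sourced from
    local_addr and sent to the peer. Returns (outcome, policy name), where outcome is
    one of "denied", "plain", "encrypted" or "encrypted-but-denied".
    """
    first = evaluate(acl, pkt)
    if first is None or first.action != "permit":
        return ("denied", None)
    if first.ipsec_policy is None:
        return ("plain", None)
    esp = Packet(src=local_addr, dst=policies[first.ipsec_policy], proto="esp")
    second = evaluate(acl, esp)
    if second is None or second.action != "permit":
        return ("encrypted-but-denied", first.ipsec_policy)   # second pass blocks the ESP packet
    return ("encrypted", first.ipsec_policy)


# The VPN_Out profile from the manual's example, in the order it was entered.
VPN_OUT = [parse_rule(line) for line in [
    "permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255 ipsec-policy ToBerne",
    "permit ip any any",
]]
POLICIES = {"ToBerne": "200.200.200.1"}   # peer taken from the ToBerne policy profile above
LOCAL = "200.200.200.2"                    # constructed local WAN address (not on the page)

if __name__ == "__main__":
    for pkt in (Packet("192.168.1.10", "172.16.5.5", "tcp"), Packet("192.168.1.10", "8.8.8.8", "udp")):
        print(pkt, "->", simulate_outgoing(VPN_OUT, pkt, POLICIES, LOCAL))
    # Same two rules entered in the opposite order: the policy rule is never reached.
    print("reordered ->", simulate_outgoing(list(reversed(VPN_OUT)),
                                             Packet("192.168.1.10", "172.16.5.5", "tcp"), POLICIES, LOCAL))
    # Without the trailing 'permit ip any any' the ESP packet fails the second pass.
    print("no trailer ->", simulate_outgoing(VPN_OUT[:1],
                                              Packet("192.168.1.10", "172.16.5.5", "tcp"), POLICIES, LOCAL))
```

Running the script shows the four cases side by side: the manual's ACL encrypts 192.168.1/24 to 172.16/16 traffic and passes everything else in the clear; the same two rules in reverse order never encrypt anything, which is the trap behind the note on appended entries; and dropping the final `permit ip any any` leaves the ESP packet to the peer with no matching rule on its second pass. The model stops after a permit on the second pass and does not re-apply a policy to already-encrypted traffic.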
