Enterasys Security Router User's Guide

VPN Configuration Overview
14-24 Configuring the Virtual Private Network
Configure IKE policy for the remote peer, assuming that two other IKE proposals (try2 and try3)
have been configured:
XSR(config)#crypto isakmp peer 192.168.57.33/32
XSR(config-isakmp-peer)#proposal try1 try2 try3
XSR(config-isakmp-peer)#config-mode gateway
XSR(config-isakmp-peer)#nat auto
Configure the IPSec transform set. You can specify both a kilobyte and a seconds SA lifetime value,
or just one. Some commands are abbreviated.
XSR(config)#crypto ipsec tr esp-3des-sha esp-3des esp-sha-hmac
XSR(cfg-crypto-tran)#set pfs group1
XSR(cfg-crypto-tran)#set sec lifetime kilobytes 500000
XSR(cfg-crypto-tran)#set sec lifetime seconds 3000
Creating Crypto Maps
A crypto map is a Security Policy Database (SPD): it filters and classifies packets and defines the
policy applied to those packets. Filtering and classifying decide which traffic needs to be
protected, while the policy determines the SA negotiation performed (via IKE) on behalf of that traffic.
IPSec crypto maps comprise the following:
- Traffic to be protected, configured with the match address sub-command.
- Which IPSec peers the protected traffic can be forwarded to, configured with the set peer
  sub-command. These are peers with which an SA can be negotiated.
- Which transform-sets are acceptable for protecting traffic, configured with the
  set transform-set sub-command.
- Which encapsulation type, tunnel or transport, should be used, configured with the mode
  sub-command.
- Whether SAs should be sought for each source/destination host pair, configured with the
  set security-association level per-host command. This command creates separate SAs per
  data stream. When it is off, each data stream passes through the same SA.
Configuring Crypto Maps
Crypto maps are sets of rules indexed by sequence number. For a given interface, certain traffic
can be forwarded to one IPSec peer with specified security applied to it, and other traffic
forwarded to the same or a different IPSec peer with different IPSec security applied.
The following sample crypto map highflow with rule #77 is correlated with a pre-configured
transform-set and ACL 140. It is attached to a remote gateway, specifying that SAs for traffic
matching this rule be requested only with the specified gateway. Per-host SAs are disabled and the
default tunnel mode is left unchanged.
XSR(config)#access-list 140 permit ip 192.168.57.0 0.0.0.255 192.168.58.0 0.0.0.255
XSR(config)#crypto map highflow 77
XSR(config-crypto-m)#set transform-set esp-3des-sha
XSR(config-crypto-m)#match address 140
XSR(config-crypto-m)#set peer 192.168.45.12
XSR(config-crypto-m)#no set security-association level per-host
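The Python model below is an added example, not code from the Enterasys guide or the XSR software. It implements the crypto-map behaviour described in the two sections above: an ordered set of rules indexed by sequence number, each selecting traffic with a wildcard-mask ACL (match address), naming a peer and transform set, and either sharing one SA across every matching flow or, with per-host on, keying a separate SA for each source/destination host pair. Rule 77, ACL 140 and peer 192.168.45.12 come from the page; rule 88, ACL 150 (192.168.57.0/24 to 10.1.0.0/16) and peer 192.168.45.13 are constructed for the example to show a second rule sending other traffic to a different peer.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    """One 'access-list N permit|deny ip SRC SRC-WILD DST DST-WILD' line."""
    action: str        # "permit" or "deny"
    src: str
    src_wild: str      # wildcard (inverse) mask: a 1 bit means "don't care"
    dst: str
    dst_wild: str


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """Compare only the address bits the wildcard mask does NOT cover."""
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    return (a & care) == (n & care)


def acl_permits(entries: Tuple[AclEntry, ...], src: str, dst: str) -> bool:
    """First matching entry wins; no match at all is the implicit deny."""
    for e in entries:
        if wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
            return e.action == "permit"
    return False


@dataclass(frozen=True)
class CryptoMapRule:
    """One sequence-numbered entry of a crypto map and its sub-commands."""
    seq: int
    acl: Tuple[AclEntry, ...]     # match address
    peer: str                     # set peer
    transform_set: str            # set transform-set
    mode: str = "tunnel"          # mode tunnel|transport (tunnel is the default)
    per_host: bool = False        # set security-association level per-host


def classify(crypto_map: Tuple[CryptoMapRule, ...], src: str, dst: str
             ) -> Tuple[Optional[CryptoMapRule], Optional[tuple]]:
    """SPD lookup: walk the rules in sequence-number order and return the first
    rule whose ACL permits the packet, plus the key under which the SA for that
    packet is negotiated. With per-host off every flow matching the rule shares
    one SA (keyed by the rule alone); with per-host on, each src/dst host pair
    gets its own SA key."""
    for rule in sorted(crypto_map, key=lambda r: r.seq):
        if acl_permits(rule.acl, src, dst):
            sa_key = (rule.seq, src, dst) if rule.per_host else (rule.seq,)
            return rule, sa_key
    return None, None   # no rule matched: this map does not protect the packet


# ACL 140 as configured on the page: 192.168.57.0/24 -> 192.168.58.0/24.
ACL_140 = (AclEntry("permit", "192.168.57.0", "0.0.0.255", "192.168.58.0", "0.0.0.255"),)
# ACL 150 is constructed for this example (not on the page): 192.168.57.0/24 -> 10.1.0.0/16.
ACL_150 = (AclEntry("permit", "192.168.57.0", "0.0.0.255", "10.1.0.0", "0.0.255.255"),)

HIGHFLOW = (
    # Rule 77 from the page: per-host off, default tunnel mode.
    CryptoMapRule(77, ACL_140, "192.168.45.12", "esp-3des-sha"),
    # Rule 88, peer 192.168.45.13: constructed, per-host SAs enabled.
    CryptoMapRule(88, ACL_150, "192.168.45.13", "esp-3des-sha", per_host=True),
)


def demo() -> None:
    """Constructed sample packets run through the highflow map."""
    for src, dst in [("192.168.57.10", "192.168.58.20"),
                     ("192.168.57.11", "192.168.58.99"),
                     ("192.168.57.10", "10.1.2.3"),
                     ("192.168.57.11", "10.1.2.3"),
                     ("192.168.57.10", "172.16.0.1")]:
        rule, key = classify(HIGHFLOW, src, dst)
        if rule is None:
            print(f"{src} -> {dst}: no crypto-map rule, not protected")
        else:
            print(f"{src} -> {dst}: rule {rule.seq}, peer {rule.peer}, "
                  f"{rule.transform_set}, {rule.mode} mode, SA key {key}")


if __name__ == "__main__":
    demo()
```

The two flows matching rule 77 return the same SA key, so they would ride one SA; the two flows matching rule 88 return different keys because per-host is on, which is exactly the difference the set security-association level per-host command makes. A packet matched by no rule gets no SA, which is why the ACL attached with match address has to cover every flow you expect to be protected.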