- Enterasys Security Router User's Guide

Configuring a Simple VPN Site-to-Site Application
14-32 Configuring the Virtual Private Network
VPN Interface Sub-Commands
The following sub-commands are available at VPN Interface mode:

Command                      Description
ip firewall                  Set of commands to configure the firewall
ip address-negotiated        Sets the VPN interface’s IP address to be negotiated
ip address                   Specifies an IP address on the VPN interface
ip multicast-redirect        Redirects multicast to a unicast address
ip nat                       Specifies NAT rules on the VPN interface
ip rip                       Configures RIP routing on the VPN port
ip unnumbered                Enables IP processing on a serial port without assigning it an explicit IP address
ip split-horizon             Enables the split horizon mechanism
ip ospf                      Set of commands to configure OSPF routing
tunnel                       Command and sub-commands that configure a site-to-site VPN tunnel on a point-to-point interface
  set heartbeat              Enables and configures tunnel connectivity monitoring
  set protocol (ipsec | gre) Selects a tunnel protocol
  set active                 Brings the tunnel up
  set user                   Designates the user name used when initiating a tunnel and obtains credentials from the AAA subsystem
  set peer                   Sets the IP address of the peer
Configuring a Simple VPN Site-to-Site Application
The following main steps describe how to configure a simple Site-to-Site VPN between two XSRs,
as illustrated in Figure 14-11:
• Encrypt Branch-site traffic on the 63.81.66.0/24 network to Central site networks (63.81.64.0/24, 63.81.68.0/24, 141.154.196.64/28)
• Set up IPSec/IKE policy with pre-shared keys
• Configure cryptographic algorithms (transform-sets) and IPSec mode
• Configure the VPN interface and crypto maps
Figure 14-11 Site-to-Site Example
1. Generate a master encryption key as described in “Master Encryption Key Generation” on
page 14-20. This need only be done once on the router.
2. Begin Central Site configuration of all necessary physical and system requirements, including
physical IP addresses, routing (default route and RIP or OSPF), and standard ACLs. This
example offers numerous options.
3. Configure Access Lists 120, 130, and 140 to define the particular traffic to be protected by the
tunnel. The ACLs allow a range of IP addresses on the VPN. In the context of VPN
[Figure 14-11, Site-to-Site Example: the Central Site XSR (FastEthernet 1 141.154.196.78, LANs 63.81.64.0/24 and 63.81.68.0/24) and the Branch Office XSR (FastEthernet 1 63.81.66.1, LAN 63.81.66.0/24) connect across the Internet through their FastEthernet 2 interfaces, addressed 1.1.1.1 and 1.1.1.2.]
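As an added worked check (Python, not XSR configuration and not part of this guide): the traffic selectors of Figure 14-11 built from the page's addresses, a matcher that decides whether a flow falls under the protected traffic that step 3 defines, and a test that the Central Site's access lists are the mirror image of the Branch Office's, which both peers need before they can agree on a security association. The mapping of ACL numbers 120, 130 and 140 to the three Central networks is an assumption; the page does not state it.

```python
import ipaddress

# Constructed from Figure 14-11: the Branch Office LAN and the three
# Central Site networks that step 3 protects with Access Lists 120/130/140.
# Which ACL number covers which Central network is not stated on the page;
# the mapping below is an assumption used for illustration only.
BRANCH_LAN = ipaddress.ip_network("63.81.66.0/24")
CENTRAL_ACLS = {
    120: ipaddress.ip_network("63.81.64.0/24"),
    130: ipaddress.ip_network("63.81.68.0/24"),
    140: ipaddress.ip_network("141.154.196.64/28"),
}


def branch_selectors():
    """Selectors as the Branch XSR sees them: Branch LAN -> each Central net."""
    return [(acl, BRANCH_LAN, net) for acl, net in CENTRAL_ACLS.items()]


def central_selectors():
    """The Central XSR must hold the reverse: Central net -> Branch LAN."""
    return [(acl, net, BRANCH_LAN) for acl, net in CENTRAL_ACLS.items()]


def match_selector(selectors, src, dst):
    """Return the ACL number whose (src, dst) pair covers this flow, or None.
    None means the flow is routed in the clear rather than through the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for acl, src_net, dst_net in selectors:
        if s in src_net and d in dst_net:
            return acl
    return None


def selectors_are_mirrored(local, remote):
    """IPsec Phase 2 only completes when each local selector appears reversed
    on the peer; return the ACL numbers that have no mirror image there."""
    remote_pairs = {(src, dst) for _, src, dst in remote}
    return [acl for acl, src, dst in local if (dst, src) not in remote_pairs]
```

An empty list from selectors_are_mirrored means the two sides agree; a non-empty one names the ACLs a peer would reject during Phase 2 negotiation.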