Enterasys Security Router User's Guide
Configuring the Virtual Private Network
XSR(config-crypto-m)#match address 140
+ Applies map to ACL 140 and renders the ACL bi-directional
XSR(config-crypto-m)#set peer 1.1.1.2
+ Attaches map to peer
XSR(config-crypto-m)#mode [tunnel | transport]
+ Selects IPSec mode for XSR-to-XSR (tunnel) or host to XSR (transport)
XSR(config-crypto-m)#set security-association level per-host
+ Sets a separate SA for every traffic flow
XSR(config)#crypto map Test 20
+ Adds crypto map Test, sequence #20
XSR(config-crypto-m)#set transform-set esp-3des esp-sha-hmac
+ Correlates map with the specified transform set
XSR(config-crypto-m)#match address 120
+ Applies map to ACL 120 and renders the ACL bi-directional
XSR(config-crypto-m)#set peer 1.1.1.3
+ Attaches map to peer
XSR(config-crypto-m)#mode [tunnel | transport]
+ Selects IPSec mode
XSR(config-crypto-m)#set security-association level per-host
+ Sets a separate SA for every traffic flow
XSR(config)#crypto map Test 30
+ Adds crypto map Test, sequence #30
XSR(config-crypto-m)#set transform-set esp-des esp-sha-hmac
+ Correlates map with the specified transform set
XSR(config-crypto-m)#match address 130
+ Applies map to ACL 130 and renders the ACL bi-directional
XSR(config-crypto-m)#set peer 1.1.1.2
+ Attaches map to peer
XSR(config-crypto-m)#mode [tunnel | transport]
+ Selects IPSec mode
XSR(config-crypto-m)#set security-association level per-host
+ Sets a separate SA for every traffic flow
Configuring the XSR VPN interface is the last main task to perform to set up the VPN.
XSR(config)#interface fastethernet 2
+ Adds FastEthernet port 2 and acquires Interface mode
XSR(config-if<F2>)#crypto map Test
+ Attaches Crypto Map to interface and acquires Crypto Map mode
XSR(config-crypto-m)#description "external interface"
+ Names the interface
XSR(config-crypto-m)#ip address 141.154.196.78 255.255.255.192
+ Adds IP address/subnet to interface
XSR(config-crypto-m)#no shutdown
+ Enables interface
Consult the XSR Getting Started Guide for another site-to-site example.
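A defender reviewing a crypto map listing like the one above will want to spot entries that still negotiate single DES (the sequence 30 entry pairs esp-des with a SHA-1 HMAC). The following parser and audit routine is an added example, not code from the guide or from Enterasys; the sample configuration is constructed to mirror the listing, and the table of weak transform names is an assumption of the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample mirroring the crypto map stanzas above (not captured from a device).
SAMPLE_CONFIG = """\
crypto map Test 20
 set transform-set esp-3des esp-sha-hmac
 match address 120
 set peer 1.1.1.3
 mode tunnel
 set security-association level per-host
crypto map Test 30
 set transform-set esp-des esp-sha-hmac
 match address 130
 set peer 1.1.1.2
 mode tunnel
 set security-association level per-host
interface fastethernet 2
 crypto map Test
"""

# Assumed list of transforms a reviewer would flag; extend to local policy.
WEAK_TRANSFORMS = {"esp-des": "single DES (56-bit key)", "esp-md5-hmac": "MD5 integrity"}

@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    transforms: List[str] = field(default_factory=list)
    acl: Optional[str] = None
    peer: Optional[str] = None

def parse_crypto_maps(text: str) -> List[CryptoMapEntry]:
    """Collect each 'crypto map <name> <seq>' stanza and its indented sub-commands."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto map (\S+) (\d+)$", line)
        if m:
            current = CryptoMapEntry(m.group(1), int(m.group(2)))
            entries.append(current)
        elif current is None or not raw.startswith(" "):
            current = None  # an unindented line ends the stanza (e.g. an interface block)
        elif line.startswith("set transform-set "):
            current.transforms = line.split()[2:]
        elif line.startswith("match address "):
            current.acl = line.split()[2]
        elif line.startswith("set peer "):
            current.peer = line.split()[2]
    return entries

def audit(entries: List[CryptoMapEntry]) -> List[str]:
    """Report weak transforms and incomplete entries (no peer or no match address)."""
    findings = []
    for e in entries:
        for t in e.transforms:
            if t in WEAK_TRANSFORMS:
                findings.append(f"{e.name} {e.seq}: peer {e.peer} acl {e.acl} uses {t} ({WEAK_TRANSFORMS[t]})")
        if e.peer is None or e.acl is None:
            findings.append(f"{e.name} {e.seq}: incomplete entry (missing peer or match address)")
    return findings
```

Running `audit(parse_crypto_maps(SAMPLE_CONFIG))` on the constructed sample reports only the sequence 30 entry, because it is the one selecting esp-des.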
Configuring the VPN Using EZ-IPSec
The XSR's VPN provides a simple, largely automatic IPSec configuration option called EZ-IPSec,
which predefines a variety of IKE and IPSec proposals and transforms and combines those objects with
dynamically defined Security Policy Database rules.
This suite of IPSec and IKE policies, sorted by cryptographic strength, is offered to the central
gateway, which selects one policy based on its local configuration. EZ-IPSec also relies upon the
IKE Mode Configuration protocol to obtain an IP address from the central gateway.