Enterasys Security Router User's Guide

Configuration Examples
14-36 Configuring the Virtual Private Network
XSR(config-tms-tunnel)#set peer 200.10.20.30
Specifies the IP address of the remote peer.
XSR(config-tms-tunnel)#set protocol ipsec network-extension-mode
Selects IPSec to initiate a NEM tunnel connection.
Most of the parameters shown below have been automatically entered by EZ-IPSec. Be aware that
they do not appear in the running-config file.
crypto isakmp peer 200.10.20.30/32
proposal ez-ike-3des-sha-psk ez-ike-3des-md5-psk
config-mode client
exchange-mode aggressive
nat-traversal automatic
crypto map ez-ipsec 100
match address 100
set peer 200.10.20.30
mode tunnel
set transform-set ez-esp-3des-sha-pfs ez-esp-3des-md5-pfs
set transform-set ez-esp-aes-sha-pfs ez-esp-aes-md5-pfs
set transform-set ez-esp-3des-sha-no-pfs ez-esp-3des-md5-no-pfs
set transform-set ez-esp-aes-sha-no-pfs ez-esp-aes-md5-no-pfs
crypto map ez-ipsec 101
match address 101
set peer 200.10.20.30
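As an added example (not from the Enterasys guide), a small Python audit that parses an EZ-IPSec-style listing like the one above and reports which proposals and transform sets rely on MD5, 3DES, no PFS or pre-shared keys, and flags aggressive-mode IKE combined with PSK proposals. The sample text is the guide's block, abridged; the block parser and the weak-setting labels are this example's own.

```python
import re
# Constructed sample: abridged from the EZ-IPSec-generated block the guide
# shows, with attribute lines indented as a configuration listing shows them.
SAMPLE_CONFIG = """\
crypto isakmp peer 200.10.20.30/32
 proposal ez-ike-3des-sha-psk ez-ike-3des-md5-psk
 exchange-mode aggressive
crypto map ez-ipsec 100
 match address 100
 set peer 200.10.20.30
 mode tunnel
 set transform-set ez-esp-3des-sha-pfs ez-esp-3des-md5-pfs
 set transform-set ez-esp-aes-sha-pfs ez-esp-aes-md5-pfs
 set transform-set ez-esp-3des-sha-no-pfs ez-esp-3des-md5-no-pfs
 set transform-set ez-esp-aes-sha-no-pfs ez-esp-aes-md5-no-pfs
"""
# Fragments of EZ-IPSec proposal/transform-set names that signal weak choices.
WEAK_PATTERNS = {r"-md5-": "MD5 integrity", r"-3des-": "3DES encryption",
                 r"-no-pfs$": "no perfect forward secrecy",
                 r"-psk$": "pre-shared-key authentication"}
AGGRESSIVE_PSK = "aggressive-mode IKE combined with pre-shared keys"

def parse_blocks(text):
    """Group attribute lines under their 'crypto ...' block header."""
    blocks, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("crypto "):
            current, blocks[current] = line, []
        elif line and current is not None:
            blocks[current].append(line)
    return blocks

def proposal_names(attrs):
    # IKE proposal and IPsec transform-set names referenced by one block.
    names = []
    for a in attrs:
        if a.startswith("proposal "):
            names += a.split()[1:]
        elif a.startswith("set transform-set "):
            names += a.split()[2:]
    return names

def audit(text):
    """Sorted (block, item, reason) triples for every weak setting found."""
    findings = set()
    for header, attrs in parse_blocks(text).items():
        names = proposal_names(attrs)
        for name in names:
            for pat, reason in WEAK_PATTERNS.items():
                if re.search(pat, name):
                    findings.add((header, name, reason))
        if "exchange-mode aggressive" in attrs and any(n.endswith("-psk") for n in names):
            findings.add((header, "exchange-mode aggressive", AGGRESSIVE_PSK))
    return sorted(findings)
```

Running `audit(SAMPLE_CONFIG)` lists one finding per weak name per reason, so a proposal such as ez-ike-3des-md5-psk appears three times; a listing that only references AES/SHA/PFS sets and RSA proposals produces no findings.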
XSR with VPN - Central Gateway
In this scenario, as shown in Figure 14-12, a Central VPN gateway is set to perform the following:
- Terminate NEM and Client mode tunnels
- Terminate remote access L2TP/IPSec tunnels
- Terminate PPTP remote access tunnels
- OSPF routing with the next hop corporate router on the trusted VPN interface
- DF bit clear on the public VPN interface to handle large non-fragmentable IP frames
- OSPF routing over the multi-point VPN interface for other site-to-site tunnels
- Assign the first IP address of the pool to the multi-point VPN interface
Note: Pre-shared key proposals are used if a user name is supplied with a tunnel. If no user name is
supplied, EZ-IPSec verifies the XSR has one or more valid certificates and it uses RSA signature
authentication.