Enterasys Security Router User's Guide
Configuration Examples
14-36 Configuring the Virtual Private Network
XSR(config-tms-tunnel)#set peer 200.10.20.30
    Specifies the IP address of the remote peer
XSR(config-tms-tunnel)#set protocol ipsec network-extension-mode
    Selects IPSec to initiate a NEM tunnel connection
Most of the parameters shown below have been automatically entered by EZ-IPSec. Be aware that
they do not appear in the running-config file.
crypto isakmp peer 200.10.20.30/32
  proposal ez-ike-3des-sha-psk ez-ike-3des-md5-psk
  config-mode client
  exchange-mode aggressive
  nat-traversal automatic
crypto map ez-ipsec 100
  match address 100
  set peer 200.10.20.30
  mode tunnel
  set transform-set ez-esp-3des-sha-pfs ez-esp-3des-md5-pfs
  set transform-set ez-esp-aes-sha-pfs ez-esp-aes-md5-pfs
  set transform-set ez-esp-3des-sha-no-pfs ez-esp-3des-md5-no-pfs
  set transform-set ez-esp-aes-sha-no-pfs ez-esp-aes-md5-no-pfs
crypto map ez-ipsec 101
  match address 101
  set peer 200.10.20.30
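An added example, not from the Enterasys guide: a short Python checker that parses a listing in the format above (a line beginning with "crypto " opens a block, because the printed output has lost its indentation) and reports the settings a reviewer would want to examine, namely aggressive-mode IKE combined with the pre-shared-key proposals the Note on this page describes, and proposal or transform-set names that use 3DES or MD5 or omit PFS. The sample configuration, the finding codes and the name-suffix conventions (-psk, -no-pfs) it relies on are assumptions drawn from the listing.

```python
import re
# Constructed sample mirroring the EZ-IPSec listing on this page (assumption).
SAMPLE_CONFIG = """\
crypto isakmp peer 200.10.20.30/32
proposal ez-ike-3des-sha-psk ez-ike-3des-md5-psk
config-mode client
exchange-mode aggressive
nat-traversal automatic
crypto map ez-ipsec 100
match address 100
set peer 200.10.20.30
mode tunnel
set transform-set ez-esp-3des-sha-pfs ez-esp-3des-md5-pfs
set transform-set ez-esp-aes-sha-no-pfs ez-esp-aes-md5-no-pfs
"""

LEGACY = re.compile(r"(?:^|-)(3des|des|md5)(?:-|$)")  # legacy algorithm tokens in a name


def parse_crypto_config(text):
    """Group sub-commands under the preceding 'crypto ...' header; the printed
    listing has lost its indentation, so a 'crypto ' line opens a new block."""
    blocks = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("crypto "):
            blocks.append({"header": line, "lines": []})
        elif blocks:
            blocks[-1]["lines"].append(line)
    return blocks


def review_block(block):
    """Return (code, detail) findings for one crypto block."""
    hdr, lines, findings, names = block["header"], block["lines"], [], []
    for l in lines:  # collect the proposal / transform-set names offered in this block
        if l.startswith("proposal "):
            names += l.split()[1:]
        elif l.startswith("set transform-set "):
            names += l.split()[2:]
    psk = [n for n in names if n.endswith("-psk")]  # assumed naming convention
    if "exchange-mode aggressive" in lines and psk:
        findings.append(("AGGRESSIVE_PSK", f"{hdr}: {' '.join(psk)}"))
    for n in names:
        if LEGACY.search(n):
            findings.append(("LEGACY_ALG", f"{hdr}: {n}"))
        if n.endswith("-no-pfs"):
            findings.append(("NO_PFS", f"{hdr}: {n}"))
    return findings


def audit(text):  # one (code, detail) tuple per finding across the whole listing
    return [f for b in parse_crypto_config(text) for f in review_block(b)]
```

On the sample, audit(SAMPLE_CONFIG) returns one AGGRESSIVE_PSK finding for the ISAKMP peer block, five LEGACY_ALG findings and two NO_PFS findings for the transform sets ending in -no-pfs.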
XSR with VPN - Central Gateway
In this scenario, as shown in Figure 14-12, a Central VPN gateway is set to perform the following:
• Terminate NEM and Client mode tunnels
• Terminate remote access L2TP/IPSec tunnels
• Terminate PPTP remote access tunnels
• Run OSPF routing with the next-hop corporate router on the trusted VPN interface
• Clear the DF bit on the public VPN interface to handle large non-fragmentable IP frames
• Run OSPF routing over the multi-point VPN interface for other site-to-site tunnels
• Assign the first IP address of the pool to the multi-point VPN interface
Note: Pre-shared key proposals are used if a user name is supplied with a tunnel. If no user name is
supplied, EZ-IPSec verifies the XSR has one or more valid certificates and it uses RSA signature
authentication.