- Enterasys Security Router User's Guide

Configuration Examples
14-40 Configuring the Virtual Private Network
XSR(config-if)#encapsulation ppp
XSR(config-if)#ip address negotiated
XSR(config-if)#ip mtu 1492
XSR(config-if)#ip nat source assigned overload
XSR(config-if)#ppp pap sent-username pezhmon password pezhmon
Configure the Network Extension Mode (NEM) site-to-site IPSec tunnel to the central site XSR (Robo6):
XSR(config)#interface vpn 1 point-to-point
XSR(config-int-vpn)#ip address neg
XSR(config-int-vpn)#tunnel Pipe
XSR(config-tms-tunnel)#set user certificate
XSR(config-tms-tunnel)#set protocol ipsec network
XSR(config-tms-tunnel)#set active
XSR(config-tms-tunnel)#set peer 141.154.196.86
XSR(config-int-vpn)#ip ospf cost 110
XSR(config-int-vpn)#ip ospf priority 0
XSR(config-int-vpn)#ip ospf network nbma
XSR(config)#ip route 0.0.0.0 0.0.0.0 FastEthernet 2.2
Create hosts to resolve hostnames for the certificate servers for CRL retrieval:
XSR(config)#ip host parentca 141.154.196.89
XSR(config)#ip host childca2 141.154.196.81
XSR(config)#ip host childca1 141.154.196.83
Enable the OSPF engine, VPN (Central site pool) and FastEthernet 1 interfaces for routing:
XSR(config)#router ospf 1
XSR(config-router)#network 10.120.70.0 0.0.0.255 area 5.5.5.5
XSR(config-router)#network 172.16.1.0 0.0.0.255 area 5.5.5.5
Consult the XSR Getting Started Guide for another NEM example.
GRE Tunnel for OSPF
Tunnel A: XSR-3250 VPN GRE Site-to-Site Tunnel
The following is an example of a single GRE over IPSec tunnel between an XSR-3250 (Tunnel A)
and an XSR-1805 (Tunnel B) using IKE shared secrets for authentication.
1. Begin by creating an IPSec ACL to permit GRE traffic and protect it with IPSec. This ACL will
be used by a crypto map in Step 5.
XSR(config)#access-list 190 permit gre any any
2. Configure the ISAKMP proposal named shared, which uses IKE main mode, the md5 hash
algorithm, an IKE SA lifetime of 3000 seconds, group 2, 3des encryption, and IKE pre-shared
key authentication. The main mode, group 2, and 3DES values are defaults and are not
displayed in the configuration.
XSR(config)#crypto isakmp proposal shared
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#hash md5
XSR(config-isakmp)#lifetime 3000
3. Specify the IP address of the remote peer (Tunnel B) with which to hold the IKE conversation,
using the ISAKMP proposal shared:
XSR(config)#crypto isakmp peer 63.81.64.200 255.255.255.255
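
An added example, not taken from the Enterasys guide: Step 2 notes that main mode, group 2, and 3DES are defaults that are not displayed in the configuration, so a review of the displayed text alone does not see them. This Python code resolves the effective settings of each ISAKMP proposal and lists the ones matching an audit policy; the policy, the labels used for the defaults, and the function names are assumptions of the example.

```python
import re

# Defaults the guide says are in effect but not displayed in the configuration.
# The dictionary keys are labels chosen for this example, not confirmed XSR keywords.
IMPLICIT_DEFAULTS = {"mode": "main", "group": "2", "encryption": "3des"}

# Assumed audit policy (not from the guide): values treated as legacy-strength.
LEGACY = {"hash": {"md5"}, "encryption": {"des", "3des"}, "group": {"1", "2"}}

PROMPT = re.compile(r"^XSR\(([^)]*)\)#\s*(.*)$")

# Constructed sample: the Step 2 commands as printed in the guide.
SAMPLE = """\
XSR(config)#crypto isakmp proposal shared
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#hash md5
XSR(config-isakmp)#lifetime 3000
"""


def effective_proposals(text):
    """Return {proposal: {setting: (value, source)}} with implicit defaults filled in."""
    explicit, current = {}, None
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        mode, command = m.groups()
        words = command.split()
        if mode == "config" and len(words) == 4 and words[:3] == ["crypto", "isakmp", "proposal"]:
            current = explicit.setdefault(words[3], {})
        elif mode == "config-isakmp" and current is not None and len(words) >= 2:
            current[words[0]] = " ".join(words[1:])
        else:
            current = None  # any other prompt means we left the proposal sub-mode
    return {name: {**{k: (v, "implicit default") for k, v in IMPLICIT_DEFAULTS.items()},
                   **{k: (v, "configured") for k, v in cfg.items()}}
            for name, cfg in explicit.items()}


def legacy_findings(settings):
    """List (setting, value, source) for every value the assumed policy flags."""
    return [(k, *settings[k]) for k in sorted(LEGACY)
            if k in settings and settings[k][0] in LEGACY[k]]


if __name__ == "__main__":
    for name, settings in effective_proposals(SAMPLE).items():
        for setting, value, source in legacy_findings(settings):
            print(f"proposal {name}: {setting}={value} ({source})")
```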