Manualshelf

- Foundry Router User Guide

ManualsBrandsFoundry Networks ManualsNetwork RouterAR1216
261262263264265266267268269270
Security Features
June 2004 © 2004 Foundry Networks, Inc. 15 - 37
Example 5: Configuring IPSec Remote Access to Corporate LAN with Mode-
Configuration Method
The following example demonstrates how to configure a Foundry router to be an IPSec VPN server using mode-
configuration method. The client could be any standard mode configuration enabled IPSec VPN client.
In this example, the client needs to access the corporate private network 10.0.1.0/24 through the VPN tunnel. The
server has a pool of ip addresses from 20.1.1.100 through 20.1.1.150 to be allocated for mode configuration
enabled VPN clients. The assigned IP address will be used by the VPN client as the source address in the inner IP
header. The outer IP header will carry the dynamic IP address assigned by the Internet Service Provider as the
source address. The security requirements are as follows:
Phase 1: 3DES with SHA1, Mode Configuration
Phase 2: IPSec ESP tunnel with AES256 and HMAC-SHA1
T Router1# show crypto ipsec sa all detail
Crypto Policy name: INsales
Protocol is Any
Local ident(ip/mask/port): (192.168.107.105/255.255.255.255/any)
Remote ident(ip/mask/port): (10.0.1.0/255.255.255.0/any)
Peer Address is 172.16.0.1, PFS Group is disabled
inbound ESP sas
Spi: 0xf43c5e3b
Transform: aes256 (key length=256 bits), sha1
In use settings = {tunnel}
Bytes Processed 360
Hard lifetime in seconds 28780, Hard lifetime in kilobytes is
unlimited
Soft lifetime in seconds 0, Soft lifetime in kilobytes is
unlimited
Crypto Policy name: sales
Protocol is Any
Local ident(ip/mask/port): (10.0.1.0/255.255.255.0/any)
Remote ident(ip/mask/port): (192.168.107.105/255.255.255.255/any)