beautypg.com

Transport and tunnel modes, Vpn configuration task list, Creating an ipsec transformation profile – Patton electronic ONSITE 2800 User Manual

Page 69

background image

VPN configuration task list

69

OnSite 2800 Series User Manual

6 • VPN configuration

Transport and tunnel modes

The mode determines the payload of the ESP packet and hence the application:

Transport mode: Encapsulates only the payload of the original IP packet, but not its header, so the IPsec
peers must be at the endpoints of the communications link.

A secure connection between two hosts is the application of the transport mode.

Tunnel mode: Encapsulates the payload and the header of the original IP packet. The IPsec peers can be
(edge) routers that are not at the endpoints of the communications link.

A secure connection of the two (private) LANs, a ‘tunnel’, is the application of the tunnel mode.

VPN configuration task list

To configure a VPN connection, perform the following tasks:

Creating an IPsec transformation profile

Creating an IPsec policy profile

Creating/modifying an outgoing ACL profile for IPsec

Configuration of an IP Interface and the IP router for IPsec

Displaying IPsec configuration information

Debugging IPsec

Creating an IPsec transformation profile

The IPsec transformation profile defines which authentication and/or encryption protocols, which authentica-
tion and/or encryption algorithms shall be applied.

Procedure: To create an IPsec transformation profile

Mode: Configure

mac-sha1-96 }Enables authentication and defines the authentication protocol and the hash algorithm

Use no in front of the above commands to delete a profile or a configuration entry.

Example: Create an IPsec transformation profile

The following example defines a profile for AES-encryption at a key length of 128.

2800(cfg)#profile ipsec-transform AES_128
2800(pf-ipstr)[AES_128]#esp-encryption aes-cbc 128

Step

Command

Purpose

1

node(cfg)#profile ipsec-transform name

Creates the IPsec transformation profile name

2

optional

node(pf-ipstr)[name]#esp-encryption {
aes-cbc | des-cbc | 3des-cbc } [key-length]

Enables encryption and defines the encryp-
tion algorithm and the key length

3

optional

node(pf-ipstr)[name]#{ ah-authentication
| esp-authentication } {hmac-md5-96 |
hmac-sha1-96 }

Enables authentication and defines the
authentication protocol and the hash algo-
rithm

See also other documents in the category Patton electronic Hardware: