beautypg.com

Patton electronic ONSITE 2800 User Manual

Page 72

background image

VPN configuration task list

72

OnSite 2800 Series User Manual

6 • VPN configuration

Example: Create an IPsec policy profile

The following example defines a profile for AES-encryption at a key length of 128.

2800(cfg)#profile ipsec-policy-manual ToBurg
2800(pf-ipsma)[ToBurg]#use profile ipsec-transform AES_128
2800(pf-ipsma)[ToBurg]#session-key inbound esp-encryption
1234567890ABCDEF1234567890ABCDEF
2800(pf-ipsma)[ToBurg]#session-key outbound esp-encryption
FEDCBA0987654321FEDCBA0987654321
2800(pf-ipsma)[ToBurg]#spi inbound esp 1111
2800(pf-ipsma)[ToBurg]#spi outbound esp 2222
2800(pf-ipsma)[ToBurg]#peer 200.200.200.1
2800(pf-ipsma)[ToBurg]#mode tunnel

Creating/modifying an outgoing ACL profile for IPsec

An access control list (ACL) profile in the outgoing direction selects which outgoing traffic to encrypt and/or
authenticate, and which IPsec policy profile to use. IPsec does not require an incoming ACL.

Note

Outgoing and incoming IPsec traffic passes an ACL (if available)
twice, once before and once after encryption/authentication. So the
respective ACLs must permit the encrypted/authenticated and the
plain traffic.

For detailed information on how to set-up ACL rules, see chapter 7,

“Access control list configuration”

on

page 79.

Procedure: To create/modify an outgoing ACL profile for IPsec

Mode: Configure

Note

New entries are appended at the end of an ACL. Since the position in
the list is relevant, you might need to delete the ACL and rewrite it
completely.

Example: Create/modify an ACL profile for IPsec

The following example configures an outgoing ACL profile that interconnects the two private networks
192.168.1/24 and 172.16/16.

2800(cfg)#profile acl VPN_Out
2800(pf-acl)[VPN_Out]#permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255 ipsec-
policy ToBurg
2800(pf-acl)[VPN_Out]#permit ip any any

Step

Command

Purpose

1

node(cfg)#profile acl name

Creates or enters the ACL profile name

2

node(pf-ipstr)[name]#permit ...
[ ipsec-policy name ]

The expression ‘ipsec-policy name’ appended to a
permit ACL rule activates the IPsec policy profile
name to encrypt/authenticate the traffic identified
by this rule.

See also other documents in the category Patton electronic Hardware: