Selecting Policies: IKE/IPSec Transform-Sets – Enterasys Networks Security Router X-Pedition User Manual

Configuring the Virtual Private Network
VPN Configuration Overview
If an XSR is configured as a VPN gateway, its external interface (FastEthernet 2, for example) can be made
more restrictive by permitting only the VPN protocols and barring all other traffic. In the lists below,
ACL 100 covers traffic arriving at the gateway address 192.168.57.7 and ACL 101 covers traffic leaving it;
each permits only ESP (IP protocol 50), AH (IP protocol 51) and IKE (UDP port 500 to port 500), so anything
else, including management protocols such as SSH or SNMP, is dropped unless an entry is added for it:
XSR(config)#access-list 100 permit esp any host 192.168.57.7
XSR(config)#access-list 100 permit ah any host 192.168.57.7
XSR(config)#access-list 100 permit udp any eq 500 host 192.168.57.7 eq 500
XSR(config)#access-list 101 permit esp host 192.168.57.7 any
XSR(config)#access-list 101 permit ah host 192.168.57.7 any
XSR(config)#access-list 101 permit udp host 192.168.57.7 eq 500 any eq 500
The following ACL example is more open: it configures the XSR as a VPN concentrator while still
allowing internal users access to the Internet. ACLs 101 and 102 are applied to the external
interface, FastEthernet 2. ACL 101 admits IKE (UDP 500), GRE and TCP 1723 (PPTP), port 1701 (L2TP),
port 389 (LDAP), and, through the "established" entry, TCP replies to sessions opened from the inside;
everything else is explicitly denied. Note that, unlike the first example, neither list permits ESP or AH,
so IPsec tunnels terminating on this interface also need the corresponding entries shown above.
ACLs must be applied to the external interface of the XSR before the VPN configuration is created.
These ACLs are intended only for an XSR that is configured as a VPN concentrator and is also used
for Internet access.
XSR(config)#access-list 101 permit udp any any eq 500
XSR(config)#access-list 101 permit gre any any
XSR(config)#access-list 101 permit tcp any any established
XSR(config)#access-list 101 permit tcp any any eq 1723
XSR(config)#access-list 101 permit tcp any any eq 1701
XSR(config)#access-list 101 permit tcp any any eq 389
XSR(config)#access-list 101 pe ip host
XSR(config)#access-list 101 deny ip any any
XSR(config)#access-list 102 permit udp any any eq 500
XSR(config)#access-list 102 permit gre any any
XSR(config)#access-list 102 permit tcp any any eq 80
XSR(config)#access-list 102 permit tcp any any eq 1723
XSR(config)#access-list 102 permit tcp any any eq 1701
XSR(config)#access-list 102 permit tcp any any eq 389
XSR(config)#access-list 102 deny ip any any
XSR(config)#interface fastethernet 2
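To check what the two access-list examples above actually let through before committing them to the external interface, the following added example (not XSR code, and not from this manual) models the ACL syntax used on this page and evaluates constructed sample packets against it. It assumes first-match evaluation, an implicit deny at the end of every list, that "established" matches TCP segments with the ACK or RST bit set, and that the CLI accepts the unambiguous abbreviations ("per") the page uses; how the real device orders ACL processing and IPsec decryption is not modelled. The truncated "pe ip host" line from the page is omitted because its address is not on the page.

```python
# Added example: a small evaluator for the XSR-style access lists shown on this page.
from dataclasses import dataclass

# Lines copied from the first (restrictive VPN gateway) example on the page.
RESTRICTIVE_CONFIG = [
    "XSR(config)#access-list 100 permit esp any host 192.168.57.7",
    "XSR(config)#access-list 100 permit ah any host 192.168.57.7",
    "XSR(config)#access-list 100 per udp any eq 500 host 192.168.57.7 eq 500",
    "XSR(config)#access-list 101 permit esp host 192.168.57.7 any",
    "XSR(config)#access-list 101 permit ah host 192.168.57.7 any",
    "XSR(config)#access-list 101 per udp host 192.168.57.7 eq 500 any eq 500",
]

# Inbound list (ACL 101) of the second, "fairly open" concentrator example.
OPEN_CONFIG = [
    "XSR(config)#access-list 101 permit udp any any eq 500",
    "XSR(config)#access-list 101 permit gre any any",
    "XSR(config)#access-list 101 permit tcp any any established",
    "XSR(config)#access-list 101 permit tcp any any eq 1723",
    "XSR(config)#access-list 101 permit tcp any any eq 1701",
    "XSR(config)#access-list 101 permit tcp any any eq 389",
    "XSR(config)#access-list 101 deny ip any any",
]


@dataclass
class Packet:            # constructed test input, not a captured packet
    proto: str           # "tcp", "udp", "gre", "esp" or "ah"
    src: str
    dst: str
    sport: int = 0       # 0 for protocols without ports
    dport: int = 0
    ack: bool = False    # TCP ACK/RST bit set: what "established" matches


def _addr(tokens, i):
    """Parse 'any' or 'host A.B.C.D' at tokens[i]; return (matcher, next index)."""
    if tokens[i] == "any":
        return (lambda a: True), i + 1
    if tokens[i] == "host":
        want = tokens[i + 1]
        return (lambda a, w=want: a == w), i + 2
    raise ValueError(f"unsupported address spec: {tokens[i]}")


def _port(tokens, i):
    """Parse an optional 'eq N' at tokens[i]; absent means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        want = int(tokens[i + 1])
        return (lambda p, w=want: p == w), i + 2
    return (lambda p: True), i


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]'.
    A leading 'XSR(config)#' prompt is stripped; 'per'/'pe' style abbreviations accepted."""
    tokens = line.split("#", 1)[-1].split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    acl_id = int(tokens[1])
    action = next(a for a in ("permit", "deny") if a.startswith(tokens[2]))
    i = 4
    src, i = _addr(tokens, i)
    sport, i = _port(tokens, i)
    dst, i = _addr(tokens, i)
    dport, i = _port(tokens, i)
    return acl_id, {"action": action, "proto": tokens[3], "src": src, "sport": sport,
                    "dst": dst, "dport": dport, "established": "established" in tokens[i:]}


def build_acls(config_lines):
    """Group parsed entries by ACL number, preserving configuration order."""
    acls = {}
    for line in config_lines:
        acl_id, ace = parse_ace(line)
        acls.setdefault(acl_id, []).append(ace)
    return acls


def evaluate(acl, pkt):
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
            continue
        if not (ace["src"](pkt.src) and ace["dst"](pkt.dst)):
            continue
        if not (ace["sport"](pkt.sport) and ace["dport"](pkt.dport)):
            continue
        if ace["established"] and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return ace["action"]
    return "deny"


if __name__ == "__main__":
    gw, peer = "192.168.57.7", "203.0.113.5"           # constructed addresses
    samples = [("IKE", Packet("udp", peer, gw, 500, 500)),
               ("ESP", Packet("esp", peer, gw)),
               ("SSH to gateway", Packet("tcp", peer, gw, 40000, 22)),
               ("HTTP reply", Packet("tcp", peer, gw, 80, 40000, ack=True))]
    for name, acl in (("restrictive 100", build_acls(RESTRICTIVE_CONFIG)[100]),
                      ("open 101", build_acls(OPEN_CONFIG)[101])):
        for label, pkt in samples:
            print(f"{name:16} {label:15} -> {evaluate(acl, pkt)}")
```

Running it shows the difference that matters for the two deployments: the restrictive list passes IKE and ESP and drops an unsolicited SSH connection to the gateway, while the open list admits TCP replies to inside-initiated sessions but, having no ESP or AH entry, drops an ESP packet addressed to the concentrator.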
Selecting Policies: IKE/IPSec Transform-Sets
IKE proposals are configured with the crypto isakmp proposal command, which offers the following
parameters:
– Pre-shared key or RSA signature (public key) authentication
– Diffie-Hellman group 1, 2 or 5 (768-, 1024- or 1536-bit modulus); group 1 is considered too weak
for current use, so choose the largest group both peers support
– SA lifetimes