Configuration Examples: XSR with VPN - Central Gateway – Enterasys Networks Security Router X-Pedition™ User Manual

Configuration Examples
14-36 Configuring the Virtual Private Network
XSR(config-tms-tunnel)#set peer 200.10.20.30
+ Specifies the IP address of the remote peer
XSR(config-tms-tunnel)#set protocol ipsec network-extension-mode
+ Selects IPSec to initiate a NEM tunnel connection
Most of the parameters shown below have been automatically entered by EZ-IPSec. Be aware that
they do not appear in the running-config file.
crypto isakmp peer 200.10.20.30/32
 proposal ez-ike-3des-sha-psk ez-ike-3des-md5-psk
 config-mode client
 exchange-mode aggressive
 nat-traversal automatic
crypto map ez-ipsec 100
 match address 100
 set peer 200.10.20.30
 mode tunnel
 set transform-set ez-esp-3des-sha-pfs ez-esp-3des-md5-pfs
 set transform-set ez-esp-aes-sha-pfs ez-esp-aes-md5-pfs
 set transform-set ez-esp-3des-sha-no-pfs ez-esp-3des-md5-no-pfs
 set transform-set ez-esp-aes-sha-no-pfs ez-esp-aes-md5-no-pfs
crypto map ez-ipsec 101
 match address 101
 set peer 200.10.20.30
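
An added example (not from the XSR manual): a Python check that reads stanzas like the ones above, indented or flattened, and flags settings a security review would typically question: aggressive-mode IKE combined with pre-shared keys, MD5 or 3DES proposals, and transform sets without PFS. It assumes each proposal or transform-set name encodes its algorithms, as the ez-* names suggest; parse_stanzas and audit are hypothetical helper names.

```python
import re
# Constructed sample: the EZ-IPSec stanzas as printed on this page.
SAMPLE = """\
crypto isakmp peer 200.10.20.30/32
 proposal ez-ike-3des-sha-psk ez-ike-3des-md5-psk
 config-mode client
 exchange-mode aggressive
 nat-traversal automatic
crypto map ez-ipsec 100
 match address 100
 set peer 200.10.20.30
 mode tunnel
 set transform-set ez-esp-3des-sha-pfs ez-esp-3des-md5-pfs
 set transform-set ez-esp-aes-sha-pfs ez-esp-aes-md5-pfs
 set transform-set ez-esp-3des-sha-no-pfs ez-esp-3des-md5-no-pfs
 set transform-set ez-esp-aes-sha-no-pfs ez-esp-aes-md5-no-pfs
"""

def parse_stanzas(text):
    """Group lines into (header, sub-commands); a 'crypto ' line opens a stanza."""
    stanzas = []
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if line.startswith("crypto "):
            stanzas.append((line, []))
        elif stanzas:
            stanzas[-1][1].append(line)
    return stanzas

def audit(text):
    """Return sorted (stanza, issue, offending item) findings."""
    findings = set()
    for header, cmds in parse_stanzas(text):
        # Assumption: a proposal/transform-set name encodes its algorithms.
        names = [n for c in cmds
                 for m in [re.match(r"(?:proposal|set transform-set)\s+(.+)", c)] if m
                 for n in m.group(1).split()]
        if "exchange-mode aggressive" in cmds and any(n.endswith("-psk") for n in names):
            findings.add((header, "aggressive-mode-psk", "exchange-mode aggressive"))
        for n in names:
            for token in ("md5", "3des"):
                if token in n.split("-"):
                    findings.add((header, token, n))
            if n.endswith("-no-pfs"):
                findings.add((header, "no-pfs", n))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

Because these EZ-IPSec entries do not appear in the running-config file, the input has to be assembled from the defaults as documented rather than from a saved configuration.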
XSR with VPN - Central Gateway
In this scenario, as shown in
, a Central VPN gateway is set to perform the following:
• Terminate NEM and Client mode tunnels
• Terminate remote access L2TP/IPSec tunnels
• Terminate PPTP remote access tunnels
• OSPF routing with the next hop corporate router on the trusted VPN interface
• DF bit clear on the public VPN interface to handle large non-fragmentable IP frames
• OSPF routing over the multi-point VPN interface for other site-to-site tunnels
• Assign the first IP address of the pool to the multi-point VPN interface.
Note: Pre-shared key proposals are used if a user name is supplied with a tunnel. If no user name is
supplied, EZ-IPSec verifies the XSR has one or more valid certificates and it uses RSA signature
authentication.