beautypg.com

Configuring authentication (aaa) -30 – Enterasys Networks XSR-3150 User Manual

Page 74

background image

VPN Sample Configuration with Network Extension Mode

3-30 Software Configuration

Configuring Authentication (AAA)

Configure an AAA user and DEFAULT AAA group for remote users. When an ANG tunnels into
the XSR, it will be assigned dynamically to the IP pool AUTH. Be aware that groups must be
created before users can be added to them. Remember to create the same users and passwords on
the ANG. The IP address assigned to the AAA user is the remote gatewayIP address.

XSR(config)#ip local pool AUTH 192.168.2.0 255.255.255.0
XSR(config)#aaa user 112.16.244.9
XSR(aaa-user)#password dribble
XSR(aaa-user)#group DEFAULT
XSR(aaa-group)#pptp encrypt mppe auto
XSR(aaa-group)#ip pool AUTH
XSR(aaa-group)#policy vpn

VPN Sample Configuration with Network Extension Mode

The following sample topology is ideal for testing a VPN NEM tunnel connection on a LAN before
actually configuring a production network. If the configuration works properly, simply change
the GigabitEthernet settings to the Serial or T1 interface values of your choice.

The XSR below is configured as a VPN concentrator with Internet access allowed and Network
Extension Mode (NEM) tunnels set up. NEM is designed to open up network resources situated
behind the XSR. You configure NEM to provide routing for nodes connected to the trusted port of
the router so that locally and remotely connected devices can discover and communicate with
each other across an IKE/IPSec tunnel.

The XSR’s EZ-IPSec functionality is employed to automatically access default ESP transforms and
IPSec proposals.

Figure 3-6 VPN Topology with NEM, EZ-IPSec and Internet Access

The following script configures the VPN topology shown in

Figure 3-6

.

If you have not already generated a master encryption key, you must do so now to configure the
VPN. A master key need only be generated once.

Caution: The master encryption key is stored in hardware, not Flash, and you cannot read the
key - only overwrite the old key by writing a new one. To ensure router security, it is critical not to
compromise the key. There are situations where you may want to keep the key, for example, to
save the user database off-line in order to later download it to the XSR. In order to encrypt the
user database, you need the same master key, indicating the key designation with the master key
specify command. Be aware that if the XSR is inoperable you may have to return to factory
defaults, which erases the master key forcing you to generate a new one.

SEC

URIT

Y R

OUT

ERS

XSR

-1850

ETH

ERN

ET

POR

T 1

ETH

ERN

ET

POR

T 2

SYS

VPN

CON

SOLE

NIM

1

NIM

2

10/10

0BT

10/10

0BT

ACT

ACT

POW

ER

26.26.26.0/24

172.16.10.0

XSR

GigabitEthernet 1: 172.16.10/24

GigabitEthernet 2: 26.26.26.10/24
Virtual IP Pool: 172.16.10.0/24

eth0: 10.12.12.1/24

eth1: 26.26.26.12/24

eth0: 10.11.11.1/24
eth1: 26.26.26.11/24

SEC

URIT

Y RO

UTE

RS

XSR

-1850

ETH

ER

NET

POR

T 1

ETH

ERN

ET

POR

T 2

SYS

VPN

CON

SOLE

NIM

1

NIM

2

10/10

0BT

10/100

BT

ACT

AC

T

POW

ER

XSR

SEC

URITY

ROU

TER

S

XSR

-1850

ETH

ERN

ET

POR

T 1

ETHE

RNE

T

POR

T 2

SYS

VPN

CON

SOLE

NIM

1

NIM

2

10/10

0BT

10/1

00BT

ACT

ACT

POW

ER

XSR

See also other documents in the category Enterasys Networks Hardware: