XSR User's Guide
Chapter 11: Configuring the Virtual Private Network
VPN Configuration Overview
Next, perform the following:
1. Generate a master key once on the XSR.
2. Define a Security Policy Database (SPD) by configuring crypto ACLs, which specify the type of traffic to be secured.
3. Specify policies: IKE and IPSec transform-sets, which spell out authentication, encryption, data integrity, policy lifetime, and other parameters to use when negotiating IPSec Security Associations (SAs) with IPSec peers.
4. Create crypto maps to apply the SPD, transform-sets, and ACLs to an interface.
5. Configure authentication via AAA and/or PKI.
6. Set up optional auxiliary functions, including RADIUS, IP address assignment, and NAT.
7. Optionally configure a VPN interface.
Master Key Generation
The XSR stores sensitive data such as user names, passwords, and certificates. Because retaining this data in the clear would pose a security risk, the XSR uses a master encryption key to encode locally stored information. The router is not supplied with a master encryption key at the factory; you must generate one manually before starting any VPN configuration. To do so:
Enter crypto key master generate in Global configuration mode.
WARNING
The master encryption key is stored in hardware, not Flash, and you cannot read the key; you can only overwrite the old key by writing a new one. To ensure router security, it is critical not to compromise the key. There are situations where you may want to keep the key, for example, to save the user database off-line in order to later download it to the XSR. To encrypt (and later reload) the user database you need the same master key, which you indicate by its designation with the master key specify command.
Be aware that if the XSR is inoperable and you press the Default button, the master key is erased and you must generate a new one.
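The consequence described in the warning, as an added illustration that is not part of the original guide and does not reproduce the XSR's actual storage format: a user database saved off-line under one master key cannot be reloaded after the key has been regenerated, but can be reloaded when the original key is specified again. The authenticated stream construction below (SHA-256 keystream plus HMAC) is a constructed model chosen only to make the key mismatch detectable.

```python
import hashlib
import hmac
import secrets

USER_DB = b"username=admin;password=<placeholder>"  # constructed sample record

def generate_master_key() -> bytes:
    # Model of 'crypto key master generate': a fresh random 256-bit key.
    return secrets.token_bytes(32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream derived from the master key (model only).
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt_store(master_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || HMAC tag.
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(master_key, nonce, len(plaintext))))
    tag = hmac.new(master_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_store(master_key: bytes, blob: bytes) -> bytes:
    # Reject the blob if the key does not match, instead of returning garbage.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(master_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master key or corrupted store")
    return bytes(c ^ k for c, k in zip(ct, _keystream(master_key, nonce, len(ct))))

def reload_scenario() -> dict:
    # Save the user database under key A, then model both recovery paths.
    key_a = generate_master_key()
    saved_db = encrypt_store(key_a, USER_DB)
    key_b = generate_master_key()  # key regenerated, e.g. after the Default button
    try:
        decrypt_store(key_b, saved_db)
        readable_after_regenerate = True
    except ValueError:
        readable_after_regenerate = False
    # Model of 'master key specify': the original key is supplied again.
    readable_with_original = decrypt_store(key_a, saved_db) == USER_DB
    return {"after_regenerate": readable_after_regenerate,
            "with_original_key": readable_with_original}
```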