XSR User’s Guide 259
Chapter 11 VPN Configuration Overview
Configuring the Virtual Private Network
XSR(config)#access-list 102 permit gre any any
XSR(config)#access-list 102 permit tcp any any eq 80
XSR(config)#access-list 102 permit tcp any any eq 1723
XSR(config)#access-list 102 permit tcp any any eq 1701
XSR(config)#access-list 102 permit tcp any any eq 389
XSR(config)#access-list 102 deny ip any any
XSR(config)#interface fastethernet 2
XSR(config-if<F2>)#ip access-group 101 in
XSR(config-if<F2>)#ip access-group 102 out
Selecting Policies: IKE/IPSec Transform-Sets
IKE transform-sets are configured by the crypto isakmp proposal
command with the following parameters available:
– Pre-shared key or RSA signature (public key) authentication
– 3DES, AES, or DES encryption
– Diffie-Hellman groups 1, 2, and 5 (768-, 1024-, and 1536-bit)
– MD5 or SHA-1 hash algorithms
– SA lifetimes
More than one IKE proposal can be specified on each node. When IKE
negotiation begins, it searches for a proposal that both peers have
configured with identical parameters. Additional IKE parameters are
configured with the crypto isakmp peer command; they take effect when the
configured peer address/subnet matches the IP address of the peer. The
wildcard 0.0.0.0 0.0.0.0 may be used to match any peer. Other configurable
IKE values are:
– IKE peer address/subnet
– IKE proposal list
– Mode-config options: client or server
– IKE exchange mode: main or aggressive
– NAT options: automatic, enabled, or disabled
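As an added illustration (not part of the guide and not the XSR's own code), the following Python model shows the two behaviours described above: choosing the crypto isakmp peer entry whose address/subnet covers the peer, with 0.0.0.0 0.0.0.0 as the catch-all, and reconciling two peers' ordered proposal lists to the first proposal both hold with identical parameters. It also flags the weaker options the guide lists (DES, MD5, group 1), which a reviewer would want to see removed from a proposal list. Treating the second address as a subnet mask, and all names and sample values, are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    """One 'crypto isakmp proposal' entry (field names are assumptions)."""
    auth: str        # "pre-share" or "rsa-sig"
    encryption: str  # "des", "3des" or "aes"
    group: int       # Diffie-Hellman group 1, 2 or 5
    hash: str        # "md5" or "sha"
    lifetime: int    # SA lifetime in seconds


# Options the guide offers that a reviewer would flag as weak (assumed policy).
WEAK = {"encryption": {"des"}, "group": {1}, "hash": {"md5"}}


def weaknesses(p: Proposal) -> list[str]:
    """Return the parameters of a proposal that fall in the weak set."""
    return [f"{f}={getattr(p, f)}" for f, bad in WEAK.items() if getattr(p, f) in bad]


def select_peer_policy(peer_ip: str, policies: list[tuple[str, str, list[Proposal]]]):
    """Pick the most specific (address, mask, proposals) entry covering peer_ip.
    The 0.0.0.0 0.0.0.0 entry becomes 0.0.0.0/0 and so matches any peer."""
    best = None
    for addr, mask, proposals in policies:
        net = ipaddress.IPv4Network((addr, mask), strict=False)
        if ipaddress.IPv4Address(peer_ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, proposals)
    return best[1] if best else None


def negotiate(initiator: list[Proposal], responder: list[Proposal]):
    """IKE selects the first initiator proposal the responder also holds with identical parameters."""
    responder_set = set(responder)
    return next((p for p in initiator if p in responder_set), None)


# Constructed sample data: two sites' ordered proposal lists and the peer entries.
SITE_A = [Proposal("pre-share", "aes", 5, "sha", 3600), Proposal("pre-share", "3des", 2, "sha", 3600)]
SITE_B = [Proposal("pre-share", "des", 1, "md5", 86400), Proposal("pre-share", "3des", 2, "sha", 3600)]
PEER_POLICIES = [("0.0.0.0", "0.0.0.0", SITE_B), ("192.0.2.0", "255.255.255.0", SITE_A)]

if __name__ == "__main__":
    chosen = negotiate(SITE_A, SITE_B)
    print("negotiated:", chosen, "| weak parameters in peer's first proposal:", weaknesses(SITE_B[0]))
```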
IPSec transform-sets are configured with the crypto ipsec transform-set
command. For AH, ESP, or IP compression you can choose the following values:
– MD5-HMAC or SHA-HMAC hashing algorithms
– COMP-LZS IP compression (LZS compression algorithm)
– 3DES, AES or DES encryption