XSR User's Guide (page 260)
Chapter 11: Configuring the Virtual Private Network
VPN Configuration Overview
Security Policy Considerations
You should be aware of these considerations when configuring security policy:

DES is a weaker form of encryption than 3DES and provides a lower level of security than the newer algorithm. We recommend 3DES.

Selecting any Perfect Forward Secrecy (PFS) option makes each key generated for data encryption independent of previous keys. If a key is compromised, the next key generated by the Phase 2 exchange cannot be determined from the value of the previous key. This comes at the cost of slightly lower performance, because each Phase 2 exchange performs a fresh Diffie-Hellman computation.

Two IPSec encapsulation modes, tunnel and transport, are supported. The default, tunnel mode, is typically used with VPNs because it is more inclusive: it encapsulates the entire original IP packet, including its header, whereas transport mode protects only the payload of the original packet.
Configuring Policy
The following example defines a simple IKE Phase 1 proposal, a remote peer, and an IPSec transform set. First, configure the IKE proposal try1:
XSR(config)#crypto isakmp proposal try1
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#encryption aes
XSR(config-isakmp)#hash md5
XSR(config-isakmp)#group 5
XSR(config-isakmp)#lifetime 40000
Configure IKE policy for the remote peer, assuming that two other IKE
proposals (try2 and try3) have been configured:
XSR(config)#crypto isakmp peer 192.168.57.33/32
XSR(config-isakmp-peer)#proposal try1 try2 try3
XSR(config-isakmp-peer)#config-mode gateway
XSR(config-isakmp-peer)#nat auto
Configure the IPSec transform set. You can specify both a kilobyte and a seconds SA lifetime value, or just one. Some commands below are abbreviated to a unique prefix of the keyword (for example, cry ips tr stands for crypto ipsec transform-set):
XSR(config)#cry ips tr esp-3des-sha esp-3des esp-sha-hmac
XSR(cfg-crypto-tran)#set pfs group1
XSR(cfg-crypto-tran)#set sec lifetime kilobytes 500000
XSR(cfg-crypto-tran)#set sec lifetime seconds 3000
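As an added example (not part of the guide and not XSR software), the script below applies the policy considerations above to the CLI session just shown. It parses a captured session by reading the mode name inside each prompt (config, config-isakmp, cfg-crypto-tran) and flags single DES, MD5 hashing, small Diffie-Hellman groups, and transform sets with no PFS. The session text is the page's own commands, reproduced as a constructed sample; the hardened variant and the keyword spellings 3des, sha and group5 are assumptions modelled on the page's own syntax, as is the rule that any unique keyword prefix is an accepted abbreviation.

```python
import re

# Constructed sample: the exact CLI session shown on this page. The prompts
# are kept because the mode name in parentheses tells the parser which object
# (ISAKMP proposal, peer, transform set) each command belongs to.
PAGE_SESSION = """\
XSR(config)#crypto isakmp proposal try1
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#encryption aes
XSR(config-isakmp)#hash md5
XSR(config-isakmp)#group 5
XSR(config-isakmp)#lifetime 40000
XSR(config)#crypto isakmp peer 192.168.57.33/32
XSR(config-isakmp-peer)#proposal try1 try2 try3
XSR(config-isakmp-peer)#config-mode gateway
XSR(config-isakmp-peer)#nat auto
XSR(config)#cry ips tr esp-3des-sha esp-3des esp-sha-hmac
XSR(cfg-crypto-tran)#set pfs group1
XSR(cfg-crypto-tran)#set sec lifetime kilobytes 500000
XSR(cfg-crypto-tran)#set sec lifetime seconds 3000
"""

# Constructed hardened variant (assumed keyword spellings: 3des, sha, group5).
HARDENED_SESSION = """\
XSR(config)#crypto isakmp proposal try1
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#encryption 3des
XSR(config-isakmp)#hash sha
XSR(config-isakmp)#group 5
XSR(config-isakmp)#lifetime 40000
XSR(config)#crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
XSR(cfg-crypto-tran)#set pfs group5
XSR(cfg-crypto-tran)#set security-association lifetime seconds 3000
"""

# "XSR(config-isakmp)#hash md5" -> mode "config-isakmp", command "hash md5"
PROMPT_RE = re.compile(r"^\s*XSR\((?P<mode>[^)]*)\)#\s*(?P<cmd>.*\S)\s*$")

WEAK_ENCRYPTION = {"des"}                 # single DES; the guide recommends 3DES
WEAK_HASHES = {"md5"}                     # collision-broken; prefer the SHA family
WEAK_DH_GROUPS = {"1", "2"}               # 768- and 1024-bit MODP groups
WEAK_PFS_GROUPS = {"group1", "group2"}
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "ah-md5-hmac"}


def abbrev(token, full):
    """Assumed CLI rule: a token matches a keyword if it is a prefix of it
    (e.g. 'cry' -> 'crypto', 'tr' -> 'transform-set')."""
    return bool(token) and full.startswith(token.lower())


def parse_session(text):
    """Turn a captured session into (mode, tokens) pairs, ignoring any line
    that does not carry a prompt (prose, blank lines)."""
    entries = []
    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            entries.append((m.group("mode"), m.group("cmd").split()))
    return entries


def audit(text):
    """Return (severity, object, message) findings for weak IKE/IPsec settings.
    Only settings visible in the session are judged; nothing is inferred."""
    findings = []
    proposal = transform = None
    pfs_of = {}  # transform-set name -> PFS group, or None if never set

    for mode, toks in parse_session(text):
        if mode == "config":
            proposal = transform = None
            if len(toks) >= 4 and abbrev(toks[0], "crypto"):
                if abbrev(toks[1], "isakmp") and abbrev(toks[2], "proposal"):
                    proposal = toks[3]
                elif abbrev(toks[1], "ipsec") and abbrev(toks[2], "transform-set"):
                    transform = toks[3]
                    pfs_of.setdefault(transform, None)
                    for t in toks[4:]:
                        if t.lower() in WEAK_TRANSFORMS:
                            findings.append(("weak", transform, f"transform {t} uses DES or MD5"))
        elif mode == "config-isakmp" and proposal:
            key, val = toks[0], (toks[1].lower() if len(toks) > 1 else "")
            if abbrev(key, "encryption") and val in WEAK_ENCRYPTION:
                findings.append(("weak", proposal, f"encryption {val}: single DES, use 3des or aes"))
            elif abbrev(key, "hash") and val in WEAK_HASHES:
                findings.append(("weak", proposal, f"hash {val}: use sha"))
            elif abbrev(key, "group") and val in WEAK_DH_GROUPS:
                findings.append(("weak", proposal, f"DH group {val}: use group 5 or larger"))
        elif mode == "cfg-crypto-tran" and transform:
            if len(toks) >= 3 and abbrev(toks[0], "set") and abbrev(toks[1], "pfs"):
                group = toks[2].lower()
                pfs_of[transform] = group
                if group in WEAK_PFS_GROUPS:
                    findings.append(("weak", transform, f"pfs {group}: small DH group, use group5 or larger"))

    for name, group in pfs_of.items():
        if group is None:
            findings.append(("warn", name, "no 'set pfs': Phase 2 keys are not independent of earlier keys"))
    return findings


if __name__ == "__main__":
    for label, session in (("page session", PAGE_SESSION), ("hardened", HARDENED_SESSION)):
        print(f"== {label} ==")
        for sev, obj, msg in audit(session) or [("ok", "-", "no weak settings found")]:
            print(f"[{sev}] {obj}: {msg}")
```

Run against the page's own session the audit reports two items: proposal try1 negotiates with hash md5, and transform set esp-3des-sha requests PFS with group1, the smallest Diffie-Hellman group. The hardened session produces no findings. The parser deliberately keys off the prompt rather than indentation, so it works on pasted terminal captures where indentation is lost.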