XSR User's Guide
Chapter 11 VPN Configuration Overview
Configuring the Virtual Private Network
Creating Crypto Maps
Crypto maps filter and classify packets and define the policy applied to those
packets. Filtering and classification affect the traffic flow on an interface,
while the policy affects the negotiation performed (via IKE) on behalf of that
traffic. An IPSec crypto map links definitions of the following:
• Which traffic should be protected. The traffic is described by an ACL and
selected with match address.
• Which IPSec peers the protected traffic can be forwarded to, set with
set peer. These are the peers with which an SA can be set up.
• Which transform-sets are acceptable for the protected traffic, configured
with set transform-set.
• How keys and SAs are used.
• Which encapsulation type, tunnel or transport, should be used, configured
with mode.
• Which SAs should be sought for each source/destination host pair, set with
set security-association level per-host. This command requests a separate
SA for each source/destination host pair (per data stream). When it is off,
which is the default, a single SA is requested for each ACL permit entry, and
every data stream matching that entry passes through the same SA.
Configuring Crypto Maps
Crypto maps are a collection of rules indexed by their sequence number. For a
given interface, certain traffic can be forwarded to one IPSec peer with specified
security applied to it, and other traffic forwarded to the same or a different
IPSec peer with different IPSec security applied.
To do so, create two crypto map entries, each with the same map-name but each
with a different seq-num. Entries sharing a given map-name are searched in
ascending order of seq-num, and the first entry whose ACL permits the packet
decides the policy, so overlapping entries should be ordered from most specific
to least specific. The crypto map seq-num is only an ordering key. It is not
the anti-replay sequence number that IPSec carries in each ESP or AH header;
that per-packet counter is what lets the receiver reject duplicate and old
packets, so that an intruder who captures a conversation cannot replay it
through the tunnel.
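The selection process described above, as an added Python model (this is illustration code, not XSR firmware or output): entries of one map-name are tried in ascending seq-num order, the crypto ACL is mirrored for inbound traffic, and the SA granularity follows set security-association level per-host. ACL 140 is the one on this page; the second entry (seq 88), its ACL 141, the peer addresses and the transform-set names are hypothetical.

```python
"""Added example: how a crypto map classifies a flow and picks its policy."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """'192.168.57.0 0.0.0.255' -> 192.168.57.0/24. A wildcard that is not
    the inverse of a contiguous prefix is rejected rather than guessed."""
    wc = int(IPv4Address(wildcard))
    mask = (~wc) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not a prefix")
    return IPv4Network((int(IPv4Address(addr)) & mask, prefixlen))


@dataclass(frozen=True)
class AclEntry:
    src: IPv4Network
    dst: IPv4Network
    permit: bool = True

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src and dst in self.dst


@dataclass(frozen=True)
class CryptoMapEntry:
    map_name: str
    seq: int                 # crypto map <map-name> <seq-num>
    acl: tuple               # match address <acl-number>
    peer: str                # set peer
    transform_set: str       # set transform-set
    mode: str = "tunnel"     # mode tunnel | transport
    per_host: bool = False   # set security-association level per-host

    def matching_ace(self, src, dst) -> Optional[AclEntry]:
        for ace in self.acl:            # first matching ACL entry wins
            if ace.matches(src, dst):
                return ace if ace.permit else None
        return None                     # implicit deny


def select_entry(crypto_map, src, dst):
    """Try entries sharing a map-name in ascending seq-num order."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        ace = entry.matching_ace(src, dst)
        if ace is not None:
            return entry, ace
    return None, None                   # not selected for IPSec


def sa_selector(entry, ace, src, dst):
    """Traffic selector the SA is negotiated for: one SA per host pair with
    per-host, otherwise one SA covering the whole ACL permit entry."""
    if entry.per_host:
        return (f"{src}/32", f"{dst}/32")
    return (str(ace.src), str(ace.dst))


def classify(crypto_map, src: str, dst: str, inbound: bool = False):
    """Policy a packet gets, or None if no entry selects it. Inbound packets
    are checked against the mirrored crypto ACL (src/dst swapped), which is
    what makes the ACL effectively bi-directional."""
    s, d = IPv4Address(src), IPv4Address(dst)
    if inbound:
        s, d = d, s
    entry, ace = select_entry(crypto_map, s, d)
    if entry is None:
        return None
    return {"seq": entry.seq, "peer": entry.peer,
            "transform_set": entry.transform_set, "mode": entry.mode,
            "sa": sa_selector(entry, ace, s, d)}


# Constructed configuration. ACL 140 is from the manual; ACL 141, the seq 88
# entry, the peer addresses and the transform-set names are hypothetical.
ACL_140 = (AclEntry(wildcard_to_network("192.168.57.0", "0.0.0.255"),
                    wildcard_to_network("192.168.58.0", "0.0.0.255")),)
ACL_141 = (AclEntry(wildcard_to_network("192.168.57.0", "0.0.0.255"),
                    wildcard_to_network("0.0.0.0", "255.255.255.255")),)  # any

HIGHFLOW = [   # listed out of order on purpose; seq-num decides evaluation
    CryptoMapEntry("highflow", 88, ACL_141, peer="203.0.113.9",
                   transform_set="ts-b", per_host=True),
    CryptoMapEntry("highflow", 77, ACL_140, peer="198.51.100.2",
                   transform_set="ts-a"),
]

if __name__ == "__main__":
    # Overlaps both entries; seq 77 wins because it is evaluated first.
    print(classify(HIGHFLOW, "192.168.57.10", "192.168.58.20"))
    # Matches only seq 88; per-host gives a /32 pair selector.
    print(classify(HIGHFLOW, "192.168.57.10", "10.20.3.4"))
```

The inbound case is the one worth trying: a return packet from 192.168.58.20 to 192.168.57.10 is selected by entry 77 only because the crypto ACL is mirrored; checked in the outbound direction it matches nothing, which is the behaviour the manual summarises as the match command making ACL 140 bi-directional.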
The following crypto map, highflow with sequence number 77, is correlated with
the specified transform-set and with ACL 140 by the match address command. The
crypto ACL is applied to outbound traffic and mirrored for inbound traffic,
which makes ACL 140 effectively bi-directional. The map is attached to a remote
gateway with set peer, requests only one SA for each crypto map ACL permit
entry (per-host is not set), and uses IPSec tunnel mode, the default, once a
peer is configured with set peer.
XSR(config)#access-list 140 permit ip 192.168.57.0 0.0.0.255 192.168.58.0 0.0.0.255
XSR(config)#crypto map highflow 77