User's Guide

272 XSR Users Guide
Configuring a Simple VPN Site-to-Site Application Chapter 11
Configuring the Virtual Private Network
the VPN. In the context of VPN configuration, permit means protect (encrypt)
the traffic, and deny means do not encrypt it; allow it through as is.
XSR(config)#access-list 120 permit ip 141.154.196.64 0.0.0.63 63.81.66.0 0.0.0.255
XSR(config)#access-list 130 permit ip 63.81.64.0 0.0.0.255 63.81.66.0 0.0.0.255
XSR(config)#access-list 140 permit ip 63.81.68.0 0.0.0.255 63.81.66.0 0.0.0.255
4 Set up IKE Phase 1 protection by entering the following commands:
XSR(config)#crypto isakmp proposal Test
+ Designates ISAKMP proposal Test and acquires ISAKMP mode
XSR(config-isakmp)#authentication [pre-share | rsa]
+ Selects pre-shared key or certificates rsa-sig
XSR(config-isakmp)#encryption [aes | 3des | des]
+ Chooses encryption algorithm
XSR(config-isakmp)#hash [md5 | sha1]
+ Selects data integrity algorithm
XSR(config-isakmp)#group [1 | 2 | 5]
+ Chooses Diffie-Hellman group
XSR(config-isakmp)#lifetime <seconds>
+ Sets IKE lifetime value
5 Configure IKE policy for the remote peer. Multiple IKE proposals can be
configured on each peer participating in IPSec. When IKE negotiation
begins, it tries to find a common proposal (policy) on both peers, that is,
a proposal containing exactly the same encryption, hash, authentication,
and Diffie-Hellman parameters (lifetime does not necessarily have to
match).
XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0
+ Configures the IKE peer IP address/subnet and acquires ISAKMP mode
XSR(config-isakmp-peer)#proposal Test
+ Specifies the proposal list for this peer (here, the single proposal Test)
XSR(config-isakmp-peer)#exchange mode [main | aggressive]
+ Selects IKE main mode
XSR(config-isakmp-peer)#nat-traversal [auto | enabled | disabled]
+ Selects NAT traversal setting
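The matching rule from step 5, as an added example (not code from the XSR guide or the router itself): two peers share a proposal only when authentication, encryption, hash, and Diffie-Hellman group are all identical, while lifetime is ignored. The Proposal type, the function names, and the sample settings are constructed for illustration, and trying proposals in configured order is an assumption.

```python
from typing import List, NamedTuple, Optional, Sequence, Tuple


class Proposal(NamedTuple):
    name: str
    authentication: str  # pre-share | rsa
    encryption: str      # aes | 3des | des
    hash_alg: str        # md5 | sha1
    group: int           # Diffie-Hellman group 1 | 2 | 5
    lifetime: int        # seconds; deliberately excluded from matching

    def match_key(self) -> tuple:
        # Only these four parameters must be exactly the same on both peers.
        return (self.authentication, self.encryption, self.hash_alg, self.group)


def find_common(local: Sequence[Proposal],
                remote: Sequence[Proposal]) -> Optional[Tuple[Proposal, Proposal]]:
    """Return the first (local, remote) pair that agrees on all four parameters."""
    # Assumption: proposals are tried in configured order and the first match wins.
    for mine in local:
        for theirs in remote:
            if mine.match_key() == theirs.match_key():
                return mine, theirs
    return None


def differing_fields(a: Proposal, b: Proposal) -> List[str]:
    """Name the parameters that block a match; useful when Phase 1 fails."""
    names = ("authentication", "encryption", "hash_alg", "group")
    return [n for n in names if getattr(a, n) != getattr(b, n)]


# Constructed sample settings; the guide leaves the actual choices to the operator.
CENTRAL = [Proposal("Test", "pre-share", "3des", "sha1", 2, 28800)]
BRANCH = [
    Proposal("branch-a", "pre-share", "3des", "md5", 2, 28800),  # hash differs
    Proposal("branch-b", "pre-share", "3des", "sha1", 2, 3600),  # only lifetime differs
]

if __name__ == "__main__":
    match = find_common(CENTRAL, BRANCH)
    print("common proposal:", match and (match[0].name, match[1].name))
    for theirs in BRANCH:
        diff = differing_fields(CENTRAL[0], theirs)
        print(theirs.name, "blocked by:", diff or "nothing (lifetime is not compared)")
```
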
6 Create a transform-set which adds the specified encryption/data integrity
algorithms, 768-bit (Group 1) Diffie-Hellman, and your choice of an SA