User's guide

274 XSR Users Guide
Configuring the VPN Using EZ-IPSec Chapter 11
Configuring the Virtual Private Network
XSR(config-crypto-m)#match address 130
+ Applies map to ACL 130 and renders the ACL bi-directional
XSR(config-crypto-m)#set peer 1.1.1.2
+ Attaches map to peer
XSR(config-crypto-m)#mode [tunnel | transport]
+ Selects IPSec mode
XSR(config-crypto-m)#set security-association level per-host
+ Sets a separate SA for every traffic flow
8 Configuring the XSR VPN interface is the last main task to perform to set
up the VPN.
XSR(config)#interface fastethernet 2
+ Adds FastEthernet port 2 and acquires Interface mode
XSR(config-if<F2>)#crypto map Test
+ Attaches Crypto Map to interface and acquires Crypto Map mode
XSR(config-crypto-m)#description "external interface"
+ Names the interface
XSR(config-crypto-m)#ip address 141.154.196.78 255.255.255.192
+ Adds IP address/subnet to interface
XSR(config-crypto-m)#no shutdown
+ Enables interface
Consult the XSR Getting Started Guide for another site-to-site configuration
example.
Configuring the VPN Using EZ-IPSec
The XSR’s VPN provides a simple, largely automatic, IPSec configuration
option called EZ-IPSec which predefines a variety of IKE and IPSec proposals
and transforms, combining those objects with dynamically-defined Security
Policy database rules.
This suite of IPSec and IKE policies, sorted by cryptographic strength, is
offered to the central gateway which selects one policy based on its local
configuration. EZ-IPSec also relies upon the IKE Mode Configuration
protocol to obtain an IP address from the central gateway.
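The offer-and-select exchange described above, as an added Python example that is not XSR code or output. The proposal values, strength ranks and first-match selection rule are constructed assumptions, not the XSR's actual predefined EZ-IPSec proposals.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proposal:
    encryption: str
    integrity: str
    dh_group: int

# Constructed relative strength ranks (higher is stronger); illustrative only.
ENC_RANK = {"des": 0, "3des": 1, "aes128": 2, "aes256": 3}
INT_RANK = {"md5": 0, "sha1": 1}

def strength(p):
    """Sort key: cipher first, then hash, then Diffie-Hellman group."""
    return (ENC_RANK[p.encryption], INT_RANK[p.integrity], p.dh_group)

def build_offer(proposals):
    """Remote side: offer the whole predefined suite, strongest first."""
    return sorted(proposals, key=strength, reverse=True)

def select(offer, local_policy):
    """Central gateway: accept the first offered proposal that its local
    configuration allows (assumed selection rule)."""
    for p in offer:
        if p in local_policy:
            return p
    return None  # no proposal in common, so negotiation fails

def audit(offer, local_policy, min_enc="aes128"):
    """Flag a negotiated result weaker than an operator-chosen minimum."""
    chosen = select(offer, local_policy)
    if chosen is None:
        return "no-match"
    return "ok" if ENC_RANK[chosen.encryption] >= ENC_RANK[min_enc] else "weak"

# Constructed sample data: one remote suite, two possible gateway configs.
REMOTE = [Proposal("3des", "md5", 2), Proposal("aes256", "sha1", 5),
          Proposal("des", "md5", 1), Proposal("aes128", "sha1", 2)]
GATEWAY_STRICT = {Proposal("aes256", "sha1", 5), Proposal("aes128", "sha1", 2)}
GATEWAY_LEGACY = {Proposal("des", "md5", 1), Proposal("3des", "md5", 2)}

if __name__ == "__main__":
    offer = build_offer(REMOTE)
    for name, policy in (("strict", GATEWAY_STRICT), ("legacy", GATEWAY_LEGACY)):
        print(name, select(offer, policy), audit(offer, policy))
```

Because the remote side offers its whole suite, the central gateway's local configuration decides which strength is actually negotiated.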
EZ-IPSec is invoked using the crypto ezipsec command in Interface mode
to create a set of standard IPSec policies, relieving you of the complex manual
process. It enables dynamic routing over an IPSec tunnel:
Via Client or Network Extension Mode