XSR User’s Guide 275
Chapter 11 Configuring the VPN Using EZ-IPSec
Configuring the Virtual Private Network
Supporting RIPv2 and OSPF through the tunnel
The security policy automatically created by crypto ezipsec specifies transform-sets for IPSec ESP using 3DES and AES encryption with SHA-1 and MD5 integrity algorithms. Also, IPSec SA lifetimes are set to 100 MBytes and 3600 seconds; whichever value is reached first will cause a rekey.
EZ-IPSec configuration comprises two components:
- Enabling EZ-IPSec security policies and attaching them to a network interface using crypto ezipsec, configured on any interface other than FastEthernet/GigabitEthernet 1
- Defining a virtual interface (VPN) in point-to-point mode which initiates a tunnel to a gateway XSR
EZ-IPSec Configuration
The commands below are used to configure a VPN interface on the XSR. The set protocol ipsec command is needed to select one of the following modes:
- Client Mode. The virtual interface (interface vpn #) is assigned an address using Mode Config, and an IPSec security policy rule is inserted into the external interface's SPD securing traffic to and from that address. NAPT is enabled on the VPN interface.
- Network Extension Mode. Same as Client Mode except that NAPT is disabled on the VPN interface and two crypto map entries are added to the external interface's SPD. One rule secures traffic to the virtual interface's assigned address and the other secures traffic to the trusted network interface, which is assumed to be FastEthernet 1.
The commands below require manual configuration in conjunction with the crypto ezipsec command:
  interface vpn [1-255]
  ip address negotiated
  tunnel [Tunnel Name]
  set user [username | certificate]
  set peer [My Remote VPN Server Address]
  set protocol ipsec [client-mode | network-extension-mode]
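The following configuration fragment is an added illustration assembled from the commands listed above; it is not taken from the XSR User's Guide. The external interface name (FastEthernet 2), the tunnel name, the user name and the peer address (a documentation-range address) are placeholder values, and the lines beginning with "!" are annotations rather than XSR commands.

```text
! Added example: EZ-IPSec tunnel in Network Extension Mode (placeholder values)
! Step 1: enable the EZ-IPSec security policy on the external (untrusted)
! interface. This must not be FastEthernet/GigabitEthernet 1, which EZ-IPSec
! assumes is the trusted network interface.
interface FastEthernet 2
 crypto ezipsec
!
! Step 2: define the point-to-point VPN interface that initiates the tunnel
! to the gateway XSR. The address is obtained through Mode Config.
interface vpn 1
 ip address negotiated
 tunnel Branch-to-HQ
 set user branch01
 set peer 203.0.113.10
 set protocol ipsec network-extension-mode
```

With network-extension-mode selected, NAPT stays disabled on vpn 1 and two SPD entries are created on FastEthernet 2: one for the negotiated address of vpn 1 and one for the network behind FastEthernet 1. Choosing client-mode instead would enable NAPT on vpn 1 and create only the single rule for the negotiated address, so hosts behind the XSR would appear to the gateway as that one address.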
For example, configure the following Network Extension Mode tunnel: