XSR User's Guide
Chapter 11: Configuring the Virtual Private Network
Configuring the VPN Using EZ-IPSec
XSR(config)#interface vpn 1 point-to-point
+ Sets VPN interface 1 to initiate a tunnel connection and acquires VPN interface
mode. You must always set a Point-to-Point tunnel at the remote site and a
Point-to-Multipoint tunnel at the central site
XSR(config-int-vpn)#ip address negotiated
+ Asks for dynamic virtual IP address assignment of this VPN interface by its peer
XSR(config-int-vpn)#tunnel Corporate
+ Names the site-to-site tunnel Corporate
XSR(config-tms-tunnel)#set user My_Remote_site
+ Indicates a pre-shared key is being used. You must add an EZ-IPSec tunnel using
the password of this user in the AAA database
XSR(config-tms-tunnel)#set peer 200.10.20.30
+ Specifies the IP address of the remote peer
XSR(config-tms-tunnel)#set protocol ipsec network-extension-mode
+ Selects IPSec to initiate a NEM tunnel connection
NOTE
Pre-shared key proposals are used if a user name is supplied with a
tunnel. If no user name is supplied, EZ-IPSec verifies the XSR has one or
more valid certificates and it uses RSA signature authentication.
Most of the parameters shown below have been automatically entered by
EZ-IPSec. Be aware that they do not appear in the running-config file.
crypto isakmp peer 200.10.20.30/32
 proposal ez-ike-3des-sha-psk ez-ike-3des-md5-psk
 config-mode client
 exchange-mode aggressive
 nat-traversal automatic
crypto map ez-ipsec 100
 match address 100
 set peer 200.10.20.30
 mode tunnel
 set transform-set ez-esp-3des-sha-pfs ez-esp-3des-md5-pfs
 set transform-set ez-esp-aes-sha-pfs ez-esp-aes-md5-pfs
 set transform-set ez-esp-3des-sha-no-pfs ez-esp-3des-md5-no-pfs
 set transform-set ez-esp-aes-sha-no-pfs ez-esp-aes-md5-no-pfs
crypto map ez-ipsec 101
 match address 101
 set peer 200.10.20.30
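Because the EZ-IPSec-generated parameters do not appear in the running-config file, the proposals the XSR will offer are easy to overlook in a review. The following audit sketch is an added example, not part of the XSR guide or software: it takes the generated lines as text and lists every offered proposal or transform-set that relies on MD5, 3DES or no PFS, plus aggressive mode combined with a pre-shared key. The function names and the rule that algorithms can be read from the hyphen-separated tokens of each name are assumptions made for this example.

```python
# Constructed input: the EZ-IPSec-generated lines from this page, re-typed.
SAMPLE = """\
crypto isakmp peer 200.10.20.30/32
 proposal ez-ike-3des-sha-psk ez-ike-3des-md5-psk
 config-mode client
 exchange-mode aggressive
 nat-traversal automatic
crypto map ez-ipsec 100
 match address 100
 set peer 200.10.20.30
 mode tunnel
 set transform-set ez-esp-3des-sha-pfs ez-esp-3des-md5-pfs
 set transform-set ez-esp-aes-sha-pfs ez-esp-aes-md5-pfs
 set transform-set ez-esp-3des-sha-no-pfs ez-esp-3des-md5-no-pfs
 set transform-set ez-esp-aes-sha-no-pfs ez-esp-aes-md5-no-pfs
"""

# Assumption: each name encodes its algorithms as hyphen-separated tokens.
WEAK_TOKENS = {"md5": "MD5 integrity", "3des": "3DES encryption"}

def parse_sections(config):
    """Group sub-commands under the 'crypto ...' line that opens each section."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("crypto "):
            current = line
            sections[current] = []
        elif line and current:
            sections[current].append(line)
    return sections

def audit(config):
    """Return (section, item, finding) tuples for weak negotiated settings."""
    findings = []
    for header, lines in parse_sections(config).items():
        names = []
        for line in lines:
            for kw in ("proposal ", "set transform-set "):
                if line.startswith(kw):
                    names += line[len(kw):].split()
        for name in names:
            findings += [(header, name, why) for t, why in WEAK_TOKENS.items() if t in name.split("-")]
            if name.endswith("-no-pfs"):
                findings.append((header, name, "no perfect forward secrecy"))
        # Aggressive mode with a PSK exposes a PSK-derived hash to offline guessing.
        if "exchange-mode aggressive" in lines and any(n.endswith("-psk") for n in names):
            findings.append((header, "exchange-mode aggressive", "aggressive mode with pre-shared key"))
    return findings
```

Only ez-esp-aes-sha-pfs passes without a finding in the listing above, which makes it the reference point when checking what the central-site peer accepts.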