278 XSR User’s Guide
Configuration Examples Chapter 11
Configuring the Virtual Private Network
Begin by setting the XSR system time via SNTP. This configuration is critical for XSRs that use time-sensitive certificates, because certificate validity periods are checked against the system clock.
XSR(config)#sntp-client server 10.120.84.3
XSR(config)#sntp-client poll-interval 60
Add ACL 130 to permit the VPN control and tunnel traffic (IKE on UDP 500, GRE, established TCP sessions and PPTP on TCP 1723) and to deny all other IP traffic:
XSR(config)#access-list 130 permit udp any any eq 500
XSR(config)#access-list 130 permit gre any any
XSR(config)#access-list 130 permit tcp any any est
XSR(config)#access-list 130 permit tcp any any eq 1723
XSR(config)#access-list 130 deny ip any any
Add ACLs for the IP local pool (EZ-IPSec), the Network Extension addresses and L2TP (UDP 1701):
XSR(config)#access-list 110 permit ip any 10.120.70.0 0.0.0.255
XSR(config)#access-list 120 permit udp any any eq 1701
XSR(config)#access-list 140 permit ip any 172.16.1.0 0.0.0.255
XSR(config)#access-list 150 permit ip any 192.168.111.0 0.0.0.255
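The access lists above are evaluated top to bottom, first match wins, with wildcard masks in which a 1 bit means "don't care" (so 10.120.70.0 0.0.0.255 covers the whole /24) and an implicit deny after the last entry. The following Python script, added here as a worked example and not part of the XSR guide or product, parses the lines exactly as listed and evaluates constructed sample packets against them, so each list can be checked before it is applied. The Packet fields, the sample addresses and the treatment of `est` as "TCP segment with ACK or RST set" are this example's assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: the access-list lines from the guide as they would sit in
# the running configuration (prompt stripped).
ACL_CONFIG = """
access-list 130 permit udp any any eq 500
access-list 130 permit gre any any
access-list 130 permit tcp any any est
access-list 130 permit tcp any any eq 1723
access-list 130 deny ip any any
access-list 110 permit ip any 10.120.70.0 0.0.0.255
access-list 120 permit udp any any eq 1701
access-list 140 permit ip any 172.16.1.0 0.0.0.255
access-list 150 permit ip any 192.168.111.0 0.0.0.255
"""

@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol
    src_net: int
    src_wild: int          # wildcard mask: 1 bits are "don't care"
    dst_net: int
    dst_wild: int
    dport: Optional[int]   # "eq <port>" on the destination, if present
    established: bool      # "est": TCP segments with ACK or RST set

@dataclass
class Packet:              # assumed packet model for this example
    proto: str             # "tcp", "udp", "gre", ...
    src: str
    dst: str
    dport: Optional[int] = None
    established: bool = False   # stands in for the ACK/RST flags

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _parse_addr(t: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' or 'ADDRESS WILDCARD' at t[i]; return (net, wild, next index)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    return _ip(t[i]), _ip(t[i + 1]), i + 2

def parse_acls(text: str) -> Dict[int, List[Entry]]:
    """Group entries by list number, preserving order (order decides matching)."""
    acls: Dict[int, List[Entry]] = {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        num, action, proto = int(t[1]), t[2].lower(), t[3].lower()
        src_net, src_wild, i = _parse_addr(t, 4)
        dst_net, dst_wild, i = _parse_addr(t, i)
        dport, est = None, False
        while i < len(t):
            if t[i] == "eq":
                dport, i = int(t[i + 1]), i + 2
            elif t[i] in ("est", "established"):
                est, i = True, i + 1
            else:
                raise ValueError(f"unsupported token {t[i]!r} in: {line}")
        acls.setdefault(num, []).append(
            Entry(action, proto, src_net, src_wild, dst_net, dst_wild, dport, est))
    return acls

def _addr_match(addr: int, net: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF          # bits the entry actually compares
    return (addr & care) == (net & care)

def entry_matches(e: Entry, p: Packet) -> bool:
    return ((e.proto == "ip" or e.proto == p.proto)
            and _addr_match(_ip(p.src), e.src_net, e.src_wild)
            and _addr_match(_ip(p.dst), e.dst_net, e.dst_wild)
            and (e.dport is None or p.dport == e.dport)
            and (not e.established or p.established))

def evaluate(entries: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """First match wins; a packet matching no entry hits the implicit deny (index None)."""
    for idx, e in enumerate(entries):
        if entry_matches(e, p):
            return e.action, idx
    return "deny", None

ACLS = parse_acls(ACL_CONFIG)

if __name__ == "__main__":
    peer, xsr = "198.51.100.7", "10.120.84.1"   # constructed addresses
    for num, pkt in [
        (130, Packet("udp", peer, xsr, 500)),
        (130, Packet("udp", peer, xsr, 4500)),
        (130, Packet("gre", peer, xsr)),
        (130, Packet("tcp", peer, xsr, 80, established=True)),
        (110, Packet("tcp", xsr, "10.120.70.25", 445)),
        (110, Packet("tcp", xsr, "10.120.71.25", 445)),
    ]:
        action, idx = evaluate(ACLS[num], pkt)
        print(f"acl {num}: {pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport} "
              f"-> {action} ({'entry %d' % idx if idx is not None else 'implicit deny'})")
```

Running the script shows the two different ways a packet is dropped: list 130 ends in an explicit `deny ip any any` (entry 4), while lists 110 through 150 rely on the implicit deny that follows their single permit. It also makes visible that, with list 130 exactly as listed, IKE NAT-traversal traffic on UDP 4500 falls through to the explicit deny; whether that matters depends on where the list is applied and whether peers sit behind NAT, so confirm it on the XSR itself when `nat-traversal automatic` is in use.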
Define IKE Phase I security parameters with the following two policies:
XSR(config)#crypto isakmp proposal xp-soho
XSR(config-isakmp)#hash md5
XSR(config-isakmp)#lifetime 50000
XSR(config)#crypto isakmp proposal p2p
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#lifetime 50000
Configure IKE policy for the remote peer:
XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0
XSR(config-isakmp-peer)#proposal xp-soho p2p
XSR(config-isakmp-peer)#config-mode gateway
XSR(config-isakmp-peer)#nat-traversal automatic
Configure the following four IPSec SAs:
XSR(config)#crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
XSR(cfg-crypto-tran)#no set security-association lifetime kilobytes
XSR(config)#crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac