User's guide

288 XSR Users Guide
Interoperability Profile for the XSR Chapter 11
Configuring the Virtual Private Network
6 Configure IKE policy Safe for the Gateway B remote peer. Optionally,
multiple IKE proposals can be configured on each peer participating in
IPSec.
XSR(config)#crypto isakmp peer 22.23.24.25 255.255.255.255
XSR(config-isakmp-peer)#proposal Safe
XSR(config-isakmp-peer)#config-mode gateway
XSR(config-isakmp-peer)#exchange-mode main
7 Configure IKE Phase 2 settings by creating the transform-set Secure:
XSR(config)#crypto ipsec transform-set Secure esp-3des esp-sha1-hmac
XSR(cfg-crypto-tran)#set pfs group2
XSR(cfg-crypto-tran)#set security-association lifetime seconds 3600
8 Configure the crypto map Highflow which correlates with transform-set
Secure and access list 101, and attach the map to the remote peer.
XSR(config)#crypto map Highflow 1
XSR(config-crypto-m)#set transform-set Secure
XSR(config-crypto-m)#match address 101
XSR(config-crypto-m)#set peer 22.23.24.25
9 Attach the crypto map Highflow to the Gateway A external interface (AW):
XSR(config)#interface FastEthernet2
XSR(config-if<F2>)#crypto map Highflow
XSR(config-if<F2>)#no shutdown
10 Configure the pre-shared key. The username is the IP address of the peer
and the password is the pre-shared key.
XSR(config)#aaa user 22.23.24.25
XSR(aaa-user)#password hr5xb84l6aa9r6
11 Test the connection by pinging a PC on the 172.23.9.0 network from the
10.5.6.0 network. Alternately, pinging the PC from Gateway A, if
successful, will produce the output shown below. Be aware that for a ping
to traverse the tunnel, you must configure an ACL with the host source
and host destination IP addresses.
XSR#ping 172.23.9.5
Type escape sequence to abort
Reply from 172.23.9.5: 20ms
Reply from 172.23.9.5: 10ms
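
Steps 6 to 10 only produce a working tunnel if their names line up: the crypto map must name a defined transform-set, its peer needs both an IKE peer entry and an aaa user carrying the pre-shared key, and the map must be attached to an interface. The Python below is an added example, not part of the XSR guide or its software; the function names parse and check are hypothetical, and it assumes the pasted session uses the XSR(mode)# prompts shown above.

```python
import re

# Reference-bearing lines from steps 6-10 above; other sub-commands omitted.
SESSION = """\
XSR(config)#crypto isakmp peer 22.23.24.25 255.255.255.255
XSR(config-isakmp-peer)#proposal Safe
XSR(config)#crypto ipsec transform-set Secure esp-3des esp-sha1-hmac
XSR(config)#crypto map Highflow 1
XSR(config-crypto-m)#set transform-set Secure
XSR(config-crypto-m)#set peer 22.23.24.25
XSR(config)#interface FastEthernet2
XSR(config-if<F2>)#crypto map Highflow
XSR(config)#aaa user 22.23.24.25
XSR(aaa-user)#password hr5xb84l6aa9r6
"""

def parse(session):
    """Group each sub-mode command under the global command that opened it."""
    blocks = []
    for mode, cmd in re.findall(r"^XSR\(([^)]*)\)#[ \t]*(\S.*)$", session, re.M):
        toks = cmd.split() + [""] * 3  # pad so short commands index safely
        if mode == "config":
            blocks.append((toks, []))
        elif blocks:
            blocks[-1][1].append(toks)
    return blocks

def check(session):
    """List crypto-map references that no other step of the procedure satisfies."""
    blocks = parse(session)
    tsets = {h[3] for h, _ in blocks if h[:3] == ["crypto", "ipsec", "transform-set"]}
    ike = {h[3] for h, _ in blocks if h[:3] == ["crypto", "isakmp", "peer"]}
    psk = {h[2] for h, sub in blocks
           if h[:2] == ["aaa", "user"] and any(s[0] == "password" for s in sub)}
    bound = {s[2] for h, sub in blocks if h[0] == "interface"
             for s in sub if s[:2] == ["crypto", "map"]}
    issues = []
    maps = [(h[2], sub) for h, sub in blocks if h[:2] == ["crypto", "map"]]
    for name, sub in maps:
        for s in sub:
            if s[:2] == ["set", "transform-set"] and s[2] not in tsets:
                issues.append(f"{name}: transform-set {s[2]} undefined")
            if s[:2] == ["set", "peer"] and s[2] not in ike:
                issues.append(f"{name}: no IKE peer entry for {s[2]}")
            if s[:2] == ["set", "peer"] and s[2] not in psk:
                issues.append(f"{name}: no pre-shared key for {s[2]}")
        if name not in bound:
            issues.append(f"{name}: not attached to an interface")
    return issues
```

Calling check(SESSION) on the commands as given returns an empty list; a mistyped name or a skipped step shows up as one line per dangling reference.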