XSR User's Guide (page 290)
Chapter 11: Interoperability Profile for the XSR
Configuring the Virtual Private Network
Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway
B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN
interface address, 172.23.9.1, can be used for testing IPsec but is not needed
for configuring Gateway A.
The IKE Phase 1 parameters used in Scenario 2 are:
Main mode
Triple DES
SHA-1
MODP group 2 (1024 bits)
SA lifetime of 28800 seconds (eight hours) with no Kbytes rekeying
The IKE Phase 2 parameters used in Scenario 2 are:
Triple DES
SHA-1
ESP tunnel mode
MODP group 2 (1024 bits)
Perfect forward secrecy for rekeying
SA lifetime of 3600 seconds (one hour) with no Kbytes rekeying
Selectors for all IP protocols, all ports, between 10.5.6.0/24 and
172.23.9.0/24, using IPv4 subnets
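The Phase 1 and Phase 2 parameter lists above only produce a working tunnel when both gateways agree on every attribute and when the traffic selectors on each side mirror one another. The following Python script is an added example, not code from the XSR guide or from Enterasys: it models the two proposals with the Scenario 2 values from this page, reports which attributes would cause a negotiation to fail, checks whether a given packet falls inside the selectors, and flags the algorithm choices that no longer meet current guidance. The data classes, function names and the "peer" objects are assumptions made for illustration; the XSR itself does not expose such an API.

```python
"""Added example (not from the XSR guide): model the IKE Phase 1 / Phase 2
proposal match and the traffic-selector check for Scenario 2."""
import ipaddress
from dataclasses import dataclass, fields, replace
from typing import List, Optional


@dataclass(frozen=True)
class Phase1Proposal:
    mode: str            # "main" or "aggressive"
    encryption: str      # e.g. "3des"
    hash: str            # e.g. "sha1"
    dh_group: int        # MODP group number (2 = 1024-bit)
    auth: str            # "psk" or "rsa-sig"
    lifetime_s: int      # SA lifetime in seconds


@dataclass(frozen=True)
class Phase2Proposal:
    protocol: str        # "esp" or "ah"
    mode: str            # "tunnel" or "transport"
    encryption: str
    auth_hash: str
    pfs_group: Optional[int]   # None means no perfect forward secrecy
    lifetime_s: int
    local_net: str       # selector: protected subnet on this side (CIDR)
    remote_net: str      # selector: protected subnet behind the peer (CIDR)


# Gateway A's Scenario 2 parameters, taken from the guide (the objects themselves
# are constructed for this example).
GATEWAY_A_P1 = Phase1Proposal("main", "3des", "sha1", 2, "rsa-sig", 28800)
GATEWAY_A_P2 = Phase2Proposal("esp", "tunnel", "3des", "sha1", 2, 3600,
                              "10.5.6.0/24", "172.23.9.0/24")


def mismatches(local, peer) -> List[str]:
    """Return the names of the attributes on which two proposals disagree.
    A negotiation only succeeds when this list is empty. Lifetime handling is
    implementation-specific; strict equality is assumed here."""
    return [f.name for f in fields(local)
            if getattr(local, f.name) != getattr(peer, f.name)]


def mirror(p2: Phase2Proposal) -> Phase2Proposal:
    """The peer's view of the same Phase 2 policy: the selectors are swapped.
    Compare a local policy against mirror(peer_policy), not the raw peer policy."""
    return replace(p2, local_net=p2.remote_net, remote_net=p2.local_net)


def selector_covers(p2: Phase2Proposal, src_ip: str, dst_ip: str) -> bool:
    """True if an outbound packet src -> dst falls inside the policy selectors.
    Scenario 2 uses 'all protocols, all ports', so only addresses are checked."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    return (src in ipaddress.ip_network(p2.local_net)
            and dst in ipaddress.ip_network(p2.remote_net))


def weak_algorithms(p1: Phase1Proposal) -> List[str]:
    """Flag Phase 1 choices below current guidance: 3DES is deprecated and a
    1024-bit MODP group gives less than 112-bit security."""
    warnings = []
    if p1.encryption == "3des":
        warnings.append("3des")
    if p1.dh_group in (1, 2):
        warnings.append("modp-group-%d" % p1.dh_group)
    return warnings


if __name__ == "__main__":
    # A peer still configured for Scenario 1 (pre-shared keys) fails Phase 1.
    peer_p1 = replace(GATEWAY_A_P1, auth="psk")
    print("Phase 1 mismatches:", mismatches(GATEWAY_A_P1, peer_p1))
    # Gateway B's policy, as B would configure it, mirrored into A's frame.
    gateway_b_p2 = mirror(GATEWAY_A_P2)
    print("Phase 2 mismatches:", mismatches(GATEWAY_A_P2, mirror(gateway_b_p2)))
    print("Packet covered:", selector_covers(GATEWAY_A_P2, "10.5.6.20", "172.23.9.7"))
    print("Weak choices:", weak_algorithms(GATEWAY_A_P1))
```

The mismatch list is the first thing to look at when Phase 1 fails after switching Scenario 1 to Scenario 2: a peer left on pre-shared keys shows up as an `auth` mismatch, which is the single attribute this scenario changes. The `mirror` step reflects the fact that Gateway B's selectors are the reverse of Gateway A's; comparing the two raw policies would wrongly report the selectors as a mismatch.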
This configuration assumes you have already set up the XSR for basic
operations (refer to the XSR Getting Started Guide). Also, you should have
generated a master key (see the XSR User Guide). To set up Gateway A for this
scenario, perform the same steps as you would perform in Scenario 1, with
one exception.
In Step 5, for authentication, select RSA signatures as follows:
XSR(config-isakmp)#authentication rsa-sig
After completing all 11 steps to configure the VPN, obtain a Root CA and
personal certificate for this scenario by performing the following steps:
1. Begin by asking your CA administrator for your CA name and URL. The
CA's URL defines its IP address, path and default port (80). You can
resolve the CA server address manually by pinging its IP address.