Command Reference Guide
SROS Command Line Interface Reference Guide Global Configuration Mode Command Set
5991-2114 © Copyright 2005 Hewlett-Packard Development Company, L.P. 224
This example assumes that the Secure Router OS product has been configured with a WAN IP Address of
63.97.45.57 on interface ppp 1 and a LAN IP Address of 10.10.10.254 on interface ethernet 0/1. The Peer
Private IP Subnet is 10.10.20.0.
For more detailed information on VPN configuration, refer to the VPN Configuration Guide located on the
Secure Router OS Documentation CD provided with your unit.
Step 1:
Enter the Global configuration mode (i.e., config terminal mode).
>enable
#configure terminal
Step 2:
Enable VPN support using the ip crypto command. This command allows crypto maps to be applied to
interfaces, and enables the IKE server to listen for IKE negotiation sessions on UDP port 500.
(config)#ip crypto
Step 3:
Set the local ID. During IKE negotiation, local-ids are exchanged between the local device and the peer
device. In the Secure Router OS, the default setting for all local-ids is configured by the crypto ike
local-id command. The default setting is for all local-ids to be the IPv4 address of the interface over which
the IKE negotiation is occurring. In the future, a unique system-wide Hostname or Fully Qualified Domain
Name could be used for all IKE negotiation.
(config)#crypto ike local-id address
Step 4:
Create IKE policy. In order to use IKE negotiation, an IKE policy must be created. Within the system, a list
of IKE policies is maintained. Each IKE policy is given a priority number in the system. That priority
number defines the position of that IKE policy within the system list. When IKE negotiation is needed, the
system searches through the list, starting with the policy with priority of 1, looking for a match to the peer IP
address.
An individual IKE policy can override the system local-id setting by having the local-id command specified
in the IKE policy definition. This command in the IKE policy is used to specify the type of local-id and the
local-id data. The type can be of IPv4 address, Fully Qualified Domain Name, or User-Specified Fully
Qualified Domain Name.
An IKE policy may specify one or more peer IP addresses that will be allowed to connect to this system. To
specify multiple unique peer IP addresses, the peer A.B.C.D command is used multiple times within a
single IKE policy. To specify that all possible peers can use a default IKE policy, the peer any command is
given instead of the peer A.B.C.D command inside of the IKE policy. The policy with the peer any
command specified will match to any peer IP address (and therefore should be given the highest numerical
priority number). This will make the policy the last one to be compared against during IKE negotiation.
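The following Python model is an added illustration of the policy lookup that Step 4 describes; it is not SROS code and does not run on the router. It keeps the IKE policy list sorted by priority number, searches from priority 1 upward for the first policy whose peer list contains the peer's address or "any", and applies the policy-level local-id override when one is present. The peer addresses, priority numbers and local-id values are constructed for the example, and the local-id type labels ("address", "fqdn", "user-fqdn") are illustrative names for the three kinds the guide lists, not SROS keywords. The shadowed_priorities check shows why the guide says the "peer any" policy should carry the highest number: placed earlier, it silently prevents every policy behind it from ever matching.

```python
# Model of the SROS IKE policy list lookup described in Step 4 (added
# illustration, not SROS code). Peers, priorities and local-id values are
# constructed sample data; local-id type names are illustrative labels.
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Optional, Tuple

# A local-id is a (type, data) pair covering the three kinds the guide lists:
# IPv4 address, Fully Qualified Domain Name, User-Specified FQDN.
LocalId = Tuple[str, Optional[str]]
# 'crypto ike local-id address': use the IPv4 of the negotiating interface.
SYSTEM_DEFAULT_LOCAL_ID: LocalId = ("address", None)


@dataclass
class IkePolicy:
    priority: int                        # position in the system list; 1 is searched first
    peers: List[str]                     # dotted IPv4 strings, or "any" for the catch-all
    local_id: Optional[LocalId] = None   # None: inherit the system-wide setting


@dataclass
class IkeConfig:
    system_local_id: LocalId = SYSTEM_DEFAULT_LOCAL_ID
    policies: List[IkePolicy] = field(default_factory=list)

    def add_policy(self, policy: IkePolicy) -> None:
        """Insert a policy; priority numbers must be unique within the system list."""
        if any(p.priority == policy.priority for p in self.policies):
            raise ValueError(f"priority {policy.priority} already in use")
        self.policies.append(policy)
        self.policies.sort(key=lambda p: p.priority)   # keep list in search order

    def match(self, peer_ip: str) -> Optional[IkePolicy]:
        """First policy, in ascending priority order, whose peer list covers peer_ip."""
        peer = ip_address(peer_ip)
        for policy in self.policies:
            for entry in policy.peers:
                if entry == "any" or ip_address(entry) == peer:
                    return policy
        return None

    def effective_local_id(self, policy: IkePolicy) -> LocalId:
        """A local-id inside the policy overrides the system-wide setting."""
        return policy.local_id if policy.local_id is not None else self.system_local_id


def shadowed_priorities(cfg: IkeConfig) -> List[int]:
    """Priorities that can never be selected because a 'peer any' policy with a
    lower priority number sits before them in the search order."""
    seen_any = False
    shadowed: List[int] = []
    for policy in cfg.policies:
        if seen_any:
            shadowed.append(policy.priority)
        if "any" in policy.peers:
            seen_any = True
    return shadowed


def build_good_config() -> IkeConfig:
    """Specific peers first, catch-all last with the highest number, as advised."""
    cfg = IkeConfig()
    cfg.add_policy(IkePolicy(10, ["192.0.2.10"], local_id=("fqdn", "vpn-gw.example.test")))
    cfg.add_policy(IkePolicy(20, ["192.0.2.20", "192.0.2.21"]))
    cfg.add_policy(IkePolicy(100, ["any"]))
    return cfg


def build_bad_config() -> IkeConfig:
    """Catch-all given a low number: every policy after it is unreachable."""
    cfg = IkeConfig()
    cfg.add_policy(IkePolicy(5, ["any"]))
    cfg.add_policy(IkePolicy(10, ["192.0.2.10"], local_id=("fqdn", "vpn-gw.example.test")))
    return cfg


if __name__ == "__main__":
    good, bad = build_good_config(), build_bad_config()
    print("good: 192.0.2.21 ->", good.match("192.0.2.21").priority,
          "| 198.51.100.7 ->", good.match("198.51.100.7").priority)
    print("bad: shadowed =", shadowed_priorities(bad),
          "| 192.0.2.10 ->", bad.match("192.0.2.10").priority)
```

Run the module directly to see both lookups; the "bad" configuration selects the catch-all (priority 5) for a peer that has its own policy at priority 10, which is exactly the misordering the guide warns against.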