Cisco CRS-1 - Carrier Routing System Router Configuration Manual page 153

Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software
!
isakmp authorization list author-net-local
!
crypto ipsec transform-set tsfm3
!
crypto ipsec profile ipsec-prof-ezvpn
Cisco Easy VPN is supported only on the Cisco XR 12000 Series Router.
Note
Configuring Cisco Easy VPN with a Remote AAA-Method Server: Example
On the remote AAA server, system administrators configures two lists, one for authentication and
another for authorization.
Also required are the location of the remote AAA server and the administrator login password needed
for access.
List names, as defined in the remote AAA-method server, must be added to the crypto ISAKMP profile.
In all other respects, configuration for a remote AAA-method server is the same as for a local
AAA-method server. (See also
Example, page
aaa group server radius free_radius
server-private 8.0.0.5 auth-port 1812 acct-port 1813
key 7 094F471A1A0A
!
!
aaa authorization network banana group free_radius
aaa authentication login banana group free_radius
local pool
ipv4 localpool1000 17.1.1.1 17.1.1.250
!
ipv4 access-list remote_list
10 permit ipv4 any any
!
interface GigabitEthernet0/0/0/CPU0:router(config-isakmp)#1
ipv4 address 2.0.0.2 255.255.255.0
!
interface GigabitEthernet0/0/0/2
ipv4 address 8.0.0.2 255.255.255.0
!
interface service-ipsec1000
ipv4 address 50.0.0.1 255.255.255.0
profile vrf1000-prof-ipsec
tunnel source 20.0.1.1
service-location preferred-active 0/0/1
!
crypto isakmp
crypto isakmp policy 10
authentication pre-share
group 2
encryption 3des
lifetime 100
!
crypto isakmp profile vrf1000-ra
aaa attribute-priority authorization
OL-20382-01
transform esp-3des esp-sha-hmac
set type dynamic
match acl-3 transform-set tsfm3
reverse-route
146.)
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
Configuration Examples for Implementing IKE Security Protocol
Configuring Cisco Easy VPN with a Local AAA-Method Server:
SC-147