Ez-Ipsec Configuration - Enterasys Security Router X-Pedition User Manual

Enterasys security router user's guide

Configuring the VPN Using EZ-IPSec

EZ-IPSec is invoked using the crypto ezipsec command in Interface mode to create a set of standard IPSec policies, relieving you of the complex manual process. It enables dynamic routing over an IPSec tunnel:
- Via Client or Network Extension Mode
- Supporting RIPv2 and OSPF through the tunnel

The security policy automatically created by crypto ezipsec specifies transform-sets for IPSec ESP using 3DES and AES encryption with SHA-1 and MD5 integrity algorithms. Also, IPSec SA lifetimes are set to 100 MBytes and 3600 seconds - whichever value is reached first will cause a rekey.

EZ-IPSec configuration is comprised of two components:
- Enabling EZ-IPSec security policies and attaching them to a network interface using crypto ezipsec. That interface is one other than FastEthernet (XSR 1800 Series)/GigabitEthernet (XSR 3000 Series); those ports are used when Network Extension Mode is used.
- Defining a virtual interface (VPN) in point-to-point mode which initiates a tunnel to a gateway XSR.

EZ-IPSec Configuration

The commands below are used to configure a VPN interface on the XSR. The set protocol command is needed to select the following modes:
- Client Mode. The virtual interface (interface vpn #) is assigned an address using Mode Config, and an IPSec security policy rule is inserted into the external interface's SPD securing traffic to and from that address. NAPT is enabled on the VPN interface.
- Network Extension Mode. Same as Client Mode except NAPT is disabled on the VPN interface and two crypto map entries are added to the external interface's SPD. One rule secures traffic to the virtual interface's assigned address and the other secures traffic to the trusted network interface, which is assumed to be Fast/GigabitEthernet 1.

The commands below require manual configuration in conjunction with crypto ezipsec:

interface vpn [1-255]
ip address negotiated
tunnel [Tunnel Name]
set user [username | certificate]
set peer [My Remote VPN Server Address]
set protocol ipsec [client-mode | network-extension-mode]

For example, configure the following Network Extension Mode tunnel:

XSR(config)#interface vpn 1 point-to-point
    Sets VPN interface 1 to initiate a tunnel connection and acquires VPN interface mode. You must always set a Point-to-Point tunnel at the remote site and a Point-to-Multipoint tunnel at the central site.

XSR(config-int-vpn)#ip address negotiated
    Asks for dynamic virtual IP address assignment of this VPN interface by its peer.

XSR(config-int-vpn)#tunnel Corporate
    Names the site-to-site tunnel Corporate.

XSR(config-tms-tunnel)#set user My_Remote_site
    Indicates a pre-shared key is being used. You must add an EZ-IPSec tunnel using the password of this user in the AAA database.

XSR User's Guide 14-35
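To show how the two EZ-IPSec components fit together on the remote XSR, here is an added example (not taken from the manual) of a complete Network Extension Mode client configuration. The external interface name FastEthernet 2, its prompt string, and the gateway address 203.0.113.10 are assumptions; the AAA user entry is required but its syntax is not shown on this page.

```text
! Added example, not from the manual. Assumed values: FastEthernet 2 is the
! untrusted/WAN interface (FastEthernet 1 remains the trusted LAN), the
! central-site gateway address 203.0.113.10 is a placeholder, and the
! interface-mode prompt string is assumed.

! Component 1: attach the automatically generated EZ-IPSec policies to the
! external interface. Do not attach them to FastEthernet 1: in Network
! Extension Mode that port is the trusted network interface the second
! crypto map entry protects.
XSR(config)#interface FastEthernet 2
XSR(config-if<F2>)#crypto ezipsec
XSR(config-if<F2>)#exit

! Component 2: the point-to-point VPN interface that initiates the tunnel
! to the gateway XSR (the central site uses a point-to-multipoint tunnel).
XSR(config)#interface vpn 1 point-to-point
XSR(config-int-vpn)#ip address negotiated
XSR(config-int-vpn)#tunnel Corporate
XSR(config-tms-tunnel)#set user My_Remote_site
XSR(config-tms-tunnel)#set peer 203.0.113.10
XSR(config-tms-tunnel)#set protocol ipsec network-extension-mode

! Still required: the AAA database entry holding the pre-shared key for
! My_Remote_site, as described above (command syntax not shown on this page).
```

Once both components are in place, the policies created by crypto ezipsec (ESP with 3DES/AES and SHA-1/MD5, rekeying at 100 MBytes or 3600 seconds) apply to traffic on the external interface without any manual transform-set configuration.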