Table of Contents
Advertisement
•
Main mode
•
Triple DES
•
SHA-1
•
MODP group 2 (1024 bits)
•
Pre-shared secret of "hr5xb84l6aa9r6"
•
SA lifetime of 28800 seconds (eight hours) with no Kbytes rekeying
The IKE Phase 2 parameters used in Scenario 1 are:
•
Triple DES
•
SHA-1
•
ESP tunnel mode
•
MODP group 2 (1024 bits)
•
Perfect forward secrecy for rekeying
•
SA lifetime of 3600 seconds (one hour) with no Kbytes rekeying
•
Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4
subnets
This configuration assumes you have already set up the XSR for basic operations (refer to the XSR
Getting Started Guide). Also, you should have generated a master key (see the XSR User Guide). To
set up Gateway A for this scenario, perform the following steps on the CLI:
1.
Configure the Gateway A internal LAN network (AL):
XSR(config)#interface FastEthernet1
XSR(config-if<F1>)#no shutdown
XSR(config-if<F1>)#ip address 10.5.6.1 255.255.255.0
2.
Configure the Gateway A external LAN network (AW):
XSR(config)#interface FastEthernet2
XSR(config-if<F1>)#no shutdown
XSR(config-if<F1>)#ip address 14.15.16.17 255.255.255.0
3.
Configure a simple, wide-open access list to permit all traffic from the source to the
destination network:
XSR(config)#access-list 101 permit ip 10.5.6.0 0.0.0.255 172.23.9.0 0.0.0.255
4.
Configure a default route:
XSR(config)#ip route 0.0.0.0 0.0.0.0 14.15.16.1
5.
Configure IKE Phase 1 policy:
XSR(config)#crypto isakmp proposal Safe
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#encryption 3des
XSR(config-isakmp)#hash sha
XSR(config-isakmp)#group 2
XSR(config-isakmp)#lifetime 28800
6.
Configure IKE policy Safe for the Gateway B remote peer. Optionally, multiple IKE proposals
can be configured on each peer participating in IPSec.
XSR(config)#crypto isakmp peer 22.23.24.25 255.255.255.255
XSR(config-isakmp-peer)#proposal Safe
Interoperability Profile for the XSR
XSR User's Guide 14-47
Advertisement
Table of Contents
Troubleshooting
