Configure Peer Properties; Configure Parameters For Control Traffic Using Isakmp Policy - Motorola WS5100 Series Migration Guide

11-4 WS5100 Series Switch Migration Guide
Apply Crypto Map Sets to Interfaces
Monitor and Maintain IPSec
Network Address Translation in IPSec
The following additional configurations are required to configure a remote VPN:
• Configure on-board or external DHCP and provide a public IP address to remote VPN clients when a static IP
is not being used.
• For the authentication data source, specify whether to use RADIUS or legacy authentication. If legacy
authentication is specified, then configure a local user/password on the switch.
• Configure IP address pools for remote VPN (optional).
Refer to Configuring for Remote VPN Client for more details.

11.3.1 Configure Peer Properties

Different peers require different authentication, encryption and security algorithms. Hence, the WS5100 Series
Wireless Switch supports a per-peer configuration model.
The following configuration process helps you specify how a peer is authenticated.
1. Use the IP address of the remote peer you are connecting to. In the case of remote VPN, where the IP address is not
known in advance, use 0.0.0.0 as wildcard.
2. Use shared secret/certificates for IKE Phase-1 device authentication.
3. Use an identity to recognize the remote peer. The identity can either be an IP address that is present in the IP
header source address field or it can be embedded in the certificate.
If a certificate is used for authentication, then IP header is present in the server certificate.
If it is not possible to use an IP address (in a scenario where the remote peer IP address is dynamic), then it is
best to use the DN as the identity for the remote peer. This field is present in the Subject field of the
certificate.
4. For example, to create a tunnel to a remote peer 10.1.1.103 using pre-shared key, use
WS5100(config)# crypto isakmp key 12345678 address 10.1.1.103
5. In the case of remote VPN, a special IP address of 0.0.0.0 is used to specify that all remote peers share
the same secret key.
WS5100(config)# crypto isakmp key 12345678 address 0.0.0.0

11.3.2 Configure Parameters for Control Traffic using ISAKMP Policy

As already stated, IKE automatically negotiates IPSec SAs and enables IPSec secure communications without
costly manual pre-configuration.
Specifically, IKE provides these benefits:
• Eliminates the need to manually specify all the IPSec security parameters in the crypto maps at both
peers.
• Allows you to specify a lifetime for the IKE security association.
• Allows encryption keys to change during IPSec sessions.
• Permits Certification Authority (CA) support for a manageable, scalable IPSec implementation.
• Allows dynamic authentication of peers.
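
The pre-shared key commands from section 11.3.1 can be reviewed offline before a migration. The following is an added example, not part of the Motorola guide: a Python check that parses "crypto isakmp key ... address ..." lines from a saved configuration and reports wildcard (0.0.0.0) entries, short or single-class keys, and keys reused across peers. The sample configuration, the function names and the 16-character threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample config using the command syntax shown in section 11.3.1.
SAMPLE_CONFIG = """\
WS5100(config)# crypto isakmp key 12345678 address 10.1.1.103
WS5100(config)# crypto isakmp key 12345678 address 0.0.0.0
crypto isakmp key Vq7#mX2pL9sT4wRz8Kd1 address 10.1.1.104
"""

KEY_LINE = re.compile(
    r"crypto\s+isakmp\s+key\s+(\S+)\s+address\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")
MIN_LENGTH = 16  # assumed local policy threshold, not a WS5100 limit


def parse_psk_entries(config_text):
    """Return (key, address) pairs from 'crypto isakmp key ... address ...' lines."""
    entries = []
    for line in config_text.splitlines():
        match = KEY_LINE.search(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def audit_psk_entries(entries):
    """Return sorted (address, finding) tuples; keys are never echoed."""
    findings = set()
    peers_by_key = defaultdict(set)
    for key, address in entries:
        peers_by_key[key].add(address)
        if address == "0.0.0.0":
            findings.add((address, "wildcard: all remote peers share this key"))
        if len(key) < MIN_LENGTH:
            findings.add((address, "short key"))
        if key.isdigit() or key.isalpha():
            findings.add((address, "single character class"))
    # A key configured for more than one address is shared between peers.
    for peers in peers_by_key.values():
        if len(peers) > 1:
            for address in peers:
                findings.add((address, "key reused across peers"))
    return sorted(findings)


if __name__ == "__main__":
    for address, finding in audit_psk_entries(parse_psk_entries(SAMPLE_CONFIG)):
        print(f"{address:15} {finding}")
```
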
