Apply Crypto Map Sets To Interfaces; Monitor And Maintain IPSec; Network Address Translation In IPSec - Motorola WS5100 Series Migration Guide

11-12 WS5100 Series Switch Migration Guide
4. Create an Extended ACL.
WS5100(config)#ip access-list extended 101
Configure the local subnet and the remote subnet to allow IPSec traffic between them.
WS5100(config-ext-nacl)# permit ip 10.1.1.0/24 any
WS5100(config-ext-nacl)# permit ip 192.168.0.0/24 any
5. Specify a dynamic crypto map. Use the keyword dynamic during crypto map entry. This indicates that this
crypto map is for remote VPN.
WS5100(config)# crypto map anurag 30 ipsec-isakmp dynamic
WS5100(config-crypto-map)# set peer 0.0.0.0
<note the special use of the wildcard address here>
WS5100(config-crypto-map)# match address 102
WS5100(config-crypto-map)# set transform-set esp3des
6. Specify the remote client type. There are two types of remote clients: pure IPSec VPN client and
Windows IPSec client.
• Pure IPSec VPN client — The remote-type should be set to xauth under the crypto map context. By
default, crypto maps are set to the xauth remote-type.
WS5100(config-crypto-map)#set remote-type xauth
• Windows IPSec Client — Supports the IPSec/L2TP protocol.
WS5100(config-crypto-map)#set remote-type ipsec-l2tp
NOTE: It is not possible to have both Windows XP and pure IPSec clients on the same
subnet. The work-around is to have these clients on different subnets.

11.3.8 Apply Crypto Map Sets to Interfaces

To activate a crypto map, apply it to an interface. This interface is typically the RON/
external/public interface of the switch. Applying the crypto map set to an interface instructs the switch to
evaluate all the interface's traffic against the crypto map set and to use the specified policy during
connection or security association negotiation on behalf of traffic to be protected by crypto.
If no crypto map is applied to an interface, then by default all traffic incoming and outgoing on that interface
is allowed. If a crypto map is applied and traffic does not match the ACL, the traffic is passed as
plaintext packets.
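Because traffic that matches no crypto map ACL leaves the interface in plaintext, a wrong `match address` reference silently disables protection. The following checker is an added example, not part of the Motorola guide or the WS5100 software: it parses a constructed configuration modelled on the CLI lines in steps 4 to 6 above and flags crypto map entries whose ACL is undefined, whose transform-set is missing, or whose dynamic entry lacks the wildcard peer.

```python
import re

# Constructed sample modelled on this section; 'match address' deliberately names an undefined ACL.
SAMPLE_CONFIG = """\
ip access-list extended 101
 permit ip 10.1.1.0/24 any
 permit ip 192.168.0.0/24 any
crypto map anurag 30 ipsec-isakmp dynamic
 set peer 0.0.0.0
 match address 102
 set transform-set esp3des
 set remote-type xauth
"""

def parse_config(text: str):
    """Return (set of ACL names, list of crypto map dicts) from a CLI dump."""
    acls, maps, current = set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip access-list extended (\S+)", line):
            acls.add(m.group(1))
            current = None
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp( dynamic)?", line):
            current = {"name": m.group(1), "seq": int(m.group(2)),
                       "dynamic": bool(m.group(3))}
            maps.append(current)
        elif current is not None:
            # Sub-commands belong to the crypto map entry opened above
            for key, pat in (("peer", r"set peer (\S+)"), ("acl", r"match address (\S+)"),
                             ("transform", r"set transform-set (\S+)"),
                             ("remote_type", r"set remote-type (\S+)")):
                if m := re.match(pat, line):
                    current[key] = m.group(1)
    return acls, maps

def check_crypto_maps(text: str) -> list[str]:
    """Flag map settings that would leave traffic unselected or the map unusable."""
    acls, maps = parse_config(text)
    findings = []
    for cm in maps:
        tag = f"crypto map {cm['name']} {cm['seq']}"
        acl = cm.get("acl")
        if acl not in acls:
            # Nothing matches the map, so traffic crosses the interface in plaintext
            findings.append(f"{tag}: match address {acl} refers to an undefined ACL")
        if "transform" not in cm:
            findings.append(f"{tag}: no transform-set configured")
        if cm["dynamic"] and cm.get("peer") != "0.0.0.0":
            findings.append(f"{tag}: dynamic map should use the wildcard peer 0.0.0.0")
    return findings
```

Running `check_crypto_maps(SAMPLE_CONFIG)` reports the ACL mismatch; correcting the reference to 101 returns an empty list.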

11.3.9 Monitor and Maintain IPSec

Any re-configuration changes will delete existing SAs.

11.3.10 Network Address Translation in IPSec

NAT is most often used to convert private addresses into routable public addresses. With static NAT each
private address maps to one public address. In a dynamic/hide NAT both IP address and port are mapped,
allowing many privately addressed hosts to share one public IP address. Checksums must be recomputed,
and embedded IP addresses carried in application protocols like FTP may be translated. There is a problem
when NAT is applied before IPSec.
