Enterasys Security Router X-PeditionTM User Manual page 355

Enterasys security router user's guide
configuration, permit means protect (encrypt) the traffic, and deny means do not encrypt it
(allow it through as is).
XSR(config)#access-list 120 permit ip 141.154.196.64 0.0.0.63 63.81.66.0 0.0.0.255
XSR(config)#access-list 130 permit ip 63.81.64.0 0.0.0.255 63.81.66.0 0.0.0.255
XSR(config)#access-list 140 permit ip 63.81.68.0 0.0.0.255 63.81.66.0 0.0.0.255
4. Set up IKE Phase 1 protection by entering the following commands:

XSR(config)#crypto isakmp proposal Test
    Designates ISAKMP proposal Test and enters ISAKMP mode
XSR(config-isakmp)#authentication [pre-share | rsa]
    Selects pre-shared key or RSA signature (certificate, rsa-sig) authentication
XSR(config-isakmp)#encryption [aes | 3des | des]
    Chooses the encryption algorithm
XSR(config-isakmp)#hash [md5 | sha1]
    Selects the hash algorithm used by IKE
XSR(config-isakmp)#group [1 | 2 | 5]
    Chooses the Diffie-Hellman group
XSR(config-isakmp)#lifetime <seconds>
    Sets the IKE lifetime value in seconds
5. Configure the IKE policy for the remote peer. Multiple IKE proposals can be configured on each
peer participating in IPSec. When IKE negotiation begins, it tries to find a common proposal
(policy) on both peers, that is, one containing exactly the same encryption, hash,
authentication and Diffie-Hellman parameters (the lifetime does not necessarily have to match).

XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0
    Configures the IKE peer IP address/subnet and enters ISAKMP peer mode
XSR(config-isakmp-peer)#proposal Test
    Specifies the proposal list to use (Test)
XSR(config-isakmp-peer)#exchange mode [main | aggressive]
    Selects IKE main or aggressive mode
XSR(config-isakmp-peer)#nat-traversal [auto | enabled | disabled]
    Selects the NAT traversal setting
6. Create a transform-set which adds the specified encryption/data integrity algorithms, 768-bit
(Group 1) Diffie-Hellman, and your choice of SA lifetime. You can specify an SA lifetime in
seconds and in kilobytes; whichever value runs out first causes a rekey.

XSR(config)#crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
    Names the transform-set and sets its encryption (esp-3des) and data integrity (esp-sha-hmac) values
XSR(cfg-crypto-tran)#set pfs group1
    Sets the PFS (Perfect Forward Secrecy) Diffie-Hellman group
XSR(cfg-crypto-tran)#set security-association lifetime [kilobytes | seconds]
    Sets the SA lifetime in either kilobytes or seconds
7. Configure three crypto map Test entries, each correlated with a specified transform-set and
one of ACLs 140, 130 and 120; attach the map to a remote peer, configure an independent SA for
each traffic stream to a host, and select the IPSec mode of your choice. Crypto map match
statements render the associated ACLs bi-directional.

XSR(config)#crypto map Test 40
    Adds crypto map Test, sequence #40
XSR(config-crypto-m)#set transform-set esp-3des-sha
    Correlates the map entry with the specified transform-set
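The following is an added example, not Enterasys code and not part of the manual. It models the three rules the steps above rely on so they can be checked offline: how the wildcard masks in the crypto ACLs at the top of the page select traffic (a 1 bit in the mask means "don't care", so 0.0.0.63 covers a /26 and 0.0.0.255 a /24), how IKE Phase 1 proposal matching in step 5 compares encryption, hash, authentication and Diffie-Hellman group but not lifetime, and how the seconds-or-kilobytes SA lifetime of step 6 triggers a rekey. The ACL values are the page's own; the proposal names remote-a and remote-b, the traffic addresses and the byte/time figures are constructed for the example.

```python
"""Added example (not Enterasys code): a model of wildcard-mask crypto ACLs,
IKE Phase 1 proposal matching and the seconds-or-kilobytes SA lifetime rule
configured on this page. Proposal names and traffic figures are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPV4_MASK = 0xFFFFFFFF


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """XSR/Cisco-style wildcard mask: a 1 bit means 'don't care'.
    0.0.0.63 therefore matches a /26 and 0.0.0.255 a /24."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = IPV4_MASK ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


# The three crypto ACLs from the page: (acl, action, src, src-wc, dst, dst-wc).
CRYPTO_ACLS = [
    (120, "permit", "141.154.196.64", "0.0.0.63", "63.81.66.0", "0.0.0.255"),
    (130, "permit", "63.81.64.0", "0.0.0.255", "63.81.66.0", "0.0.0.255"),
    (140, "permit", "63.81.68.0", "0.0.0.255", "63.81.66.0", "0.0.0.255"),
]


def acl_action(acl: int, src: str, dst: str) -> Optional[str]:
    """First matching entry of ACL `acl` wins: 'permit' = protect (encrypt),
    'deny' = send as is. None = no entry matched, so this crypto ACL does not
    select the flow at all (the implicit deny at the end of the list)."""
    for num, action, s, sw, d, dw in CRYPTO_ACLS:
        if num == acl and wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return None


@dataclass(frozen=True)
class IkeProposal:
    """One 'crypto isakmp proposal' (step 4); fields mirror the CLI keywords."""
    name: str
    authentication: str   # pre-share | rsa
    encryption: str       # aes | 3des | des
    hash_alg: str         # md5 | sha1
    group: int            # 1 | 2 | 5
    lifetime: int         # seconds


def negotiate_phase1(local, remote):
    """Step 5: the first pair of proposals whose encryption, hash,
    authentication and DH group match exactly; lifetime is deliberately
    left out of the comparison. Returns (local name, remote name) or None."""
    for l in local:
        for r in remote:
            if ((l.encryption, l.hash_alg, l.authentication, l.group)
                    == (r.encryption, r.hash_alg, r.authentication, r.group)):
                return l.name, r.name
    return None


def sa_needs_rekey(elapsed_s: int, kbytes_sent: int,
                   lifetime_s: int, lifetime_kb: int) -> bool:
    """Step 6: an SA lifetime may be set in seconds and kilobytes; whichever
    limit runs out first triggers the rekey."""
    return elapsed_s >= lifetime_s or kbytes_sent >= lifetime_kb


if __name__ == "__main__":
    # Constructed sample flows through ACL 120 (141.154.196.64/26 -> 63.81.66.0/24).
    print(acl_action(120, "141.154.196.100", "63.81.66.7"))   # permit
    print(acl_action(120, "141.154.196.200", "63.81.66.7"))   # None: outside the /26
    local = [IkeProposal("Test", "pre-share", "aes", "sha1", 2, 86400)]
    remote = [IkeProposal("remote-a", "rsa", "aes", "sha1", 2, 3600),
              IkeProposal("remote-b", "pre-share", "aes", "sha1", 2, 3600)]
    print(negotiate_phase1(local, remote))                    # ('Test', 'remote-b')
    print(sa_needs_rekey(120, 4608000, 3600, 4608000))        # True: kilobyte limit hit first
```

The negotiation function returns the first match in proposal order, which is why the order of proposals on each peer matters when several would match; the differing lifetimes (86400 versus 3600 seconds) do not prevent the match, exactly as step 5 describes.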
Configuring a Simple VPN Site-to-Site Application
XSR User's Guide 14-33