Remote Access - Enterasys Security Router X-Pedition™ User Manual

Enterasys security router user's guide

[Figure 14-12, Branch Office labels: EZ-IPSec client; FastEthernet 1, 172.16.1.1]
Begin by setting the XSR system time via SNTP. This configuration is critical for XSRs which use
time-sensitive certificates.
XSR(config)#sntp-client server 10.120.84.3
XSR(config)#sntp-client poll-interval 60
Add ACLs to permit IP and UDP traffic:
XSR(config)#access-list 130 permit udp any any eq 500
XSR(config)#access-list 130 permit gre any any
XSR(config)#access-list 130 permit tcp any any est
XSR(config)#access-list 130 permit tcp any any eq 1723
XSR(config)#access-list 130 deny ip any any
Add ACLs for IP local pool/EZ-IPSec, Network Extension address and L2TP:
XSR(config)#access-list 110 permit ip any 10.120.70.0 0.0.0.255
XSR(config)#access-list 120 permit udp any any eq 1701
XSR(config)#access-list 140 permit ip any 172.16.1.0 0.0.0.255
XSR(config)#access-list 150 permit ip any 192.168.111.0 0.0.0.255
Define IKE Phase I security parameters with the following two policies:
XSR(config)#crypto isakmp proposal xp-soho
XSR(config-isakmp)#hash md5
XSR(config-isakmp)#lifetime 50000
XSR(config)#crypto isakmp proposal p2p
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#lifetime 50000
Configure IKE policy for the remote peer:
XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0
XSR(config-isakmp-peer)#proposal xp-soho p2p
XSR(config-isakmp-peer)#config-mode gateway
XSR(config-isakmp-peer)#nat-traversal automatic
Configure the following four IPSec SAs:
XSR(config)#crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
XSR(cfg-crypto-tran)#no set security-association lifetime kilobytes
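
An added example, not part of the manual or of Enterasys code: a small Python check that reads the IKE and IPSec commands shown above and lists the settings a reviewer would want to revisit, namely the legacy algorithms (MD5, 3DES) and any pre-share proposal attached to the 0.0.0.0 0.0.0.0 peer. The names `audit` and `LEGACY` are hypothetical, and the script assumes that peer 0.0.0.0 0.0.0.0 matches any remote address.

```python
import re

# Constructed input: the IKE/IPSec commands from this page, prompts included.
CONFIG = """\
XSR(config)#crypto isakmp proposal xp-soho
XSR(config-isakmp)#hash md5
XSR(config-isakmp)#lifetime 50000
XSR(config)#crypto isakmp proposal p2p
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#lifetime 50000
XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0
XSR(config-isakmp-peer)#proposal xp-soho p2p
XSR(config-isakmp-peer)#nat-traversal automatic
XSR(config)#crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
XSR(cfg-crypto-tran)#no set security-association lifetime kilobytes
"""

# Legacy algorithm keywords to flag (reviewer's list, not an XSR feature).
LEGACY = {"md5": "MD5 hash", "esp-3des": "3DES encryption",
          "esp-md5-hmac": "HMAC-MD5 integrity"}

def audit(config_text):
    """Return (context, finding) pairs for legacy or broadly scoped settings."""
    findings, ctx, psk, wildcard = [], "", set(), False
    for raw in config_text.splitlines():
        words = re.sub(r"^\S+#", "", raw.strip()).split()  # drop the CLI prompt
        hits = []
        if len(words) > 3 and words[0] == "crypto" and words[1] in ("isakmp", "ipsec"):
            ctx = " ".join(words[2:4])  # e.g. "proposal p2p"
            wildcard = words[2:] == ["peer", "0.0.0.0", "0.0.0.0"]
            if words[2] == "transform-set":
                hits = words[4:]  # transform names follow the set name
        elif words[:1] == ["hash"]:
            hits = words[1:]
        elif words[:2] == ["authentication", "pre-share"]:
            psk.add(ctx.split()[-1])  # remember which proposal uses a PSK
        elif words[:1] == ["proposal"] and wildcard:
            for name in words[1:]:
                if name in psk:
                    findings.append(
                        (ctx, "pre-share proposal %s offered to any peer" % name))
        findings += [(ctx, LEGACY[h]) for h in hits if h in LEGACY]
    return findings

if __name__ == "__main__":
    for ctx, finding in audit(CONFIG):
        print("%-28s %s" % (ctx, finding))
```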
[Figure 14-12: EZ-IPSec Client, XP Client and Gateway Topology. Diagram labels: PPPoE; Internet; interface; XSR RoboPez; Windows XP - L2TP/IPSec or PPTP Client; Central Site (Terminates EZ-IPSec Client Mode, Terminates L2TP/IPSec clients); FastEthernet 2, 141.154.196.87; CA server; FastEthernet 1, 10.120.112.6; XSR Robo6]

XSR User's Guide 14-37 (Configuration Examples)
