Enterasys Security Router X-Pedition™ User Manual, page 363

Enterasys security router user's guide

XSR(config-isakmp-peer)#proposal shared
4. Configure a set of three IPSec quick mode security parameters (transform sets) that the XSR-3000 is willing to negotiate within the IKE conversation:
XSR(config)#crypto ipsec transform-set aes-md5 esp-aes esp-md5-hmac
XSR(cfg-crypto-tran)#set security-association lifetime kilobytes 25000
XSR(cfg-crypto-tran)#set security-association lifetime seconds 7200
XSR(config)#crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
XSR(cfg-crypto-tran)#set security-association lifetime kilobytes 25000
XSR(cfg-crypto-tran)#set security-association lifetime seconds 7200
XSR(config)#crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
XSR(cfg-crypto-tran)#set security-association lifetime kilobytes 25000
XSR(cfg-crypto-tran)#set security-association lifetime seconds 7200
Note that esp-md5-hmac and esp-3des are legacy choices: current IPSec algorithm guidance (RFC 8221) rates HMAC-MD5 as MUST NOT and 3DES as SHOULD NOT. Where the remote gateway supports it, prefer AES encryption with a SHA-based HMAC and do not offer the MD5 or 3DES sets at all.
5. Create crypto map gre, allowing IPSec transport mode for traffic matching the GRE ACL (190) created above. The crypto map also allows the use of any of the three transform sets (aes-md5, 3des-md5, 3des-sha) created above. Transport mode is sufficient here because the GRE header already supplies the outer encapsulation. Be aware that the peer address is set to the public Internet address terminating the GRE tunnel.
XSR(config)#crypto map gre 190
XSR(config-crypto-m)#set transform-set aes-md5 3des-md5 3des-sha
XSR(config-crypto-m)#match address 190
XSR(config-crypto-m)#set peer 63.81.64.200
XSR(config-crypto-m)#mode transport
XSR(config-crypto-m)#set security-association level per-host
6. Add GigabitEthernet interface 1 as the trusted (private) VPN interface; it is connected to the corporate network. Enable OSPF on this interface to join the corporate OSPF routing fabric.
XSR(config)#interface GigabitEthernet 1
XSR(config-if<G1>)#ip address 10.120.84.21 255.255.255.0
XSR(config-if<G1>)#ip ospf dead-interval 4
XSR(config-if<G1>)#ip ospf hello-interval 1
XSR(config-if<G1>)#no shutdown
7. Add GigabitEthernet interface 2 as the external (public) VPN interface; it is directly connected to the Internet. Attach crypto map gre to this interface so that IKE and IPSec processing is applied to traffic matching the map.
XSR(config)#interface GigabitEthernet 2
XSR(config-if<G2>)#crypto map gre
XSR(config-if<G2>)#ip address 63.81.64.100 255.255.255.0
XSR(config-if<G2>)#no shutdown
8. Add a point-to-point VPN GRE interface, enable XSR1800 to initiate an outbound tunnel (the set active command), set the IP address of the remote VPN gateway (63.81.64.200), and redirect all multicast packets (OSPF among them) to the unicast address of the remote tunnel endpoint:
XSR(config)#interface vpn1 point-to-point
XSR(config-int-vpn)#ip multicast-redirect 192.168.1.1
XSR(config-int-vpn)#tunnel "XSR1800"
XSR(config-tms-tunnel)#set protocol gre
XSR(config-tms-tunnel)#set active
XSR(config-tms-tunnel)#set peer 63.81.64.200
XSR(config-tms-tunnel)#ip address 192.168.1.2 255.255.255.0
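Steps 4 to 8 only protect the GRE tunnel if the pieces reference each other consistently: every transform set named in the crypto map must exist, the map must select traffic and be bound to the public interface, and the crypto map peer must be the same gateway the GRE tunnel points at, or IKE will negotiate with the wrong address and the tunnel will never come up. The Python script below is an added example, not part of the manual or of Enterasys' software: it audits a saved XSR configuration for those mistakes and for the weak transforms discussed under step 4. The embedded configuration is constructed from steps 4 to 8 above; the indented "running-config" layout and the reuse of the page's transform keywords are assumptions.

```python
# Constructed sample (not the XSR's own "show running-config" output): the commands from
# steps 4 to 8 as a saved configuration would list them, prompts stripped. The indented
# block layout is an assumption about the XSR's configuration format.
SAMPLE_CONFIG = """\
crypto ipsec transform-set aes-md5 esp-aes esp-md5-hmac
 set security-association lifetime kilobytes 25000
 set security-association lifetime seconds 7200
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
 set security-association lifetime kilobytes 25000
 set security-association lifetime seconds 7200
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
 set security-association lifetime kilobytes 25000
 set security-association lifetime seconds 7200
crypto map gre 190
 set transform-set aes-md5 3des-md5 3des-sha
 match address 190
 set peer 63.81.64.200
 mode transport
 set security-association level per-host
interface GigabitEthernet 1
 ip address 10.120.84.21 255.255.255.0
 no shutdown
interface GigabitEthernet 2
 crypto map gre
 ip address 63.81.64.100 255.255.255.0
 no shutdown
interface vpn1 point-to-point
 ip multicast-redirect 192.168.1.1
 tunnel "XSR1800"
  set protocol gre
  set active
  set peer 63.81.64.200
  ip address 192.168.1.2 255.255.255.0
"""

# ESP transforms that should not be offered on a new deployment. RFC 8221 rates
# HMAC-MD5-96 as MUST NOT and 3DES as SHOULD NOT; the keyword spellings follow this page.
WEAK_TRANSFORMS = {
    "esp-des": "single DES encryption",
    "esp-3des": "3DES encryption (64-bit block size)",
    "esp-md5-hmac": "HMAC-MD5 integrity",
    "esp-null": "no encryption",
}


def parse_blocks(text):
    """Group each indented line under the nearest preceding unindented command."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            blocks.append({"header": raw.split(), "body": []})
        elif blocks:
            blocks[-1]["body"].append(raw.split())
    return blocks


def audit(text):
    """Return (severity, message) findings for the IPSec/GRE parts of an XSR configuration."""
    transform_sets = {}   # name -> list of ESP transforms
    crypto_maps = {}      # name -> {sets, peers, acl, applied}
    tunnel_peers = set()  # remote gateways of GRE tunnels

    def cmap(name):
        return crypto_maps.setdefault(name, {"sets": [], "peers": set(), "acl": None, "applied": []})

    for blk in parse_blocks(text):
        h = blk["header"]
        if h[:3] == ["crypto", "ipsec", "transform-set"]:
            transform_sets[h[3]] = h[4:]
        elif h[:2] == ["crypto", "map"]:
            m = cmap(h[2])
            for w in blk["body"]:
                if w[:2] == ["set", "transform-set"]:
                    m["sets"] = w[2:]
                elif w[:2] == ["set", "peer"]:
                    m["peers"].add(w[2])
                elif w[:2] == ["match", "address"]:
                    m["acl"] = w[2]
        elif h[:1] == ["interface"]:
            for w in blk["body"]:
                if w[:2] == ["crypto", "map"]:
                    cmap(w[2])["applied"].append(" ".join(h[1:]))
                elif w[:2] == ["set", "peer"]:  # under an interface, "set peer" belongs to a tunnel
                    tunnel_peers.add(w[2])

    findings = []
    for name, transforms in transform_sets.items():
        for t in transforms:
            if t in WEAK_TRANSFORMS:
                findings.append(("warn", f"transform-set {name} offers {t}: {WEAK_TRANSFORMS[t]}"))

    for name, m in crypto_maps.items():
        for s in m["sets"]:
            if s not in transform_sets:
                findings.append(("error", f"crypto map {name} references undefined transform-set {s}"))
        if m["acl"] is None:
            findings.append(("error", f"crypto map {name} has no 'match address'; it selects no traffic"))
        if not m["applied"]:
            findings.append(("error", f"crypto map {name} is not applied to any interface"))
        strong = [s for s in m["sets"] if s in transform_sets
                  and not any(t in WEAK_TRANSFORMS for t in transform_sets[s])]
        if m["sets"] and not strong:
            findings.append(("error", f"crypto map {name} offers no transform-set free of weak transforms"))

    map_peers = set().union(*(m["peers"] for m in crypto_maps.values()))
    for peer in sorted(tunnel_peers):
        if peer not in map_peers:
            findings.append(("error", f"GRE tunnel peer {peer} is not a crypto map peer; IKE would target the wrong gateway"))
    return findings


def main():
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")


if __name__ == "__main__":
    main()
```

Run against the page's configuration, the audit reports four warnings (every transform set uses MD5 or 3DES) and one error (the crypto map offers no strong alternative); changing the crypto map peer to an address other than 63.81.64.200 adds the peer mismatch error.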
Configuration Examples
XSR User's Guide 14-41