Table of Contents
Advertisement
Interoperability Profile for the XSR
XSR(config)#crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac
XSR(cfg-crypto-tran)#set pfs group2
XSR(cfg-crypto-tran)#no set security-association life kilo
XSR(cfg-crypto-tran)#set security-association life secon 700
XSR(config)#crypto map test 20
XSR(config-crypto-m)#set transform-set esp-des-md5
XSR(config-crypto-m)#match address 120
XSR(config-crypto-m)#set peer 192.168.2.5
XSR(config-crypto-m)#mode tunnel
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#no shutdown
XSR(config-if<F1>)#ip address 192.168.1.2 255.255.255.0
XSR(config)#interface fastethernet 2
XSR(config-if<F2>)#crypto map test
XSR(config-if<F2>)#no shutdown
XSR(config-if<F2>)#ip address 192.168.2.2 255.255.255.0
XSR(config)#ip route 192.168.3.0 255.255.255.0 192.168.2.5
XSR(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.1
XSR(config)#snmp-server disable
Interoperability Profile for the XSR
Scenario 1: Gateway-to-Gateway with Pre-Shared Secrets
This section describes how to configure the XSR according to the VPN Consortium's
interoperability scenarios (http://www.vpnc.org/). The following is a typical gateway-to-
gateway VPN that uses a pre-shared secret for authentication, as illustrated in
Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has
the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17.
Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet)
interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used
for testing IPsec but is not needed for configuring Gateway A.
The IKE Phase 1 parameters used in Scenario 1 are:
14-46 Configuring the Virtual Private Network
Figure 14-13
Gateway-to Gateway with Pre-Shared Secrets Topology
10.5.6.0/24
Gateway A
AL
10.5.6.1
Internet
AW
14.15.16.17
Figure
14-13.
172.23.9.0/24
Gateway B
BW
BL
22.23.24.25
172.23.9.1
Advertisement
Table of Contents
Troubleshooting
