ADTRAN AOS Version R10.1.0 Command Reference Manual page 921

Adtran operating system (aos)

Command Reference Guide
Global Configuration Mode Command Set
Technology Review
The following example configures an AOS product for virtual private network (VPN) using IKE aggressive
mode with preshared keys (PSKs). The AOS product can be set to initiate IKE negotiation in main mode or
aggressive mode. The product can be set to respond to IKE negotiation in main mode, aggressive mode,
or any mode. In this example, the device is configured to initiate in aggressive mode and to respond to any
mode.
This example assumes that the AOS product has been configured with a wide area network (WAN) IP
address of 63.97.45.57 on interface ppp 1 and a local area network (LAN) IP address of 10.10.10.254 on
interface ethernet 0/1. The peer private IP subnet is 10.10.20.0.
For more detailed information on VPN configuration, refer to the VPN configuration guide located on the
AOS Documentation CD provided with your product.
Step 1:
Enter the Global Configuration mode (i.e., config terminal mode).
>enable
#configure terminal
Step 2:
Enable VPN support using the ip crypto command. This command allows crypto maps to be applied to
interfaces, and enables the IKE server to listen for IKE negotiation sessions on User Datagram Protocol
(UDP) port 500.
(config)#ip crypto
Step 3:
Set the local ID. During IKE negotiation, local IDs are exchanged between the local device and the peer
device. In AOS, the default setting for all local IDs is configured by the crypto ike local-id command.
The default setting is for all local IDs to be the IPv4 address of the interface over which the IKE negotiation
is occurring. In the future, a unique system-wide host name or fully qualified domain name (FQDN) could
be used for all IKE negotiation.
(config)#crypto ike local-id address
Step 4:
Create IKE policy. In order to use IKE negotiation, an IKE policy must be created. Within the system, a list
of IKE policies is maintained. Each IKE policy is given a priority number in the system. That priority number
defines the position of that IKE policy within the system list. When IKE negotiation is needed, the system
searches through the list, starting with the policy with priority of 1, looking for a match to the peer IP
address.
An individual IKE policy can override the system local ID setting by having the local-id command specified
in the IKE policy definition. This command in the IKE policy is used to specify the type of local ID and the
local ID data. The type can be IPv4 address, FQDN, or user-specified FQDN.
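The policy search and local ID override described in Step 3 and Step 4 can be modeled as follows. This is an added illustration, not ADTRAN code: the peer addresses, FQDN values, type labels, and all function names are assumptions, and peer matching is simplified to an exact IP address comparison.

```python
"""Model of the IKE policy lookup and local ID resolution described above.
Added illustration, not ADTRAN code. Peer addresses and FQDNs are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple

LOCAL_ID_TYPES = {"address", "fqdn", "user-fqdn"}  # assumed labels for the three types


@dataclass(frozen=True)
class IkePolicy:
    priority: int                               # position in the system list
    peer: str                                   # peer IP address the policy matches
    local_id: Optional[Tuple[str, str]] = None  # (type, data) override, if any


def select_policy(policies, peer_ip):
    """Search in ascending priority order; return the first policy matching peer_ip."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.peer == peer_ip:
            return policy
    return None


def effective_local_id(policy, interface_ip):
    """A policy-level local ID overrides the system default, which is the IPv4
    address of the interface carrying the negotiation."""
    if policy.local_id is None:
        return ("address", interface_ip)
    id_type, data = policy.local_id
    if id_type not in LOCAL_ID_TYPES:
        raise ValueError(f"unknown local ID type: {id_type}")
    return (id_type, data)


def shadowed(policies):
    """Policies that can never be selected because a lower priority number
    already matches the same peer."""
    seen, hidden = set(), []
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.peer in seen:
            hidden.append(policy)
        seen.add(policy.peer)
    return hidden


WAN_IP = "63.97.45.57"   # interface ppp 1 in the example above
POLICIES = [              # constructed sample list
    IkePolicy(20, "203.0.113.10", ("fqdn", "branch.example.com")),
    IkePolicy(10, "203.0.113.10"),
    IkePolicy(30, "198.51.100.7", ("user-fqdn", "vpn@example.com")),
]
```

In the constructed list, the priority 20 policy is never reached for peer 203.0.113.10, so the FQDN identity it specifies is never sent. Reviewing the policy list for such shadowed entries confirms which local ID a given peer will actually see.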
60000CRG0-35E
Copyright © 2012 ADTRAN, Inc.
921
