Traffic Secured in VPN; Configuring VPN Using CLI - Motorola WS5100 Series Migration Guide

The concept of crypto-map entries is used to configure IPSec security associations. Crypto map entries
created for IPSec pull together the various parts used to set up IPSec security associations. Crypto map
entries also include transform sets. A transform set is an acceptable combination of security protocols,
algorithms and other settings to apply to IPSec protected traffic.
The Internet Key Exchange (IKE) protocol automatically negotiates IPSec SAs and enables IPSec secure
communications without manual pre-configuration.

11.2.1 Traffic Secured in VPN

VPN is used to provide secure access between two subnets separated by an unsecured network. The WS5100
switch can be used to configure:
• Site-to-Site VPN — For example, traffic between two branch offices of one company with an unsecured
link in between.
• Remote VPN — This gives remote users the ability to access their company resources from outside the
company premises.
IPSec VPN manages two types of traffic:
1. Control Traffic — This negotiates what type of encryption, authentication and group key algorithms
should be used for data traffic. This is referred to as IKE negotiation. There are two phases in IKE
negotiation:
• Phase 1 – Is used for device authentication and negotiates the IKE parameters to be used at the local
and remote peer.
• Phase 2 – Negotiates what security algorithms, encryption and authentication algorithms should be
used for data traffic.
Phase-1 (IKE exchange) happens in plaintext and Phase-2 generally happens in encrypted traffic. In VPN
terminology, the tunnel established for control traffic is referred to as the IKE SA.
NOTE: In addition to the above phases, there is a sub-phase between IKE Phase-1 and IKE
Phase-2 that is referred to as mode config. This is used only in the remote VPN
scenario and is used to authenticate the remote client and assign a private IP pool to the
clients.
2. Data Traffic — The tunnel usually consists of two SAs for data traffic, one in each direction. The
encryption, security algorithms, authentication and key group to use for data traffic are negotiated between
the two peers in IKE Phase 2.

11.3 Configuring VPN using CLI

Execute the following steps to configure IPSec VPN functionality on the WS5100 switch:
• Configure Peer Properties
• Configure Parameters for Control Traffic using ISAKMP Policy
• Security Parameters for Data Traffic using Transform Set
• Specifying Traffic to Protect using Crypto ACL
• Binding all Parameters to a Remote Peer using Crypto Map
• Activating IPSec to a Remote Peer
• Configuring for Remote VPN Client
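The steps above assemble four parts (ISAKMP policy, transform set, crypto ACL, peer) into one crypto map entry. As an added example that is not code from the guide or from the WS5100 itself, the Python model below represents those parts and checks that an entry is coherent before it would be pushed to a switch; the class names, the minimum DH group, the weak-algorithm list and the lifetime rule are assumptions of this example, not settings documented for the WS5100.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

WEAK = {"des", "md5", "null", "esp-des", "esp-null", "esp-md5-hmac"}  # assumed local policy

@dataclass
class IsakmpPolicy:          # IKE Phase 1: peer authentication, IKE SA parameters
    encryption: str
    hash: str
    dh_group: int
    lifetime: int            # IKE SA lifetime in seconds

@dataclass
class TransformSet:          # IKE Phase 2: protocols/algorithms for the data SAs
    esp_encryption: str
    esp_auth: str

@dataclass
class CryptoMapEntry:        # binds policy, transform set and crypto ACL to a peer
    peer: str
    policy: IsakmpPolicy
    transform: TransformSet
    crypto_acl: List[Tuple[str, str]]   # (source, destination) prefixes to protect
    sa_lifetime: int                    # IPSec data SA lifetime in seconds

def validate(entry: CryptoMapEntry) -> List[str]:
    """Return the problems found; an empty list means the entry is coherent."""
    problems = []
    try:
        ip_address(entry.peer)
    except ValueError:
        problems.append(f"peer {entry.peer!r} is not an IP address")
    for name in (entry.policy.encryption, entry.policy.hash,
                 entry.transform.esp_encryption, entry.transform.esp_auth):
        if name.lower() in WEAK:
            problems.append(f"weak or null algorithm {name!r}")
    if entry.policy.dh_group < 14:           # assumed minimum for the IKE DH group
        problems.append(f"DH group {entry.policy.dh_group} below minimum 14")
    if not entry.crypto_acl:
        problems.append("crypto ACL selects no traffic, so nothing is protected")
    for src, dst in entry.crypto_acl:
        try:
            ip_network(src), ip_network(dst)
        except ValueError:
            problems.append(f"bad crypto ACL selector {src} -> {dst}")
    if entry.sa_lifetime > entry.policy.lifetime:   # data SAs are rekeyed under the IKE SA
        problems.append("IPSec SA lifetime exceeds IKE SA lifetime")
    return problems
```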