Binding All Parameters To A Remote Peer Using Crypto Map - Motorola WS5100 Series Migration Guide

Follow the CLI commands below to configure IPSec traffic between the local subnet 10.1.1.0/24 and the
remote subnet 192.168.0/24.
1. Create an extended ACL.
WS5100(config)#ip access-list extended 101
2. Configure the local subnet and the remote subnet to allow IPSec traffic between them.
WS5100(config-ext-nacl)# permit ip 10.1.1.0/24 192.168.0/24
For IPSec to be established, the local subnet must always appear before the remote subnet.
CAUTION: Using "any any" as both the source and the destination subnet renders the box inaccessible via
telnet/ssh, and site-to-site also does not work. Hence, this should not be used.
For more details on configuring ACLs, refer to Configuring ACL using CLI.

11.3.5 Binding all Parameters to a Remote Peer using Crypto Map

Use crypto map entries to configure IPSec SAs. Create one map entry for every remote peer. Crypto map
entries created for IPSec bring together the various parts used to set up IPSec security associations, including:
• The crypto access list, which defines what traffic should be protected and what traffic should not be. For
example, an access list can be created to protect traffic between Subnet A and Subnet Y or between Host
A and Host B. The crypto map entry references the specific access list whose permit entries define the
traffic to which IPSec processing is applied.
• Where IPSec-protected traffic should be sent (who the remote IPSec peer is).
• The local address to be used for the IPSec traffic (this is determined automatically when the crypto map
is applied to an interface).
• What IPSec security and algorithms should be applied to this traffic (by selecting a transform set).
• How security associations are established: manually or via IKE.
• If IKE is not used, the manual keys that need to be specified.
• The lifetime of the data connections.
• Whether the client configuration mode is for remote VPN or site-to-site VPN. If the configuration is for
remote VPN, specify whether the client uses IPSec L2TP (used with Windows VPN) or X-auth.
• A crypto map set consists of multiple crypto map entries.
The policy described in the crypto map entries is used during the negotiation of security associations. For
IPSec to succeed between two IPSec peers, both peers' crypto map entries must contain compatible
configuration statements.
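As an added example (not from the Motorola guide), the following Python check applies the rules above to crypto ACL lines before they are pasted into the WS5100: the local subnet must appear first, "any any" must not be used as source and destination, and the two peers' permit entries must mirror each other. The local subnet and the ACL lines are constructed for the example, with the remote subnet written out in full as 192.168.0.0/24.

```python
import ipaddress

# Constructed values for the example: the local side of the tunnel and the
# crypto ACL lines as typed in config-ext-nacl mode on each peer.
LOCAL_SUBNET = ipaddress.ip_network("10.1.1.0/24")
LOCAL_ACL = ["permit ip 10.1.1.0/24 192.168.0.0/24"]
PEER_ACL = ["permit ip 192.168.0.0/24 10.1.1.0/24"]   # mirror image on the remote peer


def _to_network(token):
    """Map an ACL address token to a network; 'any' means 0.0.0.0/0."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(token, strict=False)


def parse_entry(line):
    """Return (action, src, dst) from a line of the form 'permit ip <src> <dst>'."""
    parts = line.split()
    if len(parts) != 4 or parts[1] != "ip":
        raise ValueError(f"unrecognised ACL line: {line!r}")
    return parts[0], _to_network(parts[2]), _to_network(parts[3])


def check_local_acl(lines, local_subnet):
    """Return a list of problems found in the local crypto ACL (empty list means OK)."""
    problems = []
    for line in lines:
        action, src, dst = parse_entry(line)
        if action != "permit":
            continue  # only permit entries select traffic for IPSec processing
        if src.prefixlen == 0 and dst.prefixlen == 0:
            problems.append(f"{line}: 'any any' locks out telnet/ssh and breaks site-to-site")
        elif not src.subnet_of(local_subnet):
            # The local subnet must come first; a reversed entry never matches.
            problems.append(f"{line}: source {src} is not within local subnet {local_subnet}")
    return problems


def peers_compatible(local_lines, peer_lines):
    """Both peers must describe the same flows, with source and destination swapped."""
    local = {(s, d) for a, s, d in map(parse_entry, local_lines) if a == "permit"}
    peer = {(d, s) for a, s, d in map(parse_entry, peer_lines) if a == "permit"}
    return local == peer


if __name__ == "__main__":
    print(check_local_acl(LOCAL_ACL, LOCAL_SUBNET) or "local crypto ACL OK")
    print("peers compatible:", peers_compatible(LOCAL_ACL, PEER_ACL))
```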
