Enterasys X-Pedition XSR-3150 Getting Started Manual page 73

X-pedition security router
[Figure 3-6. VPN Topology with NEM, EZ-IPSec and Internet Access]
Hub XSR: GigabitEthernet 1: 172.16.10.0/24 (private LAN); GigabitEthernet 2: 26.26.26.10/24 (public); Virtual IP Pool: 172.16.10.0/24
Public network: 26.26.26.0/24
Remote site router 1: eth0: 10.11.11.1/24; eth1: 26.26.26.11/24
Remote site router 2: eth0: 10.12.12.1/24; eth1: 26.26.26.12/24
The following script configures the VPN topology shown in Figure 3-6.
If you have not already generated a master encryption key, you must do so now to configure the
VPN. A master key need only be generated once.
Caution: The master encryption key is stored in hardware, not in Flash. You cannot read the key
back; you can only overwrite it by writing a new one. To preserve router security, it is critical not
to compromise the key. There are situations where you need to retain the key, for example, when
saving the user database off-line so that it can later be downloaded to the XSR: the user database
is encrypted with the master key, so the same key must be present on the XSR, and you designate
it with the master key specify command. Be aware that if the XSR becomes inoperable you may
have to return it to factory defaults, which erases the master key and forces you to generate a new
one.
Generate the master key. Refer to the following sample key:
XSR(config)#crypto key master generate
New key is 2173 4521 3764 2ff5
163b 4bdf fe92 dbc1
1232 ffe0 f8d9 3649
Apply the following ACLs to the public interface of the XSR before creating the VPN
configuration. These ACLs apply only to an XSR configured to terminate Network Extension
Mode (NEM) tunnels initiated from ANG-1100s. As printed, ACL 110 (inbound) and ACL 111
(outbound) permit IKE (UDP port 500) in both directions and ICMP to and from the public
interface address (omit the ICMP entries if you prefer); the final deny ip any any entry in each
list drops everything else on that interface. The standard ACL 1 matches any source address
except the 26.26.26.0/24 public network; where it is applied is not shown in this excerpt. Note
that the lists contain no entries for general outbound IP traffic or established inbound TCP, nor
for ESP (IP protocol 50) or NAT Traversal (UDP port 4500); if your deployment needs any of
these to pass the interface ACL, add the corresponding permit entries above the final deny.
XSR(config)#access-list 1 deny 26.26.26.0 0.0.0.255
XSR(config)#access-list 1 permit any
XSR(config)#access-list 110 permit udp any any eq 500
XSR(config)#access-list 110 permit icmp any host 26.26.26.10
XSR(config)#access-list 110 deny ip any any
XSR(config)#access-list 111 permit udp any any eq 500
XSR(config)#access-list 111 permit icmp host 26.26.26.10 any
XSR(config)#access-list 111 deny ip any any
XSR(config)#interface gigabitethernet 2
XSR(config-if<F2>)#ip access-group 110 in
XSR(config-if<F2>)#ip access-group 111 out
Enable Network Address Translation:
XSR(config-if<F2>)#ip nat source assigned overload
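To see exactly what the interface ACLs above accept and drop, the following Python script (an added example, not part of the Enterasys manual and not XSR code) parses the eight access-list lines from this page into rules and evaluates constructed sample packets against ACL 110 inbound and ACL 111 outbound, using the same first-match, implicit-deny semantics as a Cisco-style numbered ACL. The packet descriptions, the 198.51.100.7 web server address and the helper names are assumptions for illustration; the assumption that ACL 1 is consulted with a packet's source address is likewise the script's, since the page does not show where ACL 1 is applied.

```python
"""Evaluate the XSR public-interface ACLs from this page against sample packets.

Added example: models Cisco-style numbered ACL semantics (first match wins,
implicit deny at the end, wildcard masks where 1 bits mean "don't care").
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The eight access-list lines exactly as they appear on this manual page.
ACL_CONFIG = """\
access-list 1 deny 26.26.26.0 0.0.0.255
access-list 1 permit any
access-list 110 permit udp any any eq 500
access-list 110 permit icmp any host 26.26.26.10
access-list 110 deny ip any any
access-list 111 permit udp any any eq 500
access-list 111 permit icmp host 26.26.26.10 any
access-list 111 deny ip any any
"""


@dataclass
class AddrSpec:
    network: int   # address bits that must match
    wildcard: int  # Cisco wildcard mask: 1 bits are ignored

    def matches(self, ip: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(ip)) & care) == (self.network & care)


ANY = AddrSpec(0, 0xFFFFFFFF)


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]   # None = any destination port


@dataclass
class Packet:
    src: str
    dst: str
    proto: str             # "tcp", "udp", "icmp", "esp", ...
    dport: Optional[int] = None


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume one address spec at tokens[i]; return (spec, index after it)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return AddrSpec(int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    if i + 1 < len(tokens) and tokens[i + 1].count(".") == 3:
        return AddrSpec(net, int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2
    return AddrSpec(net, 0), i + 1  # bare address in a standard ACL = host


def parse_acls(text: str) -> Dict[int, List[Rule]]:
    acls: Dict[int, List[Rule]] = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number, action = int(tokens[1]), tokens[2]
        if number <= 99:
            # Standard ACL: source address only, any protocol, any destination.
            src, _ = _parse_addr(tokens, 3)
            rule = Rule(action, "ip", src, ANY, None)
        else:
            proto = tokens[3]
            src, i = _parse_addr(tokens, 4)
            dst, i = _parse_addr(tokens, i)
            dport = int(tokens[i + 1]) if i + 1 < len(tokens) and tokens[i] == "eq" else None
            rule = Rule(action, proto, src, dst, dport)
        acls.setdefault(number, []).append(rule)
    return acls


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching entry decides; an ACL ends with an implicit deny."""
    for r in rules:
        if r.proto not in ("ip", pkt.proto):
            continue
        if not (r.src.matches(pkt.src) and r.dst.matches(pkt.dst)):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "deny"


def check_public_interface() -> Dict[str, str]:
    """Constructed sample packets crossing GigabitEthernet 2 (26.26.26.10)."""
    acls = parse_acls(ACL_CONFIG)
    inbound = {  # evaluated against ACL 110
        "ike from remote": Packet("26.26.26.11", "26.26.26.10", "udp", 500),
        "ping to public addr": Packet("26.26.26.11", "26.26.26.10", "icmp"),
        "ping to inside addr": Packet("26.26.26.11", "172.16.10.1", "icmp"),
        "ssh to public addr": Packet("26.26.26.11", "26.26.26.10", "tcp", 22),
        "esp from remote": Packet("26.26.26.11", "26.26.26.10", "esp"),
    }
    outbound = {  # evaluated against ACL 111
        "ike to remote": Packet("26.26.26.10", "26.26.26.11", "udp", 500),
        "ping from public addr": Packet("26.26.26.10", "26.26.26.11", "icmp"),
        "natted web from lan": Packet("26.26.26.10", "198.51.100.7", "tcp", 80),
    }
    results = {"in: " + k: evaluate(acls[110], p) for k, p in inbound.items()}
    results.update({"out: " + k: evaluate(acls[111], p) for k, p in outbound.items()})
    return results


def acl1_matches(src_ip: str) -> bool:
    """ACL 1 as a source filter: permit = match, deny = no match (assumed usage)."""
    return evaluate(parse_acls(ACL_CONFIG)[1], Packet(src_ip, "0.0.0.0", "ip")) == "permit"


if __name__ == "__main__":
    for name, verdict in check_public_interface().items():
        print(f"{name:28s} {verdict}")
    print("acl1 10.11.11.5:", acl1_matches("10.11.11.5"), " acl1 26.26.26.55:", acl1_matches("26.26.26.55"))
```

The two results worth noticing are the inbound ESP packet and the NAT-translated outbound HTTP flow: both fall through to the final deny ip any any entry, which is why the ACLs as printed need additional permit entries if the XSR is expected to pass decapsulated tunnel traffic or general Internet access through the interface ACL.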
VPN Sample Configuration with Network Extension Mode
XSR Getting Started Guide 3-31