Use Case 2: Configuring Site-to-Site VPN - Motorola RFS Series Reference Manual

Wireless LAN Switches WiNG CLI Reference Guide

5.1.8.2 Use Case 2: Configuring Site-to-Site VPN

In this scenario, two intranets that use unregistered addresses are connected over the
public Internet by a site-to-site VPN. NAT is required for connections to the public
Internet. However, NAT is not required for traffic between the two intranets, which can be
transmitted through a VPN tunnel over the public Internet.

The site-to-site VPN allows branch office mobility controllers to connect back to the
central office using a secure, encrypted tunnel for all site-to-site traffic. This allows a
wired LAN in the branch office to bridge directly to the central site while maintaining full
security.

This example requires two switches. It can be configured with the following commands:
1. Configuration required on switch 1:
a. Create an extended ACL. The ACL identifies the traffic that uses the tunnel.
   RFSwitch(config)#access-list 150 permit ip 12.1.1.0/24 13.1.1.0/24 rule-precedence
b. Create and configure ISAKMP parameters.
   RFSwitch(config)#crypto isakmp keepalive 10
   RFSwitch(config)#crypto isakmp key SYMBOLAD address 15.1.1.20
   RFSwitch(config)#crypto ipsec security-association lifetime kilobytes 4608000
c. Create and configure an ISAKMP policy.
   RFSwitch(config)#crypto isakmp policy 199
   RFSwitch(config-crypto-isakmp)#encryption aes
   RFSwitch(config-crypto-isakmp)#hash sha
   RFSwitch(config-crypto-isakmp)#authentication pre-share
   RFSwitch(config-crypto-isakmp)#group 5
   RFSwitch(config-crypto-isakmp)#lifetime 9496
d. Create and configure an IPSec transform set.
   RFSwitch(config)#crypto ipsec transform-set TFSET ah-sha-hmac esp-aes
   RFSwitch(config-crypto-ipsec)#mode tunnel
e. Create and configure a crypto map.
   RFSwitch(config)#crypto map THIRDMAP 435 isakmp
Global Configuration Commands
5-35
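
An added example, not from the manual: a short Python check that reads the ISAKMP and IPSec commands from steps b to d and reports settings a reviewer would question before deployment. The sample configuration is constructed from the commands above, and the thresholds MIN_PSK_LEN and MIN_DH_GROUP are assumed local policy values, not values from the manual; confirm in the CLI reference which groups and transforms the switch supports.

```python
import re

# Constructed input: the switch 1 commands from this use case, prompts removed
# and wrapped lines joined.
SAMPLE_CONFIG = """\
crypto isakmp keepalive 10
crypto isakmp key SYMBOLAD address 15.1.1.20
crypto isakmp policy 199
 encryption aes
 hash sha
 authentication pre-share
 group 5
 lifetime 9496
crypto ipsec transform-set TFSET ah-sha-hmac esp-aes
 mode tunnel
"""

# Assumptions: local review thresholds, not values from the manual.
MIN_PSK_LEN = 20    # shortest pre-shared key the reviewer accepts
MIN_DH_GROUP = 14   # lowest Diffie-Hellman group the reviewer accepts

PROMPT = re.compile(r"^\S+\(config[^)]*\)#")  # e.g. "RFSwitch(config)#"


def audit(config):
    """Return a list of review findings for ISAKMP/IPSec lines in config."""
    findings = []
    policy = None  # number of the ISAKMP policy whose sub-commands follow
    for raw in config.splitlines():
        line = PROMPT.sub("", raw.strip()).strip()
        if line.startswith("crypto "):
            m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
            policy = m.group(1) if m else None
        if m := re.fullmatch(r"crypto isakmp key (\S+) address (\S+)", line):
            if len(m.group(1)) < MIN_PSK_LEN:  # report the length, never the key
                findings.append(f"peer {m.group(2)}: pre-shared key has "
                                f"{len(m.group(1))} characters, minimum {MIN_PSK_LEN}")
        elif policy and (m := re.fullmatch(r"group (\d+)", line)):
            if int(m.group(1)) < MIN_DH_GROUP:
                findings.append(f"policy {policy}: DH group {m.group(1)} "
                                f"is below group {MIN_DH_GROUP}")
        elif m := re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", line):
            if any(t.startswith("ah-") for t in m.group(2).split()):
                findings.append(f"transform-set {m.group(1)}: AH is enabled and "
                                "breaks if NAT sits between the peers")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The function also accepts lines copied with their `RFSwitch(config)#` prompts, so a pasted terminal session can be checked without editing.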


This manual is also suitable for: RFS7000, RFS6000, RFS4000