
Global Configuration Mode Command Set Command Reference Guide
152 © 2003 ADTRAN, Inc. 61950860L1-35D
(config)#crypto ike policy 10
(config-ike)#no local-id
(config-ike)#peer 192.168.1.2
(config-ike)#initiate aggressive
(config-ike)#respond anymode
(config-ike)#attribute 10
(config-ike-attribute)#encryption 3des
(config-ike-attribute)#hash sha
(config-ike-attribute)#authentication pre-share
(config-ike-attribute)#group 1
(config-ike-attribute)#lifetime 900
Step 5:
Define the remote-id settings. The crypto ike remote-id command is used to define the remote-id for a peer connecting to the system, specify the preshared-key associated with the specific remote-id, and (optionally) determine that the peer matching this remote-id should not use mode config (by using the no-mode-config keyword). See crypto ike remote-id on page 154 for more information.
(config)#crypto ike remote-id address 192.168.1.2 preshared-key mysecret123
Step 6:
Define the transform-set. A transform-set defines the encryption and/or authentication algorithms to be used to secure the data transmitted over the VPN tunnel. Multiple transform-sets may be defined in a system. Once a transform-set is defined, many different crypto maps within the system can reference it. In this example, a transform-set named highly_secure has been created. This transform-set defines ESP with Authentication implemented using 3DES encryption and SHA1 authentication.
(config)#crypto ipsec transform-set highly_secure esp-3des esp-sha-hmac
(cfg-crypto-trans)#mode tunnel
Step 7:
Define an ip-access list. An Extended Access Control List is used to specify which traffic needs to be sent
securely over the VPN tunnel. The entries in the list are defined with respect to the local system. The source
IP address will be the source of the traffic to be encrypted. The destination IP address will be the receiver of
the data on the other side of the VPN tunnel.
(config)#ip access-list extended corporate_traffic
(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log
(config-ext-nacl)#deny ip any any
Step 8:
Create crypto map. A Crypto Map is used to define a set of encryption schemes to be used for a given
interface. A crypto map entry has a unique index within the crypto map set. The crypto map entry will specify
whether IKE is used to generate encryption keys or if manually specified keys will be used. The crypto map
entry will also specify who will be terminating the VPN tunnel, as well as which transform-set or sets will be
used to encrypt and/or authenticate the traffic on that VPN tunnel. It also specifies the lifetime of all created
IPSec Security Associations.
(config)#crypto map corporate_vpn 1 ipsec-ike
(config-crypto-map)#match address corporate_traffic
(config-crypto-map)#set peer 192.168.1.2
(config-crypto-map)#set transform-set highly_secure
(config-crypto-map)#set security-association lifetime kilobytes 8000
(config-crypto-map)#set security-association lifetime seconds 86400
(config-crypto-map)#no set pfs
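Before a configuration built from Steps 4 to 8 is deployed, a reviewer normally checks the negotiated IKE and IPSec parameters (mode, DH group, cipher, PFS) against current guidance. The Python below is an added example, not ADTRAN's code or anything from this guide: it parses a pasted CLI session in the prompt-prefixed form used above and lists the settings worth a second look. The session text is an abridged copy of the steps above, constructed for the example, and the notes attached to each finding are the example's own.

```python
import re

# Constructed sample: an abridged copy of the CLI session from Steps 4 to 8,
# in the "(mode)#command" form the guide prints.
CLI_SESSION = """\
(config)#crypto ike policy 10
(config-ike)#peer 192.168.1.2
(config-ike)#initiate aggressive
(config-ike)#attribute 10
(config-ike-attribute)#encryption 3des
(config-ike-attribute)#hash sha
(config-ike-attribute)#authentication pre-share
(config-ike-attribute)#group 1
(config)#crypto ipsec transform-set highly_secure esp-3des esp-sha-hmac
(config)#crypto map corporate_vpn 1 ipsec-ike
(config-crypto-map)#set peer 192.168.1.2
(config-crypto-map)#no set pfs
"""

# "(mode)#command args": the CLI mode the command was entered in, then its text.
LINE_RE = re.compile(r"^\((?P<mode>[\w-]+)\)#(?P<cmd>.+)$")

def parse_session(text):
    """Group the tokenised commands by CLI mode, in the order they were entered."""
    by_mode = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            by_mode.setdefault(m["mode"], []).append(m["cmd"].split())
    return by_mode

def audit_ike(by_mode):
    """Return (setting, value, note) tuples for the parameters a reviewer checks
    before deployment: IKE exchange mode, DH group, cipher and PFS."""
    ike = by_mode.get("config-ike", [])
    attrs = by_mode.get("config-ike-attribute", [])
    cmap = by_mode.get("config-crypto-map", [])
    findings = []
    if ["initiate", "aggressive"] in ike and ["authentication", "pre-share"] in attrs:
        findings.append(("ike-mode", "aggressive+pre-share",
                         "identities and the PSK-based hash travel unencrypted; prefer main mode"))
    for cmd in attrs:
        if cmd[:2] == ["encryption", "3des"]:
            findings.append(("encryption", "3des", "deprecated by NIST SP 800-131A"))
        if cmd[:2] == ["group", "1"]:
            findings.append(("dh-group", "1", "768-bit MODP; too small for current use"))
    if ["no", "set", "pfs"] in cmap:
        findings.append(("pfs", "off", "IPSec keys derive from the IKE SA alone; enable set pfs"))
    return findings
```

Feeding the script a session with main mode, a larger DH group, an AES transform and `set pfs` returns an empty list, which is the state to aim for.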
Technology Review (Continued)