История страницы

1

Create a VTI tunnel and switch to its configuration mode.

esr(config)# tunnel vti <TUN>

<TUN> – device tunnel name.

2

Specify the local IP address of the VTI tunnel.

esr(config-vti)#local address <ADDR>

<ADDR> – IP address of a local gateway.

3

Specify the remote IP address of the VTI tunnel.

esr(config-vti)#remote address <ADDR>

<ADDR> – IP address of a remote gateway.

4

Specify the IP address of the VTI tunnel local side.

esr(config-vti)# ip address <ADDR/LEN>

<ADDR/LEN> – IP address and prefix of a subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].

5

Include the VTI tunnel in a security zone and configure interaction rules between zones or disable firewall for VTI tunnel.

esr(config-vti)# security-zone<NAME>

<NAME> – security zone name, set by the string of up to 12 characters.

esr(config-vti)# ip firewall disable

6

Enable the tunnel.

esr(config-vti)#enable

7

Create an IKE profile and switch to its configuration mode.

esr(config)# security ike proposal <NAME>

<NAME> – IKE protocol name, set by the string of up to 31 characters.

8

Specify the description of the configured IKE profile (optional).

esr(config-ike-proposal)# description<DESCRIPTION>

<DESCRIPTION> – tunnel description, set by the string of up to 255 characters.

9

Specify IKE authentication algorithm (optional).

esr(config-ike-proposal)# authentication algorithm <ALGORITHM>

<ALGORITHM> – authentication algorithm, takes values of: md5, sha1, sha2-256, sha2‑384, sha2-512.

Default value: sha1.

10

Specify IKE encryption algorithm (optional).

esr(config-ike-proposal)# encryption algorithm <ALGORITHM>

<ALGORITHM> – encryption protocol, takes the following values: des, 3des, blowfish128, blowfish192, blowfish256, aes128, aes192, aes256, aes128ctr, aes192ctr, aes256ctr, camellia128, camellia192, camellia256.

Default value: 3des.

11

Define Diffie-Hellman group number (optional).

esr(config-ike-proposal)# dh-group <DH-GROUP>

<DH-GROUP> – Diffie-Hellman group number, takes values of [1, 2, 5, 14, 15, 16, 17, 18].

Default value: 1.

12

Specify IKE authentication mode (optional)

esr(config-ike-proposal)# authentication method <METHOD>

<METHOD> – key authentication method. May take the following values:

• pre-shared-key – authentication method using pre-received encryption keys;
• rsa-public-key – authentication method using RSA certificate.

Default value: pre-shared-key.

13

Create an IKE policy and switch to its configuration mode.

esr(config)# security ike policy <NAME>

<NAME> – IKE policy name, set by the string of up to 31 characters.

14

Specify the lifetime of IKE protocol connection (optional).

esr(config-ike-proposal)# lifetime seconds <SEC>

<SEC> – time interval, takes values of [4..86400] seconds.

Default value: 3600.

15

Bind IKE profile to IKE policy.

esr(config-ike-policy)# proposal <NAME>

<NAME> – IKE protocol name, set by the string of up to 31 characters.

16

Specify authentication key (mandatory if pre-shared-key is selected as authentication mode)

esr(config-ike-policy)# pre-shared-key ascii-text<TEXT>

<TEXT> –  string [1..64] ASCII characters.

17

Create an IKE gateway and switch to its configuration mode.

esr(config)# security ike gateway <NAME>

<NAME> – IKE protocol gateway name, set by the string of up to 31 characters.

18

Bind IKE policy to IKE gateway.

esr(config-ike-gw)# ike-policy <NAME>

<NAME> – IKE protocol policy name, set by the string of up to 31 characters.

19

Specify IKE version (optional).

esr(config-ike-gw)# version <VERSION>

<version> – IKE protocol version: v1-only or v2-only.

Default value: v1-only.

20

Set the route-based mode.

esr(config-ike-gw)# mode route-based

21

Specify the action for

DPD (optional).

esr(config-ike-gw)# dead-peer-detection action <MODE>

<MODE> – DPD operation mode:

• restart – connection restarts;
• clear – conection stops;
• hold – connection holds;
• none – the mechanism is disabled, no action is taken.

Default value: none.

22

Specify the interval between sending messages via DPD mechanism (optional).

esr(config-ike-gw)# dead-peer-detection interval <SEC>

<SEC> – interval between sending messages via DPD mechanism, takes values of [1..180] seconds.

Default value: 2.

23

Specify the time period of response to DPD mechanism messages (optional).

esr(config-ike-gw)# dead-peer-detection timeout <SEC>

<SEC> –  time interval of response to DPD mechanism messages, takes values of [1..180] seconds.

Default value: 30 seconds.

24

Bind VTI tunnel to IKE gateway.

esr(config-ike-gw)# bind-interface vti <VTI>

<VTI> – VTI ID.

25

Create IPsec profile.

esr(config)# security ipsec proposal <NAME>

<NAME> – IPsec protocol profile name, set by the string of up to 31 characters.

26

Specify IPsec authentication algorithm (optional).

esr(config-ipsec-proposal)# authentication algorithm <ALGORITHM>

<ALGORITHM> – authentication algorithm, takes values of: md5, sha1, sha2-256, sha2‑384, sha2-512.

Default value: sha1.

27

Specify IPsec encryption algorithm (route).

esr(config-ipsec-proposal)# encryption algorithm <ALGORITHM>

<ALGORITHM> – encryption protocol, takes the following values: des, 3des, blowfish128, blowfish192, blowfish256, aes128, aes192, aes256, aes128ctr, aes192ctr, aes256ctr, camellia128, camellia192, camellia256.

Default value: 3des.

28

Specify encapsulation protocol for IPsec (optional).

esr(config-ipsec-proposal)# protocol <PROTOCOL>

<PROTOCOL> – encapsulation protocol, takes the following values:

Default value: esp.

29

Create an IPsec policy and switch to its configuration mode.

esr(config)# security ipsec policy <NAME>

<NAME> – IPsec policy name, set by the string of up to 31 characters.

30

Bind IPsec profile to IPsec policy.

esr(config-ipsec-policy)# proposal <NAME>

<NAME> – IPsec protocol profile name, set by the string of up to 31 characters.

31

Specify the lifetime of IPsec tunnel (optional).

esr(config-ipsec- policy)# lifetime { seconds <SEC> |
packets <PACKETS> | kilobytes <KB> }

<SEC> – IPsec tunnel lifetime after which the re-approval is carried out. Takes values in the range of [1140..86400] seconds.

<PACKETS> – number of packets after transmitting of which the IPsec tunnel re-approval is carried out. Takes values in the range of [4..86400].

<KB> – traffic amount after transmitting of which the IPsec tunnel re-approval is carried out. Takes values in the range of [4..86400] seconds.

Default value: 28800 seconds.

32

Create IPsec VPN policy and switch to its configuration mode.

esr(config)# security ipsec vpn <NAME>

<NAME> – VPN name, set by the string of up to 31 characters.

33

Define the matching mode of data required for VPN enabling.

esr(config-ipsec-vpn)# mode <MODE>

<MODE> – VPN operation mode.

34

Bind IPsec policy to IPsec VPN.

esr(config-ipsec-vpn)# ike ipsec-policy <NAME>

<NAME> – IPsec policy name, set by the string of up to 31 characters.

35

Set the DSCP value for the use in IP headers of IKE outgoing packets (optional).

esr(config-ipsec-vpn)# ike dscp <DSCP>

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value: 63.

36

Set VPN activation mode.

esr(config-ipsec-vpn)# ike establish-tunnel <MODE>

<MODE> – VPN activation mode:

• by-request – connection is enabled by an opposing party;
• route – connection is enabled when there is traffic routed to the tunnel;
• immediate – tunnel is enabled automatically after applying the configuration.

37

Bind IKE gateway to IPsec VPN.

esr(config-ipsec-vpn)# ike gateway <NAME>

<NAME> – IKE gateway name, set by the string of up to 31 characters.

38

Set the time interval value in seconds after which the connection is closed, if no packet has been received or sent via SA (optional).

esr(config-ipsec-vpn)# ike idle-time <TIME>

<TIME> – interval in seconds, takes values of [4..86400].

39

Disable key re-approval before the IKE connection is lost due to the timeout, the number of transmitted packets or bytes (optional).

esr(config-ipsec-vpn)# ike rekey disable

40

Configure the start of IKE connection keys re-approval before the expiration of the lifetime (optional).

esr(config-ipsec-vpn)# ike rekey margin { seconds <SEC> |
packets <PACKETS> | kilobytes <KB> }

<SEC> – time interval in seconds remaining before the connection release (set by the lifetimeseconds command,  see 22.2.13). Takes values in the range of [4..86400].

<PACKETS> – number of packets remaining before the connection release (set by the lifetimepackets command). Takes values in the range of [4..86400].

<KB> – traffic volume in kilobytes remaining before the connection release (set by the lifetimekilobytes command). Takes values in the range of [4..86400].

Default value:

• Keys re-approval before the expire of time – 540 seconds before.
• Keys re-approval before the expire of traffic volume and amount of packets – disabled.

41

Set the level of margin seconds, margin packets, margin kilobytes values random spread (optional).

esr(config-ipsec-vpn)# ike rekey randomization <VALUE>

<VALUE> – maximum ratio of values spread, takes values of [1..100].

Default value: 100%

42

Specify the description for IPsec-VPN (optional).

esr(config-ipsec-vpn)# description <DESCRIPTION>

<DESCRIPTION> – profile description, set by the string of up to 255 characters.

43

Enable IPsec VPN.

esr(config-ipsec-vpn)# enable

1

Create LT tunnels for each of existing VRF.

esr(config)# tunnel lt <ID>

<ID> – tunnel identifier, set in the range of [1..128].

2

Specify the description of the configured tunnels (optional).

esr(config-lt)# description <DESCRIPTION>

<DESCRIPTION> – tunnel description, set by the string of up to 255 characters.

3

Include each LT tunnel in the corresponding VFR.

esr(config-lt)# ip vrf forwarding <VRF>

<VRF> – VRF name, set by the string of up to 31 characters.

4

Include each LT tunnel in a security zone and configure interaction rules between zones or disable firewall for LT tunnel.

esr(config-lt)# security-zone<NAME>

<NAME> – security zone name, set by the string of up to 12 characters.

esr(config-lt)# ip firewall disable

5

For each LT tunnel, set the opposite LT tunnel number (in another VRF).

esr(config-lt)# peer lt <ID>

<ID> – tunnel identifier, set in the range of [1..128].

6

For each LT tunnel, specify IP address for packets routing. For interacting LT tunnels, IP addresses should locate in one IP subnet.

esr(config-lt)# ip address <ADDR/LEN>

<ADDR/LEN> – IP address and prefix of a subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].

7

Enable the tunnels.

esr(config-lt)# enable

8

For each VRF configure required routing protocols via LT tunnel.

9

Specify the time interval during which the statistics on the tunnel load is averaged (optional).

esr(config-lt)# load-average <TIME>

<TIME> – interval in seconds, takes values of [5..150].

Default value: 5.

10

Specify the size of MTU packets that can be passed by the bridge (optional; possible if only VLAN is included in the bridge).
MTU above 1500 will be active only when using the 'system jumbo-frames' command.

esr(config-lt)# mtu <MTU>

<MTU> – MTU value, takes values in the range of:

• for ESR-10/12V(F)/14VF/15 and WLC-15 – [1280..9600];
• for ESR-20/21/30 and WLC-30 – [1280..9500];
• for ESR-100/200/1000/1200/1500/1511/1700/3100/3200 and WLC-3200 – [1280..10000].

Default value: 1500.