
...

GRE (Generic Routing Encapsulation) is a network packet tunneling protocol. Its main purpose is to encapsulate packets of the OSI network layer into IP packets. GRE may be used to establish a VPN at layer 3 of the OSI model. ESR routers and WLC controllers implement static, unmanaged GRE tunnels, i.e. tunnels are created manually via configuration on the local and remote hosts. The tunnel parameters on each side must match; otherwise the transferred data will not be decapsulated by the peer.

Configuration algorithm

Step

Description

Command

Keys

1

Configure L3 interface from which a GRE tunnel will be built.



2

Create a GRE tunnel and switch to its configuration mode.

esr(config)# tunnel gre <INDEX>

<INDEX> – tunnel identifier, set in the range of:

  • for ESR-10/12V(F)/14VF/15 and WLC-15 – [1..10];
  • for ESR-20/21/30/100/200 and WLC-30 – [1..250];
  • for ESR-1000/1200/1500/1511/1700/3100/3200 and WLC-3200 – [1..500].

3

Specify VRF instance, in which the given GRE tunnel will operate (optional).

esr(config-gre)# ip vrf forwarding <VRF>

<VRF> – VRF name, set by the string of up to 31 characters.

4

Specify the description of the configured tunnel (optional).

esr(config-gre)# description <DESCRIPTION>

<DESCRIPTION> – tunnel description, set by the string of up to 255 characters.

5

Set local IP address for tunnel installation.

esr(config-gre)# local address <ADDR>

<ADDR> – gateway IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

esr(config-gre)# local interface <IF>

<IF> – interface whose IP address is used for the tunnel establishment.

6

Set remote IP address for tunnel installation.

esr(config-gre)# remote address <ADDR>

<ADDR> – gateway IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

7

Specify the GRE tunnel encapsulation mode.

esr(config-gre)# mode <MODE>

<MODE> – GRE tunnel encapsulation mode:

  • ip – encapsulation of IP in GRE;
  • ethernet – encapsulation of Ethernet frames in GRE.

Default value: ip

8

Set the IP address of a tunnel local side (only in ip mode).

esr(config-gre)# ip address <ADDR/LEN>

<ADDR/LEN> – IP address and prefix of a subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].

Up to 8 IP addresses can be specified separated by commas.

For advanced IPv4 addressing features see section IP addressing configuration.

9

Assign the broadcast domain for encapsulation in the tunnel’s GRE packets (only in ethernet mode).

esr(config-gre)# bridge-group <BRIDGE-ID>

<BRIDGE-ID> – bridge identification number, takes values in the range of:

  • for ESR-10/12V(F)/14VF/15 and WLC-15 – [1..50];
  • for ESR-20/21/30/100/200 and WLC-30 – [1..250];
  • for ESR-1000/1200/1500/1511/1700/3100/3200 and WLC-3200 – [1..500].

10

Include the GRE tunnel in a security zone and configure interaction rules between zones or disable firewall (see section Firewall configuration).

esr(config-gre)# security-zone <NAME>

<NAME> – security zone name, set by the string of up to 12 characters.

esr(config-gre)# ip firewall disable

         

       

11

Specify the MTU (Maximum Transmission Unit) size for the tunnel (optional).
MTU above 1500 will be active only when using the 'system jumbo-frames' command.

esr(config-gre)# mtu <MTU>

<MTU> – MTU value, takes values in the range of:

  • for ESR-10/12V(F)/14VF/15 and WLC-15 – [1280..9600];
  • for ESR-20/21/30 and WLC-30 – [1280..9500];
  • for ESR-100/200/1000/1200/1500/1511/1700/3100/3200 and WLC-3200 – [1280..10000].

Default value: 1500.

12

Specify the TTL lifetime for tunnel packets (optional).

esr(config-gre)# ttl <TTL>

<TTL> – TTL value, takes values in the range of [1..255].

Default value: Inherited from encapsulated packet.

13

Specify DSCP for the use in IP header of encapsulated packet (optional).

esr(config-gre)# dscp <DSCP>

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value: inherited from encapsulated packet.

14

Enable transmission of a key in the GRE tunnel header (according to RFC 2890) and set the key value. Must be configured on both tunnel sides (optional).

esr(config-gre)# key <KEY>

<KEY> – KEY value, takes values in the range of [1..2000000].

Default value: key is not transmitted.

15

Enable checksum calculation and its insertion into the GRE header of outgoing packets. Checksum verification must also be enabled on the remote side (optional).

esr(config-gre)# local checksum


16

Enable verification of the presence and correctness of the checksum in the headers of received GRE packets. Checksum calculation must also be enabled on the remote side (optional).

esr(config-gre)# remote checksum


17

Enable the check for tunnel remote gateway availability (optional).

esr(config-gre)# keepalive enable


18

Change the timeout for keepalive packets from the peer (optional).

esr(config-gre)# keepalive timeout <TIME>

<TIME> – time in seconds, takes values of [1..32767].

Default value: 10.

19

Change the number of attempts to check the availability of a tunnel remote gateway (optional).

esr(config-gre)# keepalive retries <VALUE>

<VALUE> – number of attempts, takes values in the range of [1..255].

Default value: 5.

20

Specify the IP address for the keepalive mechanism (mandatory in ethernet mode).

esr(config-gre)# keepalive dst-address <ADDR>

<ADDR> – IP address used to check GRE tunnel availability.

21

Change the time interval over which the tunnel load statistics are averaged (optional).

esr(config-gre)# load-average <TIME>

<TIME> – interval in seconds, takes values of [5..150].

Default value: 5.

22

Enable sending an SNMP trap when the tunnel is enabled or disabled.

esr(config-gre)# snmp init-trap


23

Enable re-requesting of IP addresses via DHCP on the specified interfaces when the GRE tunnel is brought down by the keepalive mechanism (optional).

esr(config-gre)# keepalive dhcp dependent-interface <IF>

<IF> – physical/logical interface on which IP address obtaining via DHCP is enabled.

24

Specify the time interval between the GRE tunnel going down and the re-request of IP addresses on the interface(s) specified by the keepalive dhcp dependent-interface command (optional).

esr(config-gre)# keepalive dhcp link-timeout <SEC>

<SEC> – time interval in seconds between the GRE tunnel going down and the DHCP re-request of IP addresses on the interfaces.

25

Override the MSS (Maximum segment size) field in incoming TCP packets (optional).

esr(config-gre)# ip tcp adjust-mss <MSS>

<MSS> – MSS value, takes values in the range of [500..1460].

Default value: 1460.

26

Enable recording of the current tunnel usage statistics (optional).

esr(config-gre)# history statistics


27

Enable the tunnel.

esr(config-gre)# enable
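As an added illustration of steps 2 and 5 through 19 (constructed for this page; not the page's own configuration example, which is elided), the following configures a point-to-point IP-GRE tunnel between two routers R1 and R2 with a key, checksums and keepalive on both sides. The WAN addresses 203.0.113.1 and 198.51.100.1, the tunnel subnet 10.255.0.0/30, the security zone trusted (assumed to exist already), the hostnames, the key value and the exit command are assumptions; lines starting with ! are commentary, not commands.

```text
! R1: WAN address 203.0.113.1 in zone untrusted, LAN in zone trusted
esr-r1(config)# tunnel gre 1
esr-r1(config-gre)# description to-R2
esr-r1(config-gre)# local address 203.0.113.1
esr-r1(config-gre)# remote address 198.51.100.1
esr-r1(config-gre)# mode ip
esr-r1(config-gre)# ip address 10.255.0.1/30
esr-r1(config-gre)# security-zone trusted
esr-r1(config-gre)# key 65001
esr-r1(config-gre)# local checksum
esr-r1(config-gre)# remote checksum
esr-r1(config-gre)# keepalive enable
esr-r1(config-gre)# keepalive timeout 10
esr-r1(config-gre)# keepalive retries 3
esr-r1(config-gre)# mtu 1400
esr-r1(config-gre)# ip tcp adjust-mss 1360
esr-r1(config-gre)# enable
esr-r1(config-gre)# exit

! R2: mirror image of R1; key, mode, checksum and keepalive settings must match,
! otherwise R2 silently drops what R1 sends (and vice versa)
esr-r2(config)# tunnel gre 1
esr-r2(config-gre)# description to-R1
esr-r2(config-gre)# local address 198.51.100.1
esr-r2(config-gre)# remote address 203.0.113.1
esr-r2(config-gre)# mode ip
esr-r2(config-gre)# ip address 10.255.0.2/30
esr-r2(config-gre)# security-zone trusted
esr-r2(config-gre)# key 65001
esr-r2(config-gre)# local checksum
esr-r2(config-gre)# remote checksum
esr-r2(config-gre)# keepalive enable
esr-r2(config-gre)# keepalive timeout 10
esr-r2(config-gre)# keepalive retries 3
esr-r2(config-gre)# mtu 1400
esr-r2(config-gre)# ip tcp adjust-mss 1360
esr-r2(config-gre)# enable
esr-r2(config-gre)# exit
```

The key is carried in clear text in the GRE header and, like the checksum, only lets the peer reject packets that do not match the configured tunnel; GRE provides no encryption or authentication, so run it over IPsec (see the route-based IPsec VPN section) when confidentiality is required, and permit GRE (IP protocol 47) from the WAN zone in the firewall.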


It is also possible to configure the GRE tunnel:

IP-GRE tunnel configuration example

...

Pre-configure the interfaces on the router devices for WAN connectivity and allow reception of GRE packets from the security zone in which the WAN-connected interfaces operate.

...

Create a route to the partner's local area network on the router/controller, specifying the previously created GRE tunnel as the destination interface.

...

To establish such a connection, clients (NHC) send their internal (tunnel) address and external (NBMA) address to the NHRP server (NHS) over an encrypted IPsec tunnel. When a client wants to connect to another NHC, it asks the server for that client's external address. Having received the server's response, the client can establish a connection to the remote branch on its own.

Configuration algorithm

Step

Description

Command

Keys

1

Check the availability of 'external' IP addresses located on physical interfaces.

 


2

Prepare IPsec tunnels for use with dynamic GRE tunnels.

 

See section Policy-based IPsec VPN configuration.

2

Create a GRE tunnel and switch to its configuration mode.

esr(config)# tunnel gre <INDEX>

<INDEX> – tunnel identifier.

3

Switch the GRE tunnel to multipoint mode.

esr(config-gre)# multipoint


4

Set a plaintext password for NHRP packets (optional).

esr(config-gre)# ip nhrp authentication <WORD>

<WORD> – unencrypted password, a string of [1..8] characters from the set [0-9a-fA-F].

5

Specify the time during which a record about this client will exist on the NHS (optional).

esr(config-gre)# ip nhrp holding-time <TIME>

<TIME> – the time in seconds during which a record about this client will exist on the server, takes values of [1..65535].

Default value: 7200

6

Set the logical (tunnel) address of the NHRP server.

esr(config-gre)# ip nhrp nhs <ADDR> [ no-registration ]

<ADDR/LEN> – address, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32];

  • no-registration — do not register on the NHRP server.

7

Map the internal (tunnel) address to the external (NBMA) address.

esr(config-gre)# ip nhrp map <ADDR> <ADDR>

<ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

8

Define the destination of multicast traffic.

esr(config-gre)# ip nhrp multicast { dynamic | nhs | <ADDR> }

  • dynamic — send to all peers with which there is a connection;
  • nhs — send to all static configured servers;

<ADDR> – send to specifically configured server, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

9

Enable sending of NHRP Traffic Indication packets. Configured on the NHS (optional).

esr(config-gre)# ip nhrp redirect


10

Enable creation of shortcut routes. Configured on the NHC (optional).

esr(config-gre)# ip nhrp shortcut


11

Map IPsec-VPN to the mGRE tunnel (optional).

esr(config-gre)# ip nhrp ipsec <WORD> { static | dynamic }

<WORD> – VPN name, set by the string of up to 31 characters.

  • static — static connection, used for connection to NHS;
  • dynamic — dynamically established connection, configured for communication between NHC.

12

Enable group attribute transmission (optional).

esr(config-gre)# ip nhrp attribute group <WORD>


13

Enable NHRP.

esr(config-gre)# ip nhrp enable

14

Organize IP connectivity using the dynamic routing protocol.



Other settings are the same as for the static GRE tunnel (see section GRE tunnel configuration).
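As an added hub-and-spoke example (constructed for this page, not the page's own "Configuration example 1"), the following applies steps 2 through 10, 13 and the common GRE settings to one NHS and one NHC. The addresses 203.0.113.1 and 198.51.100.1, the tunnel subnet 10.254.0.0/24, the zone trusted (assumed to exist), the hostnames, the authentication string and the exit command are assumptions; step 11 (ip nhrp ipsec) is omitted because its VPN names come from the separately configured policy-based IPsec section; lines starting with ! are commentary.

```text
! Hub (NHS): WAN 203.0.113.1, tunnel address 10.254.0.1/24
! No remote address: in multipoint mode peers are learned through NHRP registration
esr-hub(config)# tunnel gre 1
esr-hub(config-gre)# multipoint
esr-hub(config-gre)# local address 203.0.113.1
esr-hub(config-gre)# ip address 10.254.0.1/24
esr-hub(config-gre)# security-zone trusted
esr-hub(config-gre)# ip nhrp authentication c0ffee42
esr-hub(config-gre)# ip nhrp multicast dynamic
esr-hub(config-gre)# ip nhrp redirect
esr-hub(config-gre)# ip nhrp enable
esr-hub(config-gre)# enable
esr-hub(config-gre)# exit

! Spoke (NHC): WAN 198.51.100.1, registers with the hub every 600 s
! and is allowed to build spoke-to-spoke shortcuts after a Traffic Indication
esr-spoke(config)# tunnel gre 1
esr-spoke(config-gre)# multipoint
esr-spoke(config-gre)# local address 198.51.100.1
esr-spoke(config-gre)# ip address 10.254.0.2/24
esr-spoke(config-gre)# security-zone trusted
esr-spoke(config-gre)# ip nhrp authentication c0ffee42
esr-spoke(config-gre)# ip nhrp holding-time 600
esr-spoke(config-gre)# ip nhrp nhs 10.254.0.1
esr-spoke(config-gre)# ip nhrp map 10.254.0.1 203.0.113.1
esr-spoke(config-gre)# ip nhrp multicast nhs
esr-spoke(config-gre)# ip nhrp shortcut
esr-spoke(config-gre)# ip nhrp enable
esr-spoke(config-gre)# enable
esr-spoke(config-gre)# exit
```

The NHRP authentication string travels unencrypted and only rejects registrations that do not carry it; the IPsec binding of step 11 is what actually protects the tunnel traffic and must be added on both sides before the mGRE cloud is exposed to the WAN.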

Configuration example 1

Objective:

...

L2TPv3 (Layer 2 Tunnelling Protocol Version 3) is a protocol for tunneling OSI layer 2 packets between two IP nodes. IP or UDP is used as the encapsulation protocol. L2TPv3 may be used as an alternative to MPLS P2P L2VPN (VLL) for building an L2 VPN. ESR routers and WLC controllers implement static, unmanaged L2TPv3 tunnels, i.e. tunnels are created manually via configuration on the local and remote hosts. The tunnel parameters on each side must match; otherwise the transferred data will not be decapsulated by the peer.

Configuration algorithm

Step

Description

Command

Keys

1

Configure the L3 interface from which an L2TPv3 tunnel will be built.

 


2

Create an L2TPv3 tunnel and switch to its configuration mode.

esr(config)# tunnel l2tpv3 <INDEX>

<INDEX> – tunnel identifier, set in the range of:

  • for ESR-10/12V(F)/14VF/15 and WLC-15 – [1..10];
  • for ESR-20/21/30/100/200 and WLC-30 – [1..250];
  • for ESR-1000/1200/1500/1511/1700/3100/3200 and WLC-3200 – [1..500].

3

Specify the description of the configured tunnel (optional).

esr(config-l2tpv3)# description <DESCRIPTION>

<DESCRIPTION> – tunnel description, set by the string of up to 255 characters.

4

Set local IP address for tunnel installation.

esr(config-l2tpv3)# local address <ADDR>

<ADDR> – gateway IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

5

Set remote IP address for tunnel installation.

esr(config-l2tpv3)# remote address <ADDR>

<ADDR> – gateway IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

6

Select encapsulation method for L2TPv3 tunnel.

esr(config-l2tpv3)# protocol <TYPE>

<TYPE> – encapsulation type, possible values:

  • ip – encapsulation in an IP packet;
  • udp – encapsulation in UDP datagrams.

7

Set local session identifier.

esr(config-l2tpv3)# local session-id <SESSION-ID>

<SESSION-ID> – session identifier, takes values in the range of [1..200000].

8

Set remote session identifier.

esr(config-l2tpv3)# remote session-id <SESSION-ID>

<SESSION-ID> – session identifier, takes values in the range of [1..200000].

9

Define local UDP port (if UDP was selected as encapsulation method).

esr(config-l2tpv3)# local port <UDP>

<UDP> – UDP port number in the range of [1..65535].

10

Define remote UDP port (if UDP was selected as encapsulation method).

esr(config-l2tpv3)# remote port <UDP>

<UDP> – UDP port number in the range of [1..65535].

11

Assign the broadcast domain for encapsulation in the tunnel’s L2TPv3 packets.

esr(config-l2tpv3)# bridge-group <BRIDGE-ID>

<BRIDGE-ID> – bridge identification number, takes values in the range of:

  • for ESR-10/12V(F)/14VF/15 and WLC-15 – [1..50];
  • for ESR-20/21/30/100/200 and WLC-30 – [1..250];
  • for ESR-1000/1200/1500/1511/1700/3100/3200 and WLC-3200 – [1..500].

12

Enable the tunnel.

esr(config-l2tpv3)# enable


13

Specify the MTU (Maximum Transmission Unit) size for the tunnel (optional).
MTU above 1500 will be active only when using the 'system jumbo-frames' command.

esr(config-l2tpv3)# mtu <MTU>

<MTU> – MTU value, takes values in the range of:

  • for ESR-10/12V(F)/14VF/15 and WLC-15 – [1280..9600];
  • for ESR-20/21/30 and WLC-30 – [1280..9500];
  • for ESR-100/200/1000/1200/1500/1511/1700/3100/3200 and WLC-3200 – [1280..10000].

Default value: 1500.

14

Define the local cookie value used to verify that transmitted data belongs to the session (optional).

esr(config-l2tpv3)# local cookie <COOKIE>

<COOKIE> – COOKIE value, the parameter takes values of 8 or 16 characters in hexadecimal form.

15

Define the remote cookie value used to verify that transmitted data belongs to the session (optional).

esr(config-l2tpv3)# remote cookie <COOKIE>

<COOKIE> – COOKIE value, the parameter takes values of 8 or 16 characters in hexadecimal form.

16

Specify the time interval over which the tunnel load statistics are averaged (optional).

esr(config-l2tpv3)# load-average <TIME>

<TIME> – interval in seconds, takes values of [5..150].

Default value: 5.

17

Enable recording of the current tunnel usage statistics (optional).

esr(config-l2tpv3)# history statistics
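As an added two-sided example (constructed for this page; not the page's own L2TPv3 configuration example, which is elided), the following walks steps 2 through 15 for a UDP-encapsulated L2TPv3 tunnel that extends bridge 10 between two routers. The addresses 203.0.113.1 and 198.51.100.1, bridge 10 (assumed to exist on both routers), the session identifiers, the cookie values, the hostnames and the exit command are assumptions; lines starting with ! are commentary.

```text
! R1: WAN 203.0.113.1; session-ids, ports and cookies are cross-wired with R2
esr-r1(config)# tunnel l2tpv3 1
esr-r1(config-l2tpv3)# description to-R2
esr-r1(config-l2tpv3)# local address 203.0.113.1
esr-r1(config-l2tpv3)# remote address 198.51.100.1
esr-r1(config-l2tpv3)# protocol udp
esr-r1(config-l2tpv3)# local session-id 1001
esr-r1(config-l2tpv3)# remote session-id 2001
esr-r1(config-l2tpv3)# local port 519
esr-r1(config-l2tpv3)# remote port 519
esr-r1(config-l2tpv3)# local cookie 0123456789abcdef
esr-r1(config-l2tpv3)# remote cookie fedcba9876543210
esr-r1(config-l2tpv3)# bridge-group 10
esr-r1(config-l2tpv3)# mtu 1400
esr-r1(config-l2tpv3)# enable
esr-r1(config-l2tpv3)# exit

! R2: R1's local session-id/cookie become R2's remote ones and vice versa;
! a packet whose session-id or cookie does not match is dropped on receipt
esr-r2(config)# tunnel l2tpv3 1
esr-r2(config-l2tpv3)# description to-R1
esr-r2(config-l2tpv3)# local address 198.51.100.1
esr-r2(config-l2tpv3)# remote address 203.0.113.1
esr-r2(config-l2tpv3)# protocol udp
esr-r2(config-l2tpv3)# local session-id 2001
esr-r2(config-l2tpv3)# remote session-id 1001
esr-r2(config-l2tpv3)# local port 519
esr-r2(config-l2tpv3)# remote port 519
esr-r2(config-l2tpv3)# local cookie fedcba9876543210
esr-r2(config-l2tpv3)# remote cookie 0123456789abcdef
esr-r2(config-l2tpv3)# bridge-group 10
esr-r2(config-l2tpv3)# mtu 1400
esr-r2(config-l2tpv3)# enable
esr-r2(config-l2tpv3)# exit
```

Use random 16-character (64-bit) cookies rather than the readable constructed values above: the cookie is the only check against misdirected or blindly injected packets entering the bridged segment, and it is not encryption, so carry the tunnel over IPsec where the path is untrusted; the firewall must also admit inbound UDP port 519 as the note below states.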


It is also possible to configure the L2TPv3 tunnel:

L2TPv3 tunnel configuration example

...

Assign the L2TPv3 tunnel to the bridge that should be mapped to the remote office network (for bridge configuration, see section Configuration example of bridge for VLAN and L2TPv3 tunnel):

...

Assign the sub-interface to the bridge that should be mapped to the LAN (for bridge configuration, see section Configuration of PPP via E1):

...

Note

In addition to tunnel creation, enable UDP inbound traffic in the firewall with source port 519 and destination port 519.


IPsec VPN configuration

IPsec is a set of protocols that provide security for data transferred over IP. It provides peer identity verification (authentication), IP packet integrity checking and encryption, and includes protocols for secure key exchange over the Internet.

Route-based IPsec VPN configuration algorithm

Step

Description

Command

Keys

1

Create a VTI tunnel and switch to its configuration mode.

esr(config)# tunnel vti <TUN>

<TUN> – device tunnel name.

2

Specify the local IP address of the VTI tunnel.

esr(config-vti)# local address <ADDR>

<ADDR> – IP address of a local gateway.

3

Specify the remote IP address of the VTI tunnel.

esr(config-vti)# remote address <ADDR>

<ADDR> – IP address of a remote gateway.

4

Specify the IP address of the VTI tunnel local side.

esr(config-vti)# ip address <ADDR/LEN>

<ADDR/LEN> – IP address and prefix of a subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].

5

Include the VTI tunnel in a security zone and configure interaction rules between zones or disable firewall for VTI tunnel.

esr(config-vti)# security-zone <NAME>

<NAME> – security zone name, set by the string of up to 12 characters.

esr(config-vti)# ip firewall disable

6

Enable the tunnel.

esr(config-vti)# enable


7

Create an IKE profile and switch to its configuration mode.

esr(config)# security ike proposal <NAME>

<NAME> – IKE protocol name, set by the string of up to 31 characters.

8

Specify the description of the configured IKE profile (optional).

esr(config-ike-proposal)# description <DESCRIPTION>

<DESCRIPTION> – IKE profile description, set by the string of up to 255 characters.

9

Specify IKE authentication algorithm (optional).

esr(config-ike-proposal)# authentication algorithm <ALGORITHM>

<ALGORITHM> – authentication algorithm, takes values of: md5, sha1, sha2-256, sha2-384, sha2-512.

Default value: sha1.

10

Specify IKE encryption algorithm (optional).

esr(config-ike-proposal)# encryption algorithm <ALGORITHM>

<ALGORITHM> – encryption algorithm, takes the following values: des, 3des, blowfish128, blowfish192, blowfish256, aes128, aes192, aes256, aes128ctr, aes192ctr, aes256ctr, camellia128, camellia192, camellia256.

Default value: 3des.

11

Define Diffie-Hellman group number (optional).

esr(config-ike-proposal)# dh-group <DH-GROUP>

<DH-GROUP> – Diffie-Hellman group number, takes values of [1, 2, 5, 14, 15, 16, 17, 18].

Default value: 1.

12

Specify IKE authentication mode (optional).

esr(config-ike-proposal)# authentication method <METHOD>

<METHOD> – key authentication method. May take the following values:

  • pre-shared-key – authentication using a pre-shared key;
  • rsa-public-key – authentication method using RSA certificate.

Default value: pre-shared-key.

13

Create an IKE policy and switch to its configuration mode.

esr(config)# security ike policy <NAME>

<NAME> – IKE policy name, set by the string of up to 31 characters.

14

Specify the lifetime of IKE protocol connection (optional).

esr(config-ike-policy)# lifetime seconds <SEC>

<SEC> – time interval, takes values of [4..86400] seconds.

Default value: 3600.

15

Bind IKE profile to IKE policy.

esr(config-ike-policy)# proposal <NAME>

<NAME> – IKE protocol name, set by the string of up to 31 characters.

16

Specify the authentication key (mandatory if pre-shared-key is selected as the authentication mode).

esr(config-ike-policy)# pre-shared-key ascii-text <TEXT>

<TEXT> – string of [1..64] ASCII characters.

17

Create an IKE gateway and switch to its configuration mode.

esr(config)# security ike gateway <NAME>

<NAME> – IKE protocol gateway name, set by the string of up to 31 characters.

18

Bind IKE policy to IKE gateway.

esr(config-ike-gw)# ike-policy <NAME>

<NAME> – IKE protocol policy name, set by the string of up to 31 characters.

19

Specify IKE version (optional).

esr(config-ike-gw)# version <VERSION>

<VERSION> – IKE protocol version: v1-only or v2-only.

Default value: v1-only.

20

Set the route-based mode.

esr(config-ike-gw)# mode route-based


21

Specify the action for DPD (optional).

esr(config-ike-gw)# dead-peer-detection action <MODE>

<MODE> – DPD operation mode:

  • restart – connection restarts;
  • clear – connection stops;
  • hold – connection holds;
  • none – the mechanism is disabled, no action is taken.

Default value: none.

22

Specify the interval between sending messages via DPD mechanism (optional).

esr(config-ike-gw)# dead-peer-detection interval <SEC>

<SEC> – interval between sending messages via DPD mechanism, takes values of [1..180] seconds.

Default value: 2.

23

Specify the time period of response to DPD mechanism messages (optional).

esr(config-ike-gw)# dead-peer-detection timeout <SEC>

<SEC> – time interval for responding to DPD mechanism messages, takes values of [1..180] seconds.

Default value: 30 seconds.

24

Bind VTI tunnel to IKE gateway.

esr(config-ike-gw)# bind-interface vti <VTI>

<VTI> – VTI tunnel identifier.

25

Create IPsec profile.

esr(config)# security ipsec proposal <NAME>

<NAME> – IPsec protocol profile name, set by the string of up to 31 characters.

26

Specify IPsec authentication algorithm (optional).

esr(config-ipsec-proposal)# authentication algorithm <ALGORITHM>

<ALGORITHM> – authentication algorithm, takes values of: md5, sha1, sha2-256, sha2-384, sha2-512.

Default value: sha1.

27

Specify IPsec encryption algorithm (route).

esr(config-ipsec-proposal)# encryption algorithm <ALGORITHM>

<ALGORITHM> – encryption algorithm, takes the following values: des, 3des, blowfish128, blowfish192, blowfish256, aes128, aes192, aes256, aes128ctr, aes192ctr, aes256ctr, camellia128, camellia192, camellia256.

Default value: 3des.

28

Specify encapsulation protocol for IPsec (optional).

esr(config-ipsec-proposal)# protocol <PROTOCOL>

<PROTOCOL> – encapsulation protocol, takes the following values:

Default value: esp.

29

Create an IPsec policy and switch to its configuration mode.

esr(config)# security ipsec policy <NAME>

<NAME> – IPsec policy name, set by the string of up to 31 characters.

30

Bind IPsec profile to IPsec policy.

esr(config-ipsec-policy)# proposal <NAME>

<NAME> – IPsec protocol profile name, set by the string of up to 31 characters.

31

Specify the lifetime of IPsec tunnel (optional).

esr(config-ipsec-policy)# lifetime { seconds <SEC> | packets <PACKETS> | kilobytes <KB> }

<SEC> – IPsec tunnel lifetime after which renegotiation (rekeying) is carried out. Takes values in the range of [1140..86400] seconds.

<PACKETS> – number of packets after which the IPsec tunnel is renegotiated. Takes values in the range of [4..86400].

<KB> – traffic amount after which the IPsec tunnel is renegotiated. Takes values in the range of [4..86400] seconds.

Default value: 28800 seconds.

32

Create IPsec VPN policy and switch to its configuration mode.

esr(config)# security ipsec vpn <NAME>

<NAME> – VPN name, set by the string of up to 31 characters.

33

Define the matching mode of data required for VPN enabling.

esr(config-ipsec-vpn)# mode <MODE>

<MODE> – VPN operation mode.

34

Bind IPsec policy to IPsec VPN.

esr(config-ipsec-vpn)# ike ipsec-policy <NAME>

<NAME> – IPsec policy name, set by the string of up to 31 characters.

35

Set the DSCP value for the use in IP headers of IKE outgoing packets (optional).

esr(config-ipsec-vpn)# ike dscp <DSCP>

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value: 63.

36

Set VPN activation mode.

esr(config-ipsec-vpn)# ike establish-tunnel <MODE>

<MODE> – VPN activation mode:

  • by-request – connection is initiated by the peer;
  • route – connection is enabled when there is traffic routed to the tunnel;
  • immediate – tunnel is enabled automatically after applying the configuration.

37

Bind IKE gateway to IPsec VPN.

esr(config-ipsec-vpn)# ike gateway <NAME>

<NAME> – IKE gateway name, set by the string of up to 31 characters.

38

Set the time interval value in seconds after which the connection is closed, if no packet has been received or sent via SA (optional).

esr(config-ipsec-vpn)# ike idle-time <TIME>

<TIME> – interval in seconds, takes values of [4..86400].

39

Disable rekeying before the IKE connection expires due to the timeout or the number of transmitted packets or bytes (optional).

esr(config-ipsec-vpn)# ike rekey disable


40

Configure how far before the lifetime expires the IKE connection rekeying starts (optional).

esr(config-ipsec-vpn)# ike rekey margin { seconds <SEC> | packets <PACKETS> | kilobytes <KB> }

<SEC> – time interval in seconds remaining before the connection release (set by the lifetime seconds command, see 22.2.13). Takes values in the range of [4..86400].

<PACKETS> – number of packets remaining before the connection release (set by the lifetime packets command). Takes values in the range of [4..86400].

<KB> – traffic volume in kilobytes remaining before the connection release (set by the lifetime kilobytes command). Takes values in the range of [4..86400].

Default value:

  • Rekeying before the lifetime expires – 540 seconds before.
  • Rekeying before the traffic volume and packet count limits expire – disabled.

41

Set the random spread applied to the margin seconds, margin packets and margin kilobytes values (optional).

esr(config-ipsec-vpn)# ike rekey randomization <VALUE>

<VALUE> – maximum ratio of values spread, takes values of [1..100].

Default value: 100%

42

Specify the description for IPsec-VPN (optional).

esr(config-ipsec-vpn)# description <DESCRIPTION>

<DESCRIPTION> – profile description, set by the string of up to 255 characters.

43

Enable IPsec VPN.

esr(config-ipsec-vpn)# enable
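As an added example (constructed for this page; not the page's own route-based example, which is elided), the R1 side of a route-based IPsec VPN to a peer at 198.51.100.1, following steps 1 through 43 but choosing aes256, sha2-256, dh-group 14 and IKEv2 instead of the 3des, sha1, dh-group 1 and v1-only defaults listed in the table. The addresses, object names, the zone trusted (assumed to exist), the hostname, the value ike for mode in step 33 and the exit command are assumptions; <PSK-PLACEHOLDER> stands for a long random pre-shared key; lines starting with ! are commentary.

```text
! Step 1-6: VTI tunnel whose routes decide which traffic is protected
esr-r1(config)# tunnel vti 1
esr-r1(config-vti)# local address 203.0.113.1
esr-r1(config-vti)# remote address 198.51.100.1
esr-r1(config-vti)# ip address 10.255.1.1/30
esr-r1(config-vti)# security-zone trusted
esr-r1(config-vti)# enable
esr-r1(config-vti)# exit

! Step 7-12: IKE proposal with the weak defaults replaced
esr-r1(config)# security ike proposal ike_prop1
esr-r1(config-ike-proposal)# authentication algorithm sha2-256
esr-r1(config-ike-proposal)# encryption algorithm aes256
esr-r1(config-ike-proposal)# dh-group 14
esr-r1(config-ike-proposal)# authentication method pre-shared-key
esr-r1(config-ike-proposal)# exit

! Step 13-16: IKE policy; the PSK must be identical on R2
esr-r1(config)# security ike policy ike_pol1
esr-r1(config-ike-policy)# lifetime seconds 28800
esr-r1(config-ike-policy)# proposal ike_prop1
esr-r1(config-ike-policy)# pre-shared-key ascii-text <PSK-PLACEHOLDER>
esr-r1(config-ike-policy)# exit

! Step 17-24: IKE gateway bound to the VTI, with DPD restarting a dead SA
esr-r1(config)# security ike gateway ike_gw1
esr-r1(config-ike-gw)# ike-policy ike_pol1
esr-r1(config-ike-gw)# version v2-only
esr-r1(config-ike-gw)# mode route-based
esr-r1(config-ike-gw)# dead-peer-detection action restart
esr-r1(config-ike-gw)# dead-peer-detection interval 10
esr-r1(config-ike-gw)# dead-peer-detection timeout 30
esr-r1(config-ike-gw)# bind-interface vti 1
esr-r1(config-ike-gw)# exit

! Step 25-31: IPsec proposal and policy (ESP, one-hour SA lifetime)
esr-r1(config)# security ipsec proposal ipsec_prop1
esr-r1(config-ipsec-proposal)# authentication algorithm sha2-256
esr-r1(config-ipsec-proposal)# encryption algorithm aes256
esr-r1(config-ipsec-proposal)# protocol esp
esr-r1(config-ipsec-proposal)# exit
esr-r1(config)# security ipsec policy ipsec_pol1
esr-r1(config-ipsec-policy)# proposal ipsec_prop1
esr-r1(config-ipsec-policy)# lifetime seconds 3600
esr-r1(config-ipsec-policy)# exit

! Step 32-43: VPN object tying gateway and policy together; brought up by routed traffic
esr-r1(config)# security ipsec vpn vpn_to_r2
esr-r1(config-ipsec-vpn)# mode ike
esr-r1(config-ipsec-vpn)# ike ipsec-policy ipsec_pol1
esr-r1(config-ipsec-vpn)# ike establish-tunnel route
esr-r1(config-ipsec-vpn)# ike gateway ike_gw1
esr-r1(config-ipsec-vpn)# enable
esr-r1(config-ipsec-vpn)# exit
```

R2 mirrors this with the two WAN addresses swapped and VTI address 10.255.1.2/30; a route to the remote LAN via tunnel vti 1 and firewall rules admitting IKE (UDP 500 and 4500) and ESP from the WAN zone complete the setup.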



Route-based IPsec VPN configuration example

...

Policy-based IPsec VPN configuration algorithm

Step

Description

Command

Keys

1

Create an IKE instance and switch to its configuration mode.

esr(config)# security ike proposal <NAME>

<NAME> – IKE protocol name, set by the string of up to 31 characters.

2

Specify the description of the configured IKE profile (optional).

esr(config-ike-proposal)# description <DESCRIPTION>

<DESCRIPTION> – IKE profile description, set by the string of up to 255 characters.

3

Specify IKE authentication algorithm.

esr(config-ike-proposal)# authentication algorithm <ALGORITHM>

<ALGORITHM> – authentication algorithm, takes values of: md5, sha1, sha2-256, sha2-384, sha2-512.

4

Specify IKE encryption algorithm.

esr(config-ike-proposal)# encryption algorithm <ALGORITHM>

<ALGORITHM> – encryption algorithm, takes the following values: des, 3des, blowfish128, blowfish192, blowfish256, aes128, aes192, aes256, aes128ctr, aes192ctr, aes256ctr, camellia128, camellia192, camellia256.

5

Define Diffie-Hellman group number.

esr(config-ike-proposal)# dh-group <DH-GROUP>

<DH-GROUP> – Diffie-Hellman group number, takes values of [1, 2, 5, 14, 15, 16, 17, 18].

6

Specify the authentication mode.

esr(config-ike-proposal)# authentication method <METHOD>

<METHOD> – key authentication method. May take the following values:

  • pre-shared-key – authentication using a pre-shared key;
  • rsa-public-key – authentication method using RSA certificate.

7

Create an IKE policy and switch to its configuration mode.

esr(config)# security ike policy <NAME>

<NAME> – IKE policy name, set by the string of up to 31 characters.

8

Specify the lifetime of IKE protocol connection (optional).

esr(config-ike-policy)# lifetime seconds <SEC>

<SEC> – time interval, takes values of [4..86400] seconds.

9

Bind the IKE profile to the IKE policy.

esr(config-ike-policy)# proposal <NAME>

<NAME> – IKE protocol name, set by the string of up to 31 characters.

10

Specify authentication key.

esr(config-ike-policy)# pre-shared-key ascii-text <TEXT>

<TEXT> – string of [1..64] ASCII characters.

11

Create an IKE gateway and switch to its configuration mode.

esr(config)# security ike gateway <NAME>

<NAME> – IKE protocol gateway name, set by the string of up to 31 characters.

12

Bind IKE policy.

esr(config-ike-gw)# ike-policy <NAME>

<NAME> – IKE protocol policy name, set by the string of up to 31 characters.

13

Specify IKE version (optional).

esr(config-ike-gw)# version <VERSION>

<VERSION> – IKE protocol version: v1-only or v2-only.

14

Set the mode of traffic redirection into the tunnel.

esr(config-ike-gw)# mode <MODE>

<MODE> – mode of traffic redirection into the tunnel, takes the following values:

  • policy-based — traffic is redirected based on the subnets specified in the policies;
  • route-based — traffic is redirected based on routes whose gateway is a tunnel interface.

15

Specify the action for DPD (optional).

esr(config-ike-gw)# dead-peer-detection action <MODE>

<MODE> – DPD operation mode:

  • restart – connection restarts;
  • clear – connection stops;
  • hold – connection holds;
  • none – the mechanism is disabled, no action is taken.

16

Specify the interval between sending messages via DPD mechanism (optional).

esr(config-ike-gw)# dead-peer-detection interval <SEC>

<SEC> – interval between sending messages via DPD mechanism, takes values of [1..180] seconds.

17

Specify the time period of response to DPD mechanism messages (optional).

esr(config-ike-gw)# dead-peer-detection timeout <SEC>

<SEC> – time interval for responding to DPD mechanism messages, takes values of [1..180] seconds.

18

Specify IKE version (optional).

esr(config-ike-gw)# version <VERSION>

<VERSION> – IKE protocol version: v1-only or v2-only.

19

Set the sender's IP subnet and, optionally, protocol and port.

esr(config-ike-gw)# local network <ADDR/LEN> [ protocol { <TYPE> | <ID> } [ port <PORT> ] ]

<ADDR/LEN> – subnet IP address and mask of a sender. The parameter is defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].

<TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre;

<ID> – IP protocol identification number, takes values of [0x00-0xFF];

<PORT> – TCP/UDP port, takes values of [1..65535].

20

Specify the IP address of IPsec tunnel local gateway.

esr(config-ike-gw)# local address <ADDR>

<ADDR> – IP address of a local gateway.

21

Specify the IP address of IPsec tunnel remote gateway.

esr(config-ike-gw)# remote address <ADDR>

<ADDR> – IP address of a remote gateway.

22

Set the recipient's IP subnet and, optionally, protocol and port.

esr(config-ike-gw)# remote network <ADDR/LEN> [ protocol { <TYPE> | <ID> } [ port <PORT> ] ]

<ADDR/LEN> – subnet IP address and mask of a recipient. The parameter is defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].

<TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre;

<ID> – IP protocol identification number, takes values of [0x00-0xFF];

<PORT> – TCP/UDP port, takes values of [1..65535].

23

Create IPsec profile.

esr(config)# security ipsec proposal <NAME>

<NAME> – IPsec protocol profile name, set by the string of up to 31 characters.

24

Specify IPsec authentication algorithm.

esr(config-ipsec-proposal)# authentication algorithm <ALGORITHM>

<ALGORITHM> – authentication algorithm, takes values of: md5, sha1, sha2-256, sha2-384, sha2-512.

25

Specify IPsec encryption algorithm.

esr(config-ipsec-proposal)# encryption algorithm <ALGORITHM>

<ALGORITHM> – encryption algorithm, takes the following values: des, 3des, blowfish128, blowfish192, blowfish256, aes128, aes192, aes256, aes128ctr, aes192ctr, aes256ctr, camellia128, camellia192, camellia256.

26

Specify protocol (optional).

esr(config-ipsec-proposal)# protocol <PROTOCOL>

<PROTOCOL> – encapsulation protocol, takes the following values:

27

Create an IPsec policy and switch to its configuration mode.

esr(config)# security ipsec policy <NAME>

<NAME> – IPsec policy name, set by the string of up to 31 characters.

28

Bind the IPsec profile to the IPsec policy.

esr(config-ipsec-policy)# proposal <NAME>

<NAME> – IPsec protocol profile name, set by the string of up to 31 characters.

29

Specify the lifetime of IPsec tunnel (optional).

esr(config-ipsec-policy)# lifetime { seconds <SEC> |
packets <PACKETS> | kilobytes <KB> }

<SEC> – IPsec tunnel lifetime after which the re-approval is carried out. Takes values in the range of [1140..86400] seconds.

<PACKETS> – number of packets after transmitting of which the IPsec tunnel re-approval is carried out. Takes values in the range of [4..86400].

<KB> – traffic amount in kilobytes after transmitting of which the IPsec tunnel re-approval is carried out. Takes values in the range of [4..86400].

30

Create IPsec VPN policy and switch to its configuration mode.

esr(config)# security ipsec vpn <NAME>

<NAME> – VPN name, set by the string of up to 31 characters.

31

Define the matching mode of data required for VPN enabling.

esr(config-ipsec-vpn)# mode <MODE>

<MODE> – VPN operation mode, takes the following values: ike, manual.

32

Bind IPsec policy to VPN.

esr(config-ipsec-vpn)# ike ipsec-policy <NAME>

<NAME> – IPsec policy name, set by the string of up to 31 characters.

33

Set the DSCP value for the use in IP headers of IKE outgoing packets (optional).

esr(config-ipsec-vpn)# ike dscp <DSCP>

<DSCP> – DSCP code value, takes values in the range of [0..63].

34

Set VPN activation mode.

esr(config-ipsec-vpn)# ike establish-tunnel <MODE>

<MODE> – VPN activation mode:

  • by-request – connection is enabled by an opposing party;
  • route – connection is enabled when there is traffic routed to the tunnel;
  • immediate – tunnel is enabled automatically after applying the configuration.

35

Bind IKE gateway to VPN.

esr(config-ipsec-vpn)# ike gateway <NAME>

<NAME> – IKE gateway name, set by the string of up to 31 characters.

36

Set the interval in seconds after which the connection is closed if no packet has been received or sent via the SA (optional).

esr(config-ipsec-vpn)# ike idle-time <TIME>

<TIME> – interval in seconds, takes values of [4..86400].

37

Disable key re-approval before the IKE connection is lost due to the timeout, the number of transmitted packets or bytes (optional).

esr(config-ipsec-vpn)# ike rekey disable


38

Configure the start of IKE connection keys re-approval before the expiration of the lifetime (optional).

esr(config-ipsec-vpn)# ike rekey margin { seconds <SEC> | packets <PACKETS> | kilobytes <KB> }

<SEC> – time interval in seconds remaining before the connection release (set by the lifetime seconds command). Takes values in the range of [4..86400].

<PACKETS> – number of packets remaining before the connection release (set by the lifetime packets command). Takes values in the range of [4..86400].

<KB> – traffic volume in kilobytes remaining before the connection release (set by the lifetime kilobytes command). Takes values in the range of [4..86400].

39

Set the random spread level for the margin seconds, margin packets and margin kilobytes values (optional).

esr(config-ipsec-vpn)# ike rekey randomization <VALUE>

<VALUE> – maximum ratio of values spread, takes values of [1..100].

40

Describe VPN (optional).

esr(config-ipsec-vpn)# description <DESCRIPTION>

<DESCRIPTION> – profile description, set by the string of up to 255 characters.

41

Enable IPsec VPN.

esr(config-ipsec-vpn)# enable


Policy-based IPsec VPN configuration example

...

R2 IP address – 203.0.113.1.

IKE:

  • Diffie-Hellman group: 2;
  • encryption algorithm: AES 128 bit;
  • authentication algorithm: MD5.

...

An additional feature of RA IPsec VPN is the ability to use the second IPsec authentication factor – Extended Authentication (XAUTH), where the second authentication factor is the login-password pair for the IPsec VPN client.

Step

Description

Command

Keys

1

Create an IKE instance and switch to its configuration mode.

esr(config)# security ike proposal <NAME>

<NAME> – IKE protocol name, set by the string of up to 31 characters.

2

Specify the description of the configured tunnel (optional).

esr(config-ike-proposal)# description <DESCRIPTION>

<DESCRIPTION> – tunnel description, set by the string of up to 255 characters.

3

Specify IKE authentication algorithm (optional).

esr(config-ike-proposal)# authentication algorithm <ALGORITHM>

<ALGORITHM> – authentication algorithm, takes values of: md5, sha1, sha2-256, sha2‑384, sha2-512.
Default value: sha1

4

Specify the IP address of the VTI tunnel local side (optional).

esr(config-vti)# ip address <ADDR/LEN>

<ADDR/LEN> – IP address and prefix of a subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..31].

5

Define Diffie-Hellman group number (optional).

esr(config-ike-proposal)# dh-group <DH-GROUP>

<DH-GROUP> – Diffie-Hellman group number, takes values of [1, 2, 5, 14, 15, 16, 17, 18].

Default value: 1

6

Create an IKE profile policy and switch to its configuration mode.

esr(config)# security ike policy <NAME>

<NAME> – IKE policy name, set by the string of up to 31 characters.

7

Specify the authentication mode.

esr(config-ike-policy)# authentication method <METHOD>

<METHOD> – key authentication method. May take the following values:

  • xauth-psk-key – two-factor authentication method using a login-password pair and previously obtained encryption keys.

8

Set the client mode (only for client).

esr(config-ike-policy)# authentication mode client


9

Specify the lifetime of IKE protocol connection (optional).

esr(config-ike-policy)# lifetime seconds <SEC>

<SEC> – time interval, takes values of [4..86400] seconds.

Default value: 3600

10

Bind the policy to profile.

esr(config-ike-policy)# proposal <NAME>

<NAME> – IKE protocol name, set by the string of up to 31 characters.

11

Specify authentication key.

esr(config-ike-policy)# pre-shared-key ascii-text <TEXT>

<TEXT> – string of [1..64] ASCII characters.

12

Create an access profile.

esr(config)# access profile <NAME>

<NAME> – access profile name, set by the string of up to 31 characters.

13

Create user name.

esr(config-access-profile)# user <LOGIN>

<LOGIN> – login for client, set by the string of up to 31 characters.

14

Specify a password for a user.

esr(config-profile)# password ascii-text <TEXT>

<TEXT> – string of [8..32] ASCII characters.

15

Create a destination address pool (only for server).

esr(config)# address-assignment pool <NAME>

<NAME> – destination addresses pool name, set by the string of up to 31 characters.

16

Set the subnet from which IP clients will be issued (only for server).

esr(config-pool)# ip prefix <ADDR/LEN>

<ADDR/LEN> – address and prefix of the subnet.

17

Create an IKE gateway and switch to its configuration mode.

esr(config)# security ike gateway <NAME>

<NAME> – IKE protocol gateway name, set by the string of up to 31 characters.

18

Bind IKE policy.

esr(config-ike-gw)# ike-policy <NAME>

<NAME> – IKE protocol policy name, set by the string of up to 31 characters.

19

Set the mode of traffic redirection into the tunnel.

esr(config-ike-gw)# mode <MODE>

<MODE> – mode of traffic redirection into the tunnel, takes the following values:

  • policy-based — traffic is redirected based on the subnets specified in the policies.

20

Specify the action for DPD (optional).

esr(config-ike-gw)# dead-peer-detection action <MODE>

<MODE> – DPD operation mode:

  • restart – connection restarts;
  • clear – connection stops;
  • hold – connection holds;
  • none – the mechanism is disabled, no action is taken.

Default value: none

21

Specify the interval between sending messages via DPD mechanism (optional).

esr(config-ike-gw)# dead-peer-detection interval <SEC>

<SEC> – interval between sending messages via DPD mechanism, takes values of [1..180] seconds.

Default value: 2

22

Specify the time period of response to DPD mechanism messages (optional).

esr(config-ike-gw)# dead-peer-detection timeout <SEC>

<SEC> – time interval of response to DPD mechanism messages, takes values of [1..180] seconds.

Default value: 30

23

Specify IKE version (optional).

esr(config-ike-gw)# version <VERSION>

<VERSION> – IKE protocol version: v1-only or v2-only.

Default value: v1-only

24

Set the IP subnet of the source (only for server).

esr(config-ike-gw)# local network <ADDR/LEN> [ protocol { <TYPE> | <ID> } [ port <PORT> ] ]

<ADDR/LEN> – subnet IP address and mask of a sender. The parameter is defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].

<TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre;

<ID> – IP identification number, takes values of [0x00-0xFF];

<PORT> – TCP/UDP port, takes values of [1..65535].

25

Specify the IP address of IPsec tunnel local gateway.

esr(config-ike-gw)# local address <ADDR>

<ADDR> – IP address of a local gateway.

26

Specify the IP address of IPsec tunnel remote gateway.

esr(config-ike-gw)# remote address [ any | <ADDR/LEN> [ protocol { <TYPE> | <ID> } [ port <PORT> ] ] ]

any – any client address is accepted as the remote address (server configuration);

<ADDR/LEN> – IP address and subnet mask of the server (client configuration).

27

Set the pool for dynamic allocation of IP addresses to clients (only for server).

esr(config-ike-gw)# remote network dynamic pool <NAME>

<NAME> – destination addresses pool name, set by the string of up to 31 characters.

28

Set the dynamic establishment mode of the remote subnet (only for client).

esr(config-ike-gw)# remote network dynamic client


29

Set access profile for XAUTH parameters (only for server).

esr(config-ike-gw)# xauth access-profile <NAME>

<NAME> – access profile name, set by the string of up to 31 characters.

30

Set access profile and login for XAUTH parameters (only for client).

esr(config-ike-gw)# xauth access-profile <NAME> client <LOGIN>

<NAME> – access profile name, set by the string of up to 31 characters;

<LOGIN> – login for client, set by the string of up to 31 characters.

31

Define a dedicated IP termination interface for building IPsec VPN (only for client).

esr(config-ike-gw)# assign-interface loopback <INDEX>

<INDEX> – interface index, takes values of [1..65535].

32

Create IPsec profile.

esr(config)# security ipsec proposal <NAME>

<NAME> – IPsec protocol profile name, set by the string of up to 31 characters.

33

Specify IPsec authentication algorithm (optional).

esr(config-ipsec-proposal)# authentication algorithm <ALGORITHM>

<ALGORITHM> – authentication algorithm, takes values of: md5, sha1, sha2-256, sha2‑384, sha2-512.

Default value: sha1

34

Specify IPsec encryption algorithm (optional).

esr(config-ipsec-proposal)# encryption algorithm <ALGORITHM>

<ALGORITHM> – encryption protocol, takes the following values: des, 3des, blowfish128, blowfish192, blowfish256, aes128, aes192, aes256, aes128ctr, aes192ctr, aes256ctr, camellia128, camellia192, camellia256.

Default value: 3des

35

Specify protocol (optional).

esr(config-ipsec-proposal)# protocol <PROTOCOL>

<PROTOCOL> – encapsulation protocol, takes the following values:

  • ah – this protocol performs only traffic authentication, data encryption is not performed;
  • esp – this protocol authenticates and encrypts traffic.

Default value: esp

36

Create an IPsec profile policy and switch to its configuration mode.

esr(config)# security ipsec policy <NAME>

<NAME> – IPsec policy name, set by the string of up to 31 characters.

37

Bind the policy to profile.

esr(config-ipsec-policy)# proposal <NAME>

<NAME> – IPsec protocol profile name, set by the string of up to 31 characters.

38

Specify the lifetime of IPsec tunnel (optional).

esr(config-ipsec-policy)# lifetime { seconds <SEC> | packets <PACKETS> | kilobytes <KB> }

<SEC> – IPsec tunnel lifetime after which the re-approval is carried out.

Takes values in the range of [1140..86400] seconds.

Default value: 540

<PACKETS> – number of packets after transmitting of which the IPsec tunnel re-approval is carried out.

Takes values in the range of [4..86400].

Default value: disabled.

<KB> – traffic amount in kilobytes after transmitting of which the IPsec tunnel re-approval is carried out. Takes values in the range of [4..86400].

Default value: disabled.

39

Create IPsec VPN policy and switch to its configuration mode.

esr(config)# security ipsec vpn <NAME>

<NAME> – VPN name, set by the string of up to 31 characters.

40

Define the matching mode of data required for VPN enabling.

esr(config-ipsec-vpn)# mode <MODE>

<MODE> – VPN operation mode, takes the following values: ike, manual.

41

Bind IPsec policy to VPN.

esr(config-ipsec-vpn)# ike ipsec-policy <NAME>

<NAME> – IPsec policy name, set by the string of up to 31 characters.

42

Set the DSCP value for the use in IP headers of IKE outgoing packets (optional).

esr(config-ipsec-vpn)# ike dscp <DSCP>

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value: 63

43

Set VPN activation mode.

esr(config-ipsec-vpn)# ike establish-tunnel <MODE>

<MODE> – VPN activation mode:

  • by-request – the connection is activated by the opposite side; available for the server;
  • route – the connection is activated when traffic routed to the tunnel appears; available for the server;
  • immediate – the tunnel is enabled automatically after the configuration is applied; available for the client.

44

Bind IKE gateway to VPN.

esr(config-ipsec-vpn)# ike gateway <NAME>

<NAME> – IKE gateway name, set by the string of up to 31 characters.

45

Set the interval in seconds after which the connection is closed if no packet has been received or sent via the SA (optional).

esr(config-ipsec-vpn)# ike idle-time <TIME>

<TIME> – interval in seconds, takes values of [4..86400].

Default value: 0

46

Disable key re-approval before the IKE connection is lost due to the timeout, the number of transmitted packets or bytes (optional).

esr(config-ipsec-vpn)# ike rekey disable

Default value: disabled.

47

Configure the start of IKE connection keys re-approval before the expiration of the lifetime (optional).

esr(config-ipsec-vpn)# ike rekey margin { seconds <SEC> | packets <PACKETS> | kilobytes <KB> }

<SEC> – time interval in seconds remaining before the connection release (set by the lifetime seconds command). Takes values in the range of [4..86400].
Default value: 540

<PACKETS> – number of packets remaining before the connection release (set by the lifetime packets command). Takes values in the range of [4..86400].
Default value: disabled.

<KB> – traffic volume in kilobytes remaining before the connection release (set by the lifetime kilobytes command). Takes values in the range of [4..86400].
Default value: disabled.

48

Set the random spread level for the margin seconds, margin packets and margin kilobytes values (optional).

esr(config-ipsec-vpn)# ike rekey randomization <VALUE>

<VALUE> – maximum ratio of values spread, takes values of [1..100].

Default value: 100

49

Describe VPN (optional).

esr(config-ipsec-vpn)# description <DESCRIPTION>

<DESCRIPTION> – profile description, set by the string of up to 255 characters.

50

Enable IPsec VPN.

esr(config-ipsec-vpn)# enable


51

Enable XAUTH clients reconnection mode with one login/password (server only) (optional).

esr(config-ipsec-vpn)# security ike session uniqueids <MODE>

<MODE> – reconnect mode, may take the following values:

  • no – the established XAUTH connection is deleted if the initiator of a new XAUTH connection sends an «INITIAL_CONTACT» notification, and the previously used IP address is assigned to the new connection. Otherwise the established XAUTH connection is kept and a new IP address is assigned to the new XAUTH connection.
  • never – the established XAUTH connection is kept and a new IP address is assigned to the new XAUTH connection; the «INITIAL_CONTACT» notification is ignored in any case.
  • replace – the established XAUTH connection is deleted and the previously used IP address is reused for the new XAUTH connection.
  • keep – the established XAUTH connection is kept and the new XAUTH connection is rejected.
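Assembling the steps of the policy-based table (steps 23–41) and the Remote Access table above into a complete server and client configuration, as an added example that is not part of the Eltex documentation or firmware: the script below emits only the commands listed in those tables, in step order, rejects values outside the documented ranges (PSK and password length, lifetimes, DPD interval and timeout, loopback index, dh-group), and returns warnings for md5/sha1, des/3des/blowfish and DH groups 1/2/5, which a security review would flag. The profile names (ike-prop1, ike-pol1, xauth-users, ra-pool, ike-gw1, ipsec-prop1, ipsec-pol1, ra-vpn1), the addresses, the pre-shared key and the user credentials are constructed sample values; `exit` is assumed to be the command that leaves the current configuration mode, and the IKE proposal encryption algorithm is left at its default because no such command appears in the tables above.

```python
"""Added example (not Eltex's code): render and sanity-check an ESR Remote Access
IPsec VPN (XAUTH) server/client pair from the steps in the tables above. Names,
addresses, the PSK and the credentials are constructed sample values; 'exit' is
assumed to be the command that leaves the current configuration mode."""
from dataclasses import dataclass
from typing import List

WEAK_AUTH = {"md5", "sha1"}
WEAK_ENC = {"des", "3des", "blowfish128", "blowfish192", "blowfish256"}
WEAK_DH = {1, 2, 5}                        # small MODP groups
DH_GROUPS = {1, 2, 5, 14, 15, 16, 17, 18}  # dh-group values the table allows

@dataclass
class VpnParams:
    ike_auth: str = "sha2-256"          # IKE proposal authentication algorithm
    dh_group: int = 14
    ike_lifetime: int = 3600            # IKE policy lifetime seconds [4..86400]
    psk: str = "sample-psk-change-me"   # constructed; [1..64] ASCII characters
    login: str = "branch1"              # constructed XAUTH login
    password: str = "S4mplePassw0rd"    # constructed; [8..32] ASCII characters
    ipsec_auth: str = "sha2-256"        # IPsec proposal authentication algorithm
    ipsec_enc: str = "aes256"           # IPsec proposal encryption algorithm
    ipsec_lifetime: int = 3600          # IPsec policy lifetime seconds [1140..86400]
    dpd_interval: int = 2               # dead-peer-detection interval [1..180]
    dpd_timeout: int = 30               # dead-peer-detection timeout [1..180]
    server_addr: str = "203.0.113.10"   # constructed R1 (server) gateway address
    server_net: str = "192.0.2.0/24"    # constructed subnet behind the server
    client_addr: str = "198.51.100.20"  # constructed R2 (client) gateway address
    pool_net: str = "10.255.0.0/24"     # constructed pool handed out to clients
    loopback: int = 1                   # assign-interface loopback index [1..65535]

def validate(p: VpnParams) -> List[str]:
    """Raise ValueError for values the tables reject; return review warnings."""
    for value, lo, hi, what in ((len(p.psk), 1, 64, "pre-shared-key length"),
                                (len(p.password), 8, 32, "password length"),
                                (len(p.login), 1, 31, "login length"),
                                (p.ike_lifetime, 4, 86400, "ike lifetime seconds"),
                                (p.ipsec_lifetime, 1140, 86400, "ipsec lifetime seconds"),
                                (p.dpd_interval, 1, 180, "dead-peer-detection interval"),
                                (p.dpd_timeout, 1, 180, "dead-peer-detection timeout"),
                                (p.loopback, 1, 65535, "loopback index")):
        if not lo <= value <= hi:
            raise ValueError(f"{what}={value} is outside [{lo}..{hi}]")
    if p.dh_group not in DH_GROUPS:
        raise ValueError(f"dh-group {p.dh_group} is not one of {sorted(DH_GROUPS)}")
    warnings = []
    if p.dh_group in WEAK_DH:
        warnings.append(f"dh-group {p.dh_group} is a small MODP group; prefer 14 or higher")
    for alg in (p.ike_auth, p.ipsec_auth):
        if alg in WEAK_AUTH:
            warnings.append(f"authentication algorithm {alg} is weak; prefer sha2-256 or stronger")
    if p.ipsec_enc in WEAK_ENC:
        warnings.append(f"encryption algorithm {p.ipsec_enc} is weak; prefer aes128 or stronger")
    return warnings

def render(p: VpnParams, role: str) -> List[str]:
    """CLI lines for role 'server' (R1) or 'client' (R2), in table step order."""
    if role not in ("server", "client"):
        raise ValueError("role must be 'server' or 'client'")
    server = role == "server"
    lines = ["security ike proposal ike-prop1", f" authentication algorithm {p.ike_auth}",
             f" dh-group {p.dh_group}", "exit",   # IKE encryption left at default: not in the table
             "security ike policy ike-pol1", " authentication method xauth-psk-key"]
    if not server:
        lines.append(" authentication mode client")                # step 8, client only
    lines += [f" lifetime seconds {p.ike_lifetime}", " proposal ike-prop1",
              f" pre-shared-key ascii-text {p.psk}", "exit",
              "access profile xauth-users", f" user {p.login}",
              f"  password ascii-text {p.password}", " exit", "exit"]
    if server:                                                      # steps 15-16, server only
        lines += ["address-assignment pool ra-pool", f" ip prefix {p.pool_net}", "exit"]
    lines += ["security ike gateway ike-gw1", " ike-policy ike-pol1", " mode policy-based",
              " dead-peer-detection action restart",
              f" dead-peer-detection interval {p.dpd_interval}",
              f" dead-peer-detection timeout {p.dpd_timeout}",
              " version v1-only"]                                   # XAUTH exists only in IKEv1
    if server:
        lines += [f" local network {p.server_net}", f" local address {p.server_addr}",
                  " remote address any", " remote network dynamic pool ra-pool",
                  " xauth access-profile xauth-users"]
    else:
        lines += [f" local address {p.client_addr}", f" remote address {p.server_addr}/32",
                  " remote network dynamic client",
                  f" xauth access-profile xauth-users client {p.login}",
                  f" assign-interface loopback {p.loopback}"]
    lines += ["exit", "security ipsec proposal ipsec-prop1",
              f" authentication algorithm {p.ipsec_auth}", f" encryption algorithm {p.ipsec_enc}",
              " protocol esp", "exit", "security ipsec policy ipsec-pol1", " proposal ipsec-prop1",
              f" lifetime seconds {p.ipsec_lifetime}", "exit",
              "security ipsec vpn ra-vpn1", " mode ike", " ike ipsec-policy ipsec-pol1",
              " ike establish-tunnel " + ("by-request" if server else "immediate"),
              " ike gateway ike-gw1", " enable", "exit"]
    return lines

def build_pair(p: VpnParams) -> dict:
    """Validate once, then render both sides; warnings are returned, not fatal."""
    return {"warnings": validate(p), "server": render(p, "server"), "client": render(p, "client")}
```

`build_pair(VpnParams())["server"]` and `["client"]` give the two pasteable command lists: the server accepts `remote address any`, hands out addresses from the pool and waits for the client (`by-request`), while the client points `remote address` at the server's gateway address with a /32 mask, learns its network dynamically and brings the tunnel up `immediate`. Leaving `dh_group=1` or `ipsec_enc="3des"` (the table defaults) produces warnings rather than an error, so a reviewer sees exactly which documented default was kept.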

Remote Access IPsec VPN configuration example

...

Configure Remote Access IPsec VPN between R1 and R2 using the second IPsec authentication factor, XAUTH. Configure router device R1 as the IPsec VPN server, and router device R2 as the IPsec VPN client.

...

LT (Logical Tunnel) is a type of tunnel dedicated to transmitting routing information and traffic between different virtual routers (VRF) configured on the same device. LT tunnels can be used to organize interaction between two or more VRFs subject to firewall restrictions.

Configuration algorithm

Step

Description

Command

Keys

1

Create LT tunnels for each of existing VRF.

esr(config)# tunnel lt <ID>

<ID> – tunnel identifier, set in the range of [1..128].

2

Specify the description of the configured tunnels (optional).

esr(config-lt)# description <DESCRIPTION>

<DESCRIPTION> – tunnel description, set by the string of up to 255 characters.

3

Include each LT tunnel in the corresponding VRF.

esr(config-lt)# ip vrf forwarding <VRF>

<VRF> – VRF name, set by the string of up to 31 characters.

4

Include each LT tunnel in a security zone and configure interaction rules between zones, or disable the firewall for the LT tunnel.

esr(config-lt)# security-zone <NAME>

<NAME> – security zone name, set by the string of up to 12 characters.

esr(config-lt)# ip firewall disable


5

For each LT tunnel, set the opposite LT tunnel number (in another VRF).

esr(config-lt)# peer lt <ID>

<ID> – tunnel identifier, set in the range of [1..128].

6

For each LT tunnel, specify an IP address for packet routing. The IP addresses of interacting LT tunnels must belong to the same IP subnet.

esr(config-lt)# ip address <ADDR/LEN>

<ADDR/LEN> – IP address and prefix of a subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].

7

Enable the tunnels.

esr(config-lt)# enable


8

For each VRF configure required routing protocols via LT tunnel.



9

Specify the time interval over which the tunnel load statistics are averaged (optional).

esr(config-lt)# load-average <TIME>

<TIME> – interval in seconds, takes values of [5..150].

Default value: 5.

10

Specify the MTU of packets that can be passed by the bridge (optional; only possible if the bridge contains VLANs only).
An MTU above 1500 takes effect only when the 'system jumbo-frames' command is used.

esr(config-lt)# mtu <MTU>

<MTU> – MTU value, takes values in the range of:

  • for ESR-10/12V(F)/14VF/15 and WLC-15 – [1280..9600];
  • for ESR-20/21/30 and WLC-30 – [1280..9500];
  • for ESR-100/200/1000/1200/1500/1511/1700/3100/3200 and WLC-3200 – [1280..10000].

Default value: 1500.
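The pairing rules in steps 5 and 6 (each tunnel's `peer lt` points at the other, and both addresses share one subnet) are easy to get wrong when two VRFs are configured by hand. As an added example, not part of the Eltex documentation, the script below renders both ends of an LT pair from the commands in the table above and refuses to emit a pair that breaks those rules or the stated limits (tunnel ID in [1..128], VRF name up to 31 characters, security zone name up to 12 characters, prefix length in [1..32]). The VRF names `corp` and `dmz`, the zone names and the 10.254.0.0/30 link addresses are constructed sample values; `exit` is assumed to be the command that leaves the tunnel configuration mode.

```python
"""Added example (not Eltex's code): render both ends of an LT tunnel pair from
the commands in the table above and refuse pairs that break the stated rules.
VRF names, zone names and the link addresses are constructed sample values;
'exit' is assumed to be the command that leaves the tunnel configuration mode."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class LtEnd:
    lt_id: int   # tunnel lt <ID>, [1..128]
    vrf: str     # ip vrf forwarding <VRF>, up to 31 characters
    zone: str    # security-zone <NAME>, up to 12 characters
    addr: str    # ip address <ADDR/LEN>, prefix length [1..32]


def check_pair(a: LtEnd, b: LtEnd) -> None:
    """Raise ValueError if the two ends cannot form a working LT pair."""
    for end in (a, b):
        if not 1 <= end.lt_id <= 128:
            raise ValueError(f"lt {end.lt_id}: identifier outside [1..128]")
        if not 1 <= len(end.vrf) <= 31:
            raise ValueError(f"VRF name '{end.vrf}' must be 1..31 characters")
        if not 1 <= len(end.zone) <= 12:
            raise ValueError(f"security zone '{end.zone}' must be 1..12 characters")
    if a.lt_id == b.lt_id:
        raise ValueError("both ends use the same tunnel identifier")
    if a.vrf == b.vrf:
        raise ValueError("an LT pair links two different VRFs; both ends are in the same VRF")
    ia, ib = ipaddress.ip_interface(a.addr), ipaddress.ip_interface(b.addr)
    if ia.network.prefixlen < 1 or ib.network.prefixlen < 1:
        raise ValueError("prefix length must be in [1..32]")
    if ia.network != ib.network:
        raise ValueError(f"{a.addr} and {b.addr} are not in one IP subnet")
    if ia.ip == ib.ip:
        raise ValueError("both ends use the same IP address")


def render_end(this: LtEnd, peer: LtEnd, firewall: bool) -> List[str]:
    """Steps 1-7 for one end; 'firewall' selects a security zone or 'ip firewall disable'."""
    return [f"tunnel lt {this.lt_id}",
            f" description {this.vrf}-to-{peer.vrf}",
            f" ip vrf forwarding {this.vrf}",
            f" security-zone {this.zone}" if firewall else " ip firewall disable",
            f" peer lt {peer.lt_id}",      # cross-reference to the opposite tunnel
            f" ip address {this.addr}",
            " enable",
            "exit"]


def render_pair(a: LtEnd, b: LtEnd, firewall: bool = True) -> List[str]:
    """Validate, then emit both tunnels so the peer references are symmetric."""
    check_pair(a, b)
    return render_end(a, b, firewall) + render_end(b, a, firewall)


# Constructed sample: VRF 'corp' (lt 1) talks to VRF 'dmz' (lt 2) over 10.254.0.0/30.
CORP = LtEnd(1, "corp", "trusted", "10.254.0.1/30")
DMZ = LtEnd(2, "dmz", "dmz", "10.254.0.2/30")

if __name__ == "__main__":
    print("\n".join(render_pair(CORP, DMZ)))
```

With `firewall=True` each end lands in its own security zone, so the zone-pair rules decide what may cross between the VRFs; `firewall=False` emits `ip firewall disable` instead, which is the unrestricted variant from step 4 and should be a deliberate choice rather than the default. Step 8 (routing protocols per VRF) is intentionally not rendered, since the table gives no command for it.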


Configuration example

...