Command Reference Guide Crypto Map Manual Command Set
61200510L1-35E Copyright © 2005 ADTRAN 1246
Functional Notes
The inbound local security parameter index (SPI) must equal the outbound remote SPI. The outbound local SPI
must equal the inbound remote SPI. The key values are the hexadecimal representations of the keys. They are
not true ASCII strings. Therefore, a key of 3031323334353637 represents “01234567”.
See the following list for key length requirements.
Algorithm      Minimum key length required
DES            64 bits in length; 8 hexadecimal bytes
3DES           192 bits in length; 24 hexadecimal bytes
AES-128-CBC    128 bits in length; 16 hexadecimal bytes
AES-192-CBC    192 bits in length; 24 hexadecimal bytes
AES-256-CBC    256 bits in length; 32 hexadecimal bytes
MD5            128 bits in length; 16 hexadecimal bytes
SHA1           160 bits in length; 20 hexadecimal bytes
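The rules above can be checked before keys are entered on either peer. The following Python check is an added example, not ADTRAN code: the dictionary field names and SPI values are constructed for illustration, and the byte counts are the minimums from the list above.

```python
import re

# Minimum key sizes in bytes, taken from the list above.
MIN_KEY_BYTES = {
    "DES": 8, "3DES": 24,
    "AES-128-CBC": 16, "AES-192-CBC": 24, "AES-256-CBC": 32,
    "MD5": 16, "SHA1": 20,
}

def key_bytes(hex_key):
    """Decode a key written as hexadecimal digits (two digits per byte)."""
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", hex_key):
        raise ValueError("key must be an even number of hexadecimal digits")
    return bytes.fromhex(hex_key)

def check_key(algorithm, hex_key):
    """Return a list of problems with one key; an empty list means it passes."""
    try:
        raw = key_bytes(hex_key)
    except ValueError as exc:
        return [f"{algorithm}: {exc}"]
    need = MIN_KEY_BYTES[algorithm]
    if len(raw) < need:
        return [f"{algorithm}: {len(raw)} bytes supplied, {need} required"]
    return []

def check_spi_pairing(local, remote):
    """Each side's inbound SPI must equal the other side's outbound SPI."""
    problems = []
    if local["inbound_spi"] != remote["outbound_spi"]:
        problems.append("local inbound SPI != remote outbound SPI")
    if local["outbound_spi"] != remote["inbound_spi"]:
        problems.append("local outbound SPI != remote inbound SPI")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration.
    site_a = {"inbound_spi": 300, "outbound_spi": 400}
    site_b = {"inbound_spi": 400, "outbound_spi": 300}
    print(key_bytes("3031323334353637"))            # the key from the text
    print(check_key("DES", "3031323334353637"))     # 8 bytes: meets the DES minimum
    print(check_key("DES", "01234567"))             # ASCII typed as hex: only 4 bytes
    print(check_key("3DES", "3031323334353637"))    # too short for 3DES
    print(check_spi_pairing(site_a, site_b))        # mirrored SPIs
    print(check_spi_pairing(site_a, site_a))        # same SPIs on both sides
```

The third call shows the mistake the note warns about: typing the ASCII string itself where its hexadecimal representation is expected yields a key half the intended length.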
Technology Review
The following example configures an AOS product for VPN using IPSec manual keys. This example
assumes that the AOS product has been configured with a WAN IP Address of 63.97.45.57 on interface
ppp 1 and a LAN IP Address of 10.10.10.254 on interface ethernet 0/1. The Peer Private IP Subnet is
10.10.20.0.
For more detailed information on VPN configuration, refer to the technical support note Configuring VPN
located on the ADTRAN OS Documentation CD provided with your unit.
Step 1:
Enter the Global Configuration mode (i.e., config terminal mode).
>enable
#configure terminal
Step 2:
Enable VPN support using the ip crypto command. This command allows crypto maps to be applied to
interfaces, and enables the IKE server to listen for IKE negotiation sessions on UDP port 500.
(config)#ip crypto
Step 3:
Define the transform set. A transform set defines the encryption and/or authentication algorithms to be
used to secure the data transmitted over the VPN tunnel. Multiple transform sets may be defined in a
system. Once a transform set is defined, many different crypto maps within the system can reference it. In
this example, a transform set named highly_secure has been created. This transform set specifies ESP
with 3DES encryption and SHA1 authentication.
(config)#crypto ipsec transform-set highly_secure esp-3des esp-sha-hmac
(cfg-crypto-trans)#mode tunnel