VPN configuration task list 69
OnSite 2800 Series User Manual 6 • VPN configuration
Transport and tunnel modes
The mode determines the payload of the ESP packet and hence the application:
• Transport mode: Encapsulates only the payload of the original IP packet, but not its header, so the IPsec
peers must be at the endpoints of the communications link.
• A secure connection between two hosts is the application of the transport mode.
• Tunnel mode: Encapsulates the payload and the header of the original IP packet. The IPsec peers can be
(edge) routers that are not at the endpoints of the communications link.
A secure connection of the two (private) LANs, a ‘tunnel’, is the application of the tunnel mode.
VPN configuration task list
To configure a VPN connection, perform the following tasks:
• Creating an IPsec transformation profile
• Creating an IPsec policy profile
• Creating/modifying an outgoing ACL profile for IPsec
• Configuration of an IP Interface and the IP router for IPsec
• Displaying IPsec configuration information
• Debugging IPsec
Creating an IPsec transformation profile
The IPsec transformation profile defines which authentication and/or encryption protocols, which authentica-
tion and/or encryption algorithms shall be applied.
Procedure: To create an IPsec transformation profile
Mode: Configure
mac-sha1-96 }Enables authentication and defines the authentication protocol and the hash algorithm
Use no in front of the above commands to delete a profile or a configuration entry.
Example: Create an IPsec transformation profile
The following example defines a profile for AES-encryption at a key length of 128.
2800(cfg)#profile ipsec-transform AES_128
2800(pf-ipstr)[AES_128]#esp-encryption aes-cbc 128
Step Command Purpose
1 node(cfg)#profile ipsec-transform name Creates the IPsec transformation profile name
2
optional
node(pf-ipstr)[name]#esp-encryption {
aes-cbc | des-cbc | 3des-cbc } [key-length]
Enables encryption and defines the encryp-
tion algorithm and the key length
3
optional
node(pf-ipstr)[name]#{ ah-authentication
| esp-authentication } {hmac-md5-96 |
hmac-sha1-96 }
Enables authentication and defines the
authentication protocol and the hash algo-
rithm