Support User Manuals

Patton electronic 2800 Network Router User Manual

Open as PDF

of 135

VPN configuration task list 69

OnSite 2800 Series User Manual 6 • VPN configuration

Transport and tunnel modes

The mode determines the payload of the ESP packet and hence the application:

• Transport mode: Encapsulates only the payload of the original IP packet, but not its header, so the IPsec

peers must be at the endpoints of the communications link.

• A secure connection between two hosts is the application of the transport mode.

• Tunnel mode: Encapsulates the payload and the header of the original IP packet. The IPsec peers can be

(edge) routers that are not at the endpoints of the communications link.

A secure connection of the two (private) LANs, a ‘tunnel’, is the application of the tunnel mode.

VPN configuration task list

To configure a VPN connection, perform the following tasks:

• Creating an IPsec transformation profile

• Creating an IPsec policy profile

• Creating/modifying an outgoing ACL profile for IPsec

• Configuration of an IP Interface and the IP router for IPsec

• Displaying IPsec configuration information

• Debugging IPsec

Creating an IPsec transformation profile

The IPsec transformation profile defines which authentication and/or encryption protocols, which authentica-

tion and/or encryption algorithms shall be applied.

Procedure: To create an IPsec transformation profile

Mode: Configure

mac-sha1-96 }Enables authentication and defines the authentication protocol and the hash algorithm

Use no in front of the above commands to delete a profile or a configuration entry.

Example: Create an IPsec transformation profile

The following example defines a profile for AES-encryption at a key length of 128.

2800(cfg)#profile ipsec-transform AES_128

2800(pf-ipstr)[AES_128]#esp-encryption aes-cbc 128

Step Command Purpose

1 node(cfg)#profile ipsec-transform name Creates the IPsec transformation profile name

2

optional

node(pf-ipstr)[name]#esp-encryption {

aes-cbc | des-cbc | 3des-cbc } [key-length]

Enables encryption and defines the encryp-

tion algorithm and the key length

3

optional

node(pf-ipstr)[name]#{ ah-authentication

| esp-authentication } {hmac-md5-96 |

hmac-sha1-96 }

Enables authentication and defines the

authentication protocol and the hash algo-

rithm

previous next