ADTRAN Stub Routing Specifications, Page 257

Command Reference Guide IKE Policy Command Set
61950860L1-35D © 2003 ADTRAN, Inc. 257
Technology Review
The following example configures an ADTRAN OS product for VPN using IKE aggressive mode with
pre-shared keys and mode config support (i.e., IPv4 address, primary and secondary DNS, and NBNS
addresses). The ADTRAN OS product can be set to initiate IKE negotiation in main mode or aggressive mode.
The product can be set to respond to IKE negotiation in main mode, aggressive mode, or any mode. In this
example, the device is configured to initiate in aggressive mode and to respond to any mode.
This example assumes that the ADTRAN OS product has been configured with a WAN IP Address of 192.168.1.1 on interface ethernet 0/1 and a LAN IP Address of 10.10.10.254 on interface ethernet 0/2. The Peer Private IP Subnet is 10.10.20.0.
For more detailed information on VPN configuration, refer to the technical support note Configuring VPN located on the NetVanta 3000 Series System Manual CD provided with your unit.
Step 1:
Enter the Global configuration mode (i.e., config terminal mode).
>enable
#configure terminal
Step 2:
Enable VPN support using the ip crypto command. This command allows crypto maps to be applied to interfaces, and enables the IKE server to listen for IKE negotiation sessions on UDP port 500.
(config)#ip crypto
Step 3:
Set the local ID. During IKE negotiation, local-ids are exchanged between the local device and the peer device. In the ADTRAN OS, the default setting for all local-ids is configured by the crypto ike local-id command. The default setting is for all local-ids to be the IPv4 address of the interface over which the IKE negotiation is occurring. In the future, a unique system-wide Hostname or Fully Qualified Domain Name could be used for all IKE negotiation.
(config)#crypto ike local-id address
Step 4:
Create IKE policy. In order to use IKE negotiation, an IKE policy must be created. Within the system, a list of IKE policies is maintained. Each IKE policy is given a priority number in the system. That priority number defines the position of that IKE policy within the system list. When IKE negotiation is needed, the system searches through the list, starting with the policy with priority of 1, looking for a match to the peer IP address.
An individual IKE policy can override the system local-id setting by having the local-id command specified in the IKE policy definition. This command in the IKE policy is used to specify the type of local-id and the local-id data. The type can be of IPv4 address, Fully Qualified Domain Name, or User-Specified Fully Qualified Domain Name.
An IKE policy may specify one or more peer IP addresses that will be allowed to connect to this system. To specify multiple unique peer IP addresses, the peer A.B.C.D command is used multiple times within a single IKE policy. To specify that all possible peers can use a default IKE policy, the peer any command is given instead of the peer A.B.C.D command inside of the IKE policy. The policy with the peer any command specified will match to any peer IP address (and therefore should be given the highest numerical priority number). This will make the policy the last one to be compared against during IKE negotiation.
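The priority-ordered lookup from Step 4, as an added example that is not from the ADTRAN manual: a Python model of first-match policy selection plus a check that flags policies made unreachable when a peer any policy carries a low priority number. It models only the peer-address matching described above; the IkePolicy class, the function names, the addresses and the priority numbers are constructed for illustration.

```python
# Added example: models only the peer-address matching described in Step 4.
from dataclasses import dataclass
from ipaddress import IPv4Address

ANY = "any"  # stands for the `peer any` command

@dataclass(frozen=True)
class IkePolicy:
    priority: int   # position in the system list; 1 is searched first
    peers: tuple    # addresses from `peer A.B.C.D`, or (ANY,)

    def matches(self, peer_ip):
        if ANY in self.peers:
            return True
        return IPv4Address(peer_ip) in {IPv4Address(p) for p in self.peers}


def select_policy(policies, peer_ip):
    """Return the first policy, in ascending priority order, matching peer_ip."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.matches(peer_ip):
            return policy
    return None


def unreachable_policies(policies):
    """Priorities of policies that can never be selected because every peer
    they list is already matched by a policy searched earlier."""
    ordered = sorted(policies, key=lambda p: p.priority)
    dead = []
    for i, policy in enumerate(ordered):
        earlier = ordered[:i]
        if any(ANY in e.peers for e in earlier):
            dead.append(policy.priority)
        elif ANY not in policy.peers and all(
                any(e.matches(p) for e in earlier) for p in policy.peers):
            dead.append(policy.priority)
    return dead

# Constructed sample lists (documentation-range addresses, made-up priorities).
SPECIFIC = [IkePolicy(10, ("198.51.100.7",)),
            IkePolicy(20, ("203.0.113.9", "203.0.113.10"))]
GOOD = SPECIFIC + [IkePolicy(100, (ANY,))]   # catch-all searched last
BAD = SPECIFIC + [IkePolicy(1, (ANY,))]      # catch-all searched first

if __name__ == "__main__":
    for name, plist in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, select_policy(plist, "198.51.100.7").priority, unreachable_policies(plist))
```

With the catch-all at priority 1, every peer lands on it and the peer-specific policies are never compared, which is why the text places peer any at the highest numerical priority.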