Patton electronic SmartNode 4110 Series ユーザーズマニュアル
VPN configuration task list
367
SmartWare Software Configuration Guide
32 • VPN configuration
Use no in front of the above commands to delete a profile or a configuration entry.
Example: Create an IPsec policy profile
The following example defines a profile for AES-encryption at a key length of 128.
node(cfg)#profile ipsec-policy-manual ToBerne
node(pf-ipsma)[ToBerne]#use profile ipsec-transform AES_128
node(pf-ipsma)[ToBerne]#session-key inbound esp-encryption
1234567890ABCDEF1234567890ABCDEF
node(pf-ipsma)[ToBerne]#session-key outbound esp-encryption
FEDCBA0987654321FEDCBA0987654321
node(pf-ipsma)[ToBerne]#spi inbound esp 1111
node(pf-ipsma)[ToBerne]#spi outbound esp 2222
node(pf-ipsma)[ToBerne]#peer 200.200.200.1
node(pf-ipsma)[ToBerne]#mode tunnel
node(pf-ipsma)[ToBerne]#use profile ipsec-transform AES_128
node(pf-ipsma)[ToBerne]#session-key inbound esp-encryption
1234567890ABCDEF1234567890ABCDEF
node(pf-ipsma)[ToBerne]#session-key outbound esp-encryption
FEDCBA0987654321FEDCBA0987654321
node(pf-ipsma)[ToBerne]#spi inbound esp 1111
node(pf-ipsma)[ToBerne]#spi outbound esp 2222
node(pf-ipsma)[ToBerne]#peer 200.200.200.1
node(pf-ipsma)[ToBerne]#mode tunnel
Creating/modifying an outgoing ACL profile for IPsec
An access control list (ACL) profile in the outgoing direction selects which outgoing traffic to encrypt and/or
authenticate, and which IPsec policy profile to use. IPsec does not require an incoming ACL.
authenticate, and which IPsec policy profile to use. IPsec does not require an incoming ACL.
Note
Outgoing and incoming IPsec traffic passes an ACL (if available) twice, once
before and once after encryption/authentication. So the respective ACLs
must permit the encrypted/authenticated and the plain traffic.
before and once after encryption/authentication. So the respective ACLs
must permit the encrypted/authenticated and the plain traffic.
For detailed information on how to set-up ACL rules, see chapter 24,
Procedure: To create/modify an outgoing ACL profile for IPsec
Mode: Configure
Note
New entries are appended at the end of an ACL. Since the position in the list
is relevant, you might need to delete the ACL and rewrite it completely.
is relevant, you might need to delete the ACL and rewrite it completely.
Example: Create/modify an ACL profile for IPsec
The following example configures an outgoing ACL profile that interconnects the two private networks
192.168.1/24 and 172.16/16.
192.168.1/24 and 172.16/16.
node(cfg)#profile acl VPN_Out
node(pf-acl)[VPN_Out]#permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255 ipsec-
policy ToBerne
node(pf-acl)[VPN_Out]#permit ip any any
node(pf-acl)[VPN_Out]#permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255 ipsec-
policy ToBerne
node(pf-acl)[VPN_Out]#permit ip any any
Step
Command
Purpose
1
node(cfg)#profile acl name
Creates or enters the ACL profile name
2
node(pf-ipstr)[name]#permit ...
[ ipsec-policy name ]
[ ipsec-policy name ]
The expression ‘ipsec-policy name’ appended to a
permit ACL rule activates the IPsec policy profile
name to encrypt/authenticate the traffic identified
by this rule.
permit ACL rule activates the IPsec policy profile
name to encrypt/authenticate the traffic identified
by this rule.