How to Configure XSR NEM VPN Tunnel using EZIPSEC

Objective
Configure a VPN connection between two sites that each have an XSR router; one site has a static public IP address and the other has a dynamic one.
Environment
  • Two XSR
  • One has a static IP address
  • One has a dynamic IP address
Procedure
Use the EZIPSEC method as follows:

1. Configure the central site router, which has a static IP address assigned by the ISP:

access-list 150 permit ip any 192.0.2.0 0.0.0.255        ! Local LAN - VPN tunnel subnet
access-list 151 permit ip any 203.0.113.128 0.0.0.255    ! Local LAN - remote LAN

ip local pool EZ_Subnet 192.0.2.0 255.255.255.0
exclude 192.0.2.1

crypto isakmp proposal PreShared
authentication pre-share

crypto isakmp peer 0.0.0.0 0.0.0.0
proposal PreShared
config-mode gateway
nat-traversal automatic

crypto ipsec transform-set EZ_TransForms esp-3des esp-sha-hmac
set pfs group1
set security-association lifetime kilobytes 28800
no set security-association lifetime seconds

crypto ipsec transform-set TransForms esp-3des esp-sha-hmac
no set security-association lifetime kilobytes

crypto map ezipsec 151
set transform-set EZ_TransForms
match address 151

crypto map ezipsec 150
set transform-set EZ_TransForms
match address 150


interface FastEthernet1
ip address 203.0.113.1 255.255.255.128
no shutdown

interface FastEthernet2
crypto ezipsec
description "Public_Cloud"
ip address 198.51.100.10 255.255.255.0
no shutdown

interface Vpn150 multi-point
description "EZ_VPN"
ip address 192.0.2.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 fastethernet 2

aaa group EZ_Group
ip pool EZ_Subnet
policy vpn

aaa user EZ_Remote1
group EZ_Group
password Shar3dS3r3t

2. Configure the remote site router, which has a dynamic IP address assigned by the ISP:

interface FastEthernet1
description "Local_LAN"
ip address 203.0.113.129 255.255.255.128
no shutdown

interface FastEthernet2
description "Public_Interface"
crypto ezipsec
ip address dhcp
no shutdown

interface Vpn1 point-to-point
tunnel "To_Central_Site"
set user "EZ_Remote1"
set protocol ipsec network-extension-mode
set active
set peer 198.51.100.10
ip address negotiated

!IP
ip route 0.0.0.0 0.0.0.0 FastEthernet2

!Fail-Over


aaa user 198.51.100.10
password Shar3dS3r3t
Additional notes
  • In the samples above, the public-side interfaces of both routers are in the same IP subnet, which keeps the bench-test setup simple.
  • On the central site router, the two ACLs permit the remote site to build IPsec security associations with both the central site LAN subnet and the VPN IP address subnet.
  • The IP address range should be wide enough to cover all the central site subnets that the remote site users need to reach.
  • If multiple non-contiguous subnets exist, each one needs its own ACL and a matching crypto map entry.
  • The crypto map name must be "ezipsec". Although the name can be chosen arbitrarily for other types of VPN connections, in this configuration it MUST be "ezipsec" for the tunnel to operate correctly.
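The notes above are easy to get wrong when the two configurations are edited by hand, so here is an added example (not part of the article and not Extreme Networks tooling) of a small Python script that reads both site configurations and checks them against those constraints: the crypto map applied on the public interface is named "ezipsec", every crypto map entry points at an ACL that exists, the VPN pool subnet is covered by one of those ACLs, the remote site's "set user" and "set peer" match a central site aaa user and public address, and the secret configured on each side is the same (in the article's sample both sides carry the same secret; that comparison is an assumption of this script, as is the parsing, which understands only the command forms used in this article). The embedded configurations are constructed copies of the relevant lines from the samples above.

```python
"""Consistency checks for an XSR EZIPSEC site pair (added example, not Extreme's tooling).

Only the command forms used in the article are understood: access-list, ip local pool,
crypto map, interface and aaa user, plus the sub-commands the checks need.
"""
import ipaddress


def wildcard_to_network(addr, wildcard):
    """Convert an ACL 'address wildcard' pair (e.g. 0.0.0.255) into a network.
    ipaddress accepts a hostmask after the slash; strict=False tolerates host bits."""
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)


def parse_xsr(text):
    """Collect the objects the checks need. Sub-commands are attributed to the most
    recent 'crypto map', 'interface' or 'aaa user' line; '!' comments are dropped."""
    cfg = {"acls": {}, "maps": {}, "pools": {}, "ifaces": {}, "users": {}}
    cur = None
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()
        if not line:
            continue
        w = line.split()
        if w[0] == "access-list" and "permit" in w:      # access-list N permit ip SRC DST WILD
            cfg["acls"].setdefault(int(w[1]), []).append(wildcard_to_network(w[-2], w[-1]))
        elif w[:3] == ["ip", "local", "pool"]:           # ip local pool NAME NET MASK
            cfg["pools"][w[3]] = ipaddress.ip_network(f"{w[4]}/{w[5]}", strict=False)
        elif w[:2] == ["crypto", "map"]:                 # crypto map NAME SEQ
            cur = cfg["maps"].setdefault((w[2], int(w[3])), {})
        elif w[0] == "interface":
            cur = cfg["ifaces"].setdefault(w[1], {})
        elif w[:2] == ["aaa", "user"]:
            cur = cfg["users"].setdefault(w[2], {})
        elif cur is not None:
            if w[:2] == ["match", "address"]:
                cur["match"] = int(w[2])
            elif w[0] == "crypto" and len(w) == 2:       # 'crypto ezipsec' on an interface
                cur["crypto_map"] = w[1]
            elif w[:2] == ["set", "peer"]:
                cur["peer"] = w[2]
            elif w[:2] == ["set", "user"]:
                cur["user"] = w[2].strip('"')
            elif w[0] == "password":
                cur["password"] = w[1]
            elif w[:2] == ["ip", "address"] and len(w) == 4:
                cur["ip"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
    return cfg


def check_pair(central_text, remote_text):
    """Return a list of findings; an empty list means every check passed."""
    c, r, findings = parse_xsr(central_text), parse_xsr(remote_text), []
    # 1. The crypto map applied on the public interface must be named "ezipsec".
    for name, iface in c["ifaces"].items():
        if "crypto_map" in iface and iface["crypto_map"] != "ezipsec":
            findings.append(f"{name}: crypto map '{iface['crypto_map']}' must be named 'ezipsec'")
    # 2. Every crypto map entry needs a 'match address' that names an existing ACL.
    for (map_name, seq), entry in c["maps"].items():
        acl = entry.get("match")
        if acl not in c["acls"]:
            findings.append(f"crypto map {map_name} {seq}: match address {acl} has no ACL")
    # 3. The VPN pool subnet must be permitted by an ACL that a crypto map entry uses.
    permitted = [n for e in c["maps"].values() for n in c["acls"].get(e.get("match"), [])]
    for pool_name, pool in c["pools"].items():
        if not any(pool.subnet_of(n) for n in permitted):
            findings.append(f"pool {pool_name} {pool} is not covered by any crypto-map ACL")
    # 4. Remote tunnel settings must line up with the central site's user and public address.
    central_public = {str(i["ip"].ip) for i in c["ifaces"].values() if "crypto_map" in i and "ip" in i}
    for name, iface in r["ifaces"].items():
        user, peer = iface.get("user"), iface.get("peer")
        if user is not None and user not in c["users"]:
            findings.append(f"{name}: set user {user} has no aaa user on the central site")
        if peer is not None and peer not in central_public:
            findings.append(f"{name}: set peer {peer} is not the central site's public address")
        # 5. Assumption (as in the article's sample): both sides carry the same secret.
        if user is not None and peer is not None:
            rp = r["users"].get(peer, {}).get("password")
            cp = c["users"].get(user, {}).get("password")
            if rp is None or rp != cp:
                findings.append(f"{name}: pre-shared secret for peer {peer} differs between the two sites")
    return findings


# Constructed samples: the lines of the article's two configurations that the checks read.
CENTRAL_CFG = """
access-list 150 permit ip any 192.0.2.0 0.0.0.255        ! Local LAN - VPN tunnel subnet
access-list 151 permit ip any 203.0.113.128 0.0.0.255    ! Local LAN - remote LAN
ip local pool EZ_Subnet 192.0.2.0 255.255.255.0
crypto map ezipsec 151
match address 151
crypto map ezipsec 150
match address 150
interface FastEthernet2
crypto ezipsec
ip address 198.51.100.10 255.255.255.0
aaa user EZ_Remote1
password Shar3dS3r3t
"""
REMOTE_CFG = """
interface Vpn1 point-to-point
set user "EZ_Remote1"
set peer 198.51.100.10
aaa user 198.51.100.10
password Shar3dS3r3t
"""

if __name__ == "__main__":
    for finding in check_pair(CENTRAL_CFG, REMOTE_CFG) or ["no findings"]:
        print(finding)
```

Run it after editing either side; a non-empty list points at the exact crypto map entry, pool, user or peer that no longer matches, which is usually faster than reading "show crypto" output on both routers.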
