31.7.1
    Specifies the key required for the tunnel endpoint
    NOTE: The VPN tunnel peer (Edmonton router) must have one IKE phase 1 policy that matches the IKE phase 1 policy in the Winnipeg router.
Winnipeg(config)#crypto ipsec transform-set TRANSFORM-0 esp-sha-hmac esp-3des
    Creates a transform set for the IKE phase 2 policy
Winnipeg(cfg-crypto-trans)#mode tunnel
    Encapsulates the entire datagram
Winnipeg(cfg-crypto-trans)#exit
    Exits cfg-crypto-trans mode
Winnipeg(config)#crypto ipsec security-association lifetime seconds 1200
    Defines a 20-minute SA lifetime
Winnipeg#configure terminal
    Enters global configuration mode
Winnipeg(config)#access-list 100 permit ip 192.168.30.0 0.0.0.255 10.10.30.0 0.0.0.255
    Defines the source and destination of traffic that will use the IPsec tunnel
Configuring IPsec Site-to-Site VPNs Using CLI
Step 4: Configure the Crypto Map (IKE Phase 2)
NOTE: The Edmonton tunnel termination router has the following mirrored programming: tunnel peer IP address, interesting traffic ACL, and firewall ACL permitting VPN protocols.
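The note above says Edmonton mirrors Winnipeg's interesting-traffic ACL. The following is an added example, not part of the original guide: a Python check that parses the access-list 100 line shown on this page, derives the mirrored entry the peer should carry, and compares candidate peer lines against it. The Edmonton lines, and the use of ACL number 100 on Edmonton, are constructed for illustration.

```python
import ipaddress

# Winnipeg's crypto ACL, copied from the page.
WINNIPEG_ACL = "access-list 100 permit ip 192.168.30.0 0.0.0.255 10.10.30.0 0.0.0.255"
# Constructed Edmonton candidates (ACL number 100 on Edmonton is an assumption).
EDMONTON_OK = "access-list 100 permit ip 10.10.30.0 0.0.0.255 192.168.30.0 0.0.0.255"
EDMONTON_BAD = "access-list 100 permit ip 10.10.0.0 0.0.255.255 192.168.30.0 0.0.0.255"


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to an IPv4Network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # set bits must be a contiguous run from the low end
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    prefix = 32 - wc.bit_length()
    base = int(ipaddress.IPv4Address(addr)) & ~wc & 0xFFFFFFFF  # drop host bits
    return ipaddress.IPv4Network((base, prefix))


def parse_crypto_acl(line):
    """Return (source, destination) networks of a 'permit ip' extended ACL line."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACL line: {line!r}")
    return wildcard_to_network(tok[4], tok[5]), wildcard_to_network(tok[6], tok[7])


def mirror_of(line):
    """Build the peer's ACL line by swapping source and destination."""
    parse_crypto_acl(line)  # validate before rewriting
    tok = line.split()
    return " ".join(tok[:4] + tok[6:8] + tok[4:6])


def is_mirrored(local_line, peer_line):
    """True when the peer's source/destination are the local ones swapped."""
    l_src, l_dst = parse_crypto_acl(local_line)
    p_src, p_dst = parse_crypto_acl(peer_line)
    return (l_src, l_dst) == (p_dst, p_src)


if __name__ == "__main__":
    print("expected peer ACL:", mirror_of(WINNIPEG_ACL))
    for name, acl in (("EDMONTON_OK", EDMONTON_OK), ("EDMONTON_BAD", EDMONTON_BAD)):
        print(name, "mirrored" if is_mirrored(WINNIPEG_ACL, acl) else "NOT mirrored")
```

Networks are compared after normalizing host bits, so a peer line written with a host address inside the same /24 still counts as mirrored, while a wider or narrower wildcard does not.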
Winnipeg(config)#crypto map CRYPTO-MAP-0 1 ipsec-isakmp
    Defines the crypto map CRYPTO-MAP-0 to use IPsec with ISAKMP
Winnipeg(config-crypto-map)#set peer
192.