IPsec VPN Configuration
Except on the first page, right running head:
Heading1 or Heading1NewPage text (automatic)
819
Alcatel-Lucent
Beta Beta
OmniAccess 5740 Unified Services Gateway CLI Configuration Guide
IPSEC CONFIGURATION COMMANDS
This section details the commands used in configuring IPsec VPN.
TO CONFIGURE THE MATCH-LISTS
To get a concise and terse outlook on the methods to configure the match-lists,
please refer “Common Classifiers” chapter in this guide.
To specify the subnets, which need to communicate with each other, match-list
(access-list) needs to be configured. This match-list is called by the crypto map
command.
In the OmniAccess 5740 USG, a wide variety of match-lists can be defined.
However, a well-defined subset of match-lists can be used for IPsec tunnel. A
match-list should not have ‘any any’ option. The match-list should not contain
multiple rules or another nested match-list/list. However, these constraints can be
overcome by applying multiple crypto maps to the same interface.
A rule should not have the ‘port range’ or ‘interfaces’ keywords.
For Example:
match-list m1
ip prefix 10.0.0.0/8 prefix 9.0.0.0/8
IPSEC CONFIGURATION WITH PRESHARED KEY
Note: The IKE key is given by means of a key-string. Currently, the preshared-key length is
restricted to 128 characters, and the minimum length is 8 characters.
DNS client configuration is prerequisite for configuring peer as FQDN. For FQDN
resolution, “ip domain-lookup” and “ip name-server” commands should be configured.
This name server should be reachable by the system. For more information on DNS
client configuration, refer to “DNS (Domain Name Service) Client”
Command (in CM) Description
crypto ike key <key-string>
[vrf <name>] peer {<peer-
address>|<FQDN>}[force]
This command is used to configure a pre-
shared key.
The key is same on both the IPsec
gateways. It is denoted in the form of a
key-string.
The peer can either be an IP address or
fully qualified domain name (FQDN) of the
peer at the remote end.
The “force“ keyword edits or modifies the
IKE keys, which are already configured.
no crypto ike key <key-
string> [vrf <name>] peer
{<peer-address>|<FQDN>}
This ‘no’ command removes the
configured pre-shared key.
To Next Page
Loading...
Need help?
General
