IPsec Scenarios on OmniAccess 5740 USG
Alcatel-Lucent
OmniAccess 5740 Unified Services Gateway CLI Configuration Guide
COMPARATIVE STUDY BETWEEN OMNIACCESS 5740 USG AND OTHER SYSTEMS
The IPsec configuration in other systems would involve:
1. Defining a preshared key.
2. Defining an IKE policy: at least 3 sub-commands (the OmniAccess 5740 USG has a default IKE policy).
3. Defining a transform-set (in our case, there is a default transform-set).
4. Defining a crypto map: 4 sub-commands (in our case, only 2 sub-commands).
Further, when a show crypto command is run, the defaults that were assumed are shown with a “!” at the beginning of the line. This makes it easy to tell whether a value was explicitly set or assumed.
Another point to note is that the OmniAccess 5740 USG does not support AH in IPsec. AH is a very weak mechanism and hence is not used in most modern systems.
EDITING A MATCH-LIST ATTACHED TO THE CRYPTO MAP
ALU(config)# match-list tunnel
ALU(config-match-list-tunnel)# 1 ip prefix 10.91.0.0/24 prefix 10.0.0.0/24
ALU(config)# crypto map cryp-tunnel ipsec-ike default
ALU(config-crypto-map-cryp-tunnel)# match tunnel
Now, suppose we also want to tunnel traffic from 192.168.0.0/24 to 10.0.0.0/24 and add a second rule to the same match-list:
ALU(config)# match-list tunnel
ALU(config-match-list-tunnel)# 1 ip prefix 10.91.0.0/24 prefix 10.0.0.0/24
ALU(config-match-list-tunnel)# 2 ip prefix 192.168.0.0/24 prefix 10.0.0.0/24
This will not work, because the crypto map accepts only the first configured rule in the match-list; rule 2 is silently ignored. Hence, you should configure another match-list containing the new rule and attach it to a new crypto map.
Alternatively, you can modify the existing rule in place by re-entering it with the same sequence number:
ALU(config)# match-list tunnel
ALU(config-match-list-tunnel)# 1 ip prefix 10.91.0.0/24 prefix 10.0.0.0/24
ALU(config-match-list-tunnel)# 1 ip prefix 192.168.0.0/24 prefix 10.0.0.0/24
Note: The crypto map supports only one rule in a match-list.
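Because the second rule is ignored without any error, the resulting gap in protection (traffic from 192.168.0.0/24 leaving in the clear) is easy to miss in review. The following script is an added example, not part of the configuration guide or of Alcatel-Lucent's software: it parses a copied CLI session using only the command forms shown above (match-list, N ip prefix A prefix B, crypto map ... ipsec-ike ..., match), reports every crypto map whose match-list carries more than one rule, and shows which selector the device will actually apply. The prompt format and the assumption that "first configured" means the rule entered first are taken from this page; the three transcripts are constructed test inputs.

```python
"""Lint an OmniAccess 5740 USG-style IPsec session for the match-list pitfall:
a crypto map honours only the first configured rule of its match-list, so any
further rules are silently ignored.

Added example. The parsing assumes the exact command syntax shown on this page
and strips "ALU(...)#" prompts, so a pasted CLI session can be checked as-is.
"""
import re
from dataclasses import dataclass, field

PROMPT = re.compile(r"^ALU\([^)]*\)#\s*")                       # CLI prompt to strip
MATCH_LIST = re.compile(r"^match-list\s+(\S+)$")
RULE = re.compile(r"^(\d+)\s+ip\s+prefix\s+(\S+)\s+prefix\s+(\S+)$")
CRYPTO_MAP = re.compile(r"^crypto\s+map\s+(\S+)\s+ipsec-ike\s+(\S+)$")
MATCH_REF = re.compile(r"^match\s+(\S+)$")


@dataclass
class Config:
    match_lists: dict = field(default_factory=dict)   # name -> {seq: (src, dst)}
    crypto_maps: dict = field(default_factory=dict)   # name -> attached match-list


def parse(transcript: str) -> Config:
    """Build a Config from a pasted CLI session (constructed format, see above)."""
    cfg = Config()
    current_list = current_map = None
    for raw in transcript.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line:
            continue
        if m := MATCH_LIST.match(line):
            current_list, current_map = m.group(1), None
            cfg.match_lists.setdefault(current_list, {})
        elif m := CRYPTO_MAP.match(line):
            current_map, current_list = m.group(1), None
            cfg.crypto_maps.setdefault(current_map, None)
        elif (m := RULE.match(line)) and current_list:
            # Re-entering an existing sequence number overwrites that rule,
            # which is the in-place edit the guide recommends.
            cfg.match_lists[current_list][int(m.group(1))] = (m.group(2), m.group(3))
        elif (m := MATCH_REF.match(line)) and current_map:
            cfg.crypto_maps[current_map] = m.group(1)
    return cfg


def effective_selectors(cfg: Config) -> dict:
    """Selector the device will actually apply per crypto map: the first
    configured rule only (assumption: first configured = first entered)."""
    out = {}
    for cmap, mlist in cfg.crypto_maps.items():
        rules = cfg.match_lists.get(mlist or "", {})
        if rules:
            out[cmap] = rules[next(iter(rules))]
    return out


def lint(cfg: Config) -> list:
    """Return one finding per crypto map whose match-list has ignored rules."""
    findings = []
    for cmap, mlist in cfg.crypto_maps.items():
        if mlist is None:
            findings.append(f"crypto map {cmap}: no match-list attached")
            continue
        rules = cfg.match_lists.get(mlist)
        if rules is None:
            findings.append(f"crypto map {cmap}: match-list {mlist} is not defined")
            continue
        if len(rules) > 1:
            first = next(iter(rules))
            ignored = [s for s in rules if s != first]
            findings.append(f"crypto map {cmap}: match-list {mlist} has {len(rules)} rules; "
                            f"only rule {first} is honoured, rules {ignored} are ignored")
    return findings


# Constructed transcripts mirroring the three situations discussed above.
BROKEN = """
ALU(config)# match-list tunnel
ALU(config-match-list-tunnel)# 1 ip prefix 10.91.0.0/24 prefix 10.0.0.0/24
ALU(config-match-list-tunnel)# 2 ip prefix 192.168.0.0/24 prefix 10.0.0.0/24
ALU(config)# crypto map cryp-tunnel ipsec-ike default
ALU(config-crypto-map-cryp-tunnel)# match tunnel
"""
FIXED = """
ALU(config)# match-list tunnel
ALU(config-match-list-tunnel)# 1 ip prefix 10.91.0.0/24 prefix 10.0.0.0/24
ALU(config)# match-list tunnel2
ALU(config-match-list-tunnel2)# 1 ip prefix 192.168.0.0/24 prefix 10.0.0.0/24
ALU(config)# crypto map cryp-tunnel ipsec-ike default
ALU(config-crypto-map-cryp-tunnel)# match tunnel
ALU(config)# crypto map cryp-tunnel2 ipsec-ike default
ALU(config-crypto-map-cryp-tunnel2)# match tunnel2
"""
MODIFIED = """
ALU(config)# match-list tunnel
ALU(config-match-list-tunnel)# 1 ip prefix 10.91.0.0/24 prefix 10.0.0.0/24
ALU(config-match-list-tunnel)# 1 ip prefix 192.168.0.0/24 prefix 10.0.0.0/24
ALU(config)# crypto map cryp-tunnel ipsec-ike default
ALU(config-crypto-map-cryp-tunnel)# match tunnel
"""

if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("FIXED", FIXED), ("MODIFIED", MODIFIED)):
        cfg = parse(text)
        print(name, lint(cfg) or "ok", effective_selectors(cfg))
```

Run it over a saved session before committing a change to a crypto map: a non-empty finding means a selector was added that the device will never tunnel, and effective_selectors shows what is actually protected. The "tunnel2" and "cryp-tunnel2" names in the FIXED transcript are assumed, not from the guide.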