• Use the mode command to set the IPSec mode (tunnel or transport). Transport
mode does not add an additional IP header (i.e., a tunnel header), but rather
uses the original packet’s header. However, it can be used only when the VPN
tunnel endpoints are equivalent to the original packet’s source and destination
IP addresses. This is generally the case when using GRE over IPSec. Note
that transport mode cannot be used unless the remote VPN peer supports that
mode and was configured to use it.
Gxxx-001001(config-transform:ts1ts1)# set pfs group2
Done!
Gxxx-001(config-transform:ts1)# set security-association lifetime
seconds
7200
Done!
Gxxx-001(config-transform:ts1)# set security-association lifetime
kilobytes 268435456
Gxxx-001(config-transform:ts1)# mode tunnel
Done!
3. Exit the crypto transform-set context with the exit command.
Gxxx-001(config-transform:ts1)# exit
Gxxx-001#
Configuring ISAKMP peer information
About this task
ISAKMP peer information defines the remote peer identification, the pre-shared key used for
peer authentication, and the ISAKMP policy to be used for IKE phase 1 negotiations between
the peers.
Note:
You can define up to 100 ISAKMP peers.
Important:
Define at least one ISAKMP peer.
Procedure
1. Enter crypto isakmp peer, followed by the address of the ISAKMP peer or its
Fully Qualified Domain Name (FQDN), to enter the context of an ISAKMP peer and
to create the peer if it does not exist.
Note:
If you want to specify the ISAKMP peer by its FQDN name, configure the Branch
Gateway as a DNS client. and verify that the peer’s name is listed in a DNS server.
See DNS resolver on page 74.
IPSec VPN
Administering Avaya G430 Branch Gateway October 2013 489
To Next Page
Loading...
