MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual 259
The following example describes the step-by-step VPN configuration for the example network shown in
Figure 3-166.
1. Enable VPN service.
% set services vpn enabled true
2. Configure an IKE policy with auth-method 'pre-shared-key' and password 'test123'.
% set services vpn ike policy IKE-POLICY-1 auth-method pre-shared-key
% set services vpn ike policy IKE-POLICY-1 pre-shared-key test123
3. Configure the following cipher suite to be included as a proposal for IKE phase-1 negotiation:
a. Encryption Algorithm = AES 128-bit in CBC mode
b. Message Authentication Algorithm = HMAC using SHA-256 digest
c. Diffie-Hellman Group = DH-14 (group 14, modp2048)
% set services vpn ike policy IKE-POLICY-1 ciphersuite CS1 encryption-algo aes-128-cbc
% set services vpn ike policy IKE-POLICY-1 ciphersuite CS1 mac-algo sha256-hmac
% set services vpn ike policy IKE-POLICY-1 ciphersuite CS1 dh-group dh-14
NOTE More than one cipher suite can be included in the proposal.
4. Create an IKE peer with address 172.18.175.40, dead peer detection enabled, and the DPD interval set to 5 minutes.
Dead peer detection (DPD) is enabled by default. When enabled, it sends R_U_THERE/INFORMATIONAL messages to the peer if no other data has been sent within the DPD interval. This allows Orbit to detect dead peers and clear the connection. The DPD interval should be set to no less than 300 seconds (5 minutes) to reduce the periodic traffic in the network.
% set services vpn ike peer VPN-GW ike-policy IKE-POLICY-1
% set services vpn ike peer VPN-GW local-identity default
% set services vpn ike peer VPN-GW peer-endpoint address 172.18.175.40
% set services vpn ike peer VPN-GW peer-identity default
% set services vpn ike peer VPN-GW role initiator
% set services vpn ike peer VPN-GW dpd-interval 300
5. Create an IPsec policy and configure the following cipher suite to be included as a proposal for IKE phase-2 negotiation:
a. Encryption Algorithm = AES 128-bit in CBC mode
b. Message Authentication Algorithm = HMAC using SHA-256 digest
c. Diffie-Hellman Group = DH-14 (group 14, modp2048)
% set services vpn ipsec policy IPSEC-POLICY-1 ciphersuite CS1 encryption-algo aes-128-cbc
% set services vpn ipsec policy IPSEC-POLICY-1 ciphersuite CS1 mac-algo sha256-hmac
% set services vpn ipsec policy IPSEC-POLICY-1 ciphersuite CS1 dh-group dh-14
NOTE More than one cipher suite can be included in the proposal.
6. Create the IPsec connection, referencing the IKE peer created in step 4 and the IPsec policy created in step 5.
% set services vpn ipsec connection VPN-GWY-CONN ike-peer VPN-GW
% set services vpn ipsec connection VPN-GWY-CONN ipsec-policy IPSEC-POLICY-1
% set services vpn ipsec connection VPN-GWY-CONN local-ip-subnet 192.168.1.0/24
% set services vpn ipsec connection VPN-GWY-CONN remote-ip-subnet 192.168.2.0/24
% set services vpn ipsec connection VPN-GWY-CONN filter input IN_TRUSTED
% set services vpn ipsec connection VPN-GWY-CONN filter output OUT_TRUSTED
% set services vpn ipsec connection VPN-GWY-CONN failure-retry-interval 1
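The six steps above are only a working tunnel if every name referenced in a later step was actually created in an earlier one, and if the settings the text recommends (DPD interval of at least 300 seconds, a pre-shared key when auth-method is pre-shared-key) are really present. The following script is an added example, not part of the MDS manual or the Orbit firmware: it parses a list of `set services vpn ...` commands into a dictionary and reports dangling references and weak settings before the configuration is committed to the device. The flattened attribute layout, the `MIN_PSK_LEN` threshold (an assumed local policy; the manual states no minimum) and the sample command list are this example's own constructions. The sample reproduces the commands from steps 1-6, but deliberately makes the connection point at a peer name ('VPN-GWY') that differs from the peer created in step 4 ('VPN-GW'), which is exactly the kind of typo the check is meant to catch.

```python
"""Added example (not the MDS Orbit manual's code): parse a list of
'set services vpn ...' commands into a dictionary and check the
cross-references and settings that the step-by-step procedure relies on."""
import ipaddress

MIN_PSK_LEN = 16       # assumed local policy; the manual states no minimum
MIN_DPD_INTERVAL = 300  # minimum recommended by the procedure, in seconds
CONTAINERS = ("ike policy", "ike peer", "ipsec policy", "ipsec connection")

# Constructed sample: the commands from steps 1-6, with the connection
# deliberately referencing 'VPN-GWY' while the peer was created as 'VPN-GW'.
SAMPLE_CONFIG = """
% set services vpn enabled true
% set services vpn ike policy IKE-POLICY-1 auth-method pre-shared-key
% set services vpn ike policy IKE-POLICY-1 pre-shared-key test123
% set services vpn ike policy IKE-POLICY-1 ciphersuite CS1 encryption-algo aes-128-cbc
% set services vpn ike policy IKE-POLICY-1 ciphersuite CS1 mac-algo sha256-hmac
% set services vpn ike policy IKE-POLICY-1 ciphersuite CS1 dh-group dh-14
% set services vpn ike peer VPN-GW ike-policy IKE-POLICY-1
% set services vpn ike peer VPN-GW local-identity default
% set services vpn ike peer VPN-GW peer-endpoint address 172.18.175.40
% set services vpn ike peer VPN-GW peer-identity default
% set services vpn ike peer VPN-GW role initiator
% set services vpn ike peer VPN-GW dpd-interval 300
% set services vpn ipsec policy IPSEC-POLICY-1 ciphersuite CS1 encryption-algo aes-128-cbc
% set services vpn ipsec policy IPSEC-POLICY-1 ciphersuite CS1 mac-algo sha256-hmac
% set services vpn ipsec policy IPSEC-POLICY-1 ciphersuite CS1 dh-group dh-14
% set services vpn ipsec connection VPN-GWY-CONN ike-peer VPN-GWY
% set services vpn ipsec connection VPN-GWY-CONN ipsec-policy IPSEC-POLICY-1
% set services vpn ipsec connection VPN-GWY-CONN local-ip-subnet 192.168.1.0/24
% set services vpn ipsec connection VPN-GWY-CONN remote-ip-subnet 192.168.2.0/24
% set services vpn ipsec connection VPN-GWY-CONN failure-retry-interval 1
"""


def parse_set_lines(text):
    """Return {'global': {...}, 'ike policy': {name: {attr: value}}, ...}.
    Multi-word attribute paths are flattened into one key, so the command
    '... ciphersuite CS1 dh-group dh-14' becomes {'ciphersuite CS1 dh-group': 'dh-14'}."""
    cfg = {"global": {}}
    cfg.update({kind: {} for kind in CONTAINERS})
    for raw in text.splitlines():
        line = raw.strip().lstrip("%").strip()  # tolerate the CLI '% ' prompt
        if not line:
            continue
        tokens = line.split()
        if tokens[:3] != ["set", "services", "vpn"]:
            raise ValueError(f"not a 'set services vpn' command: {raw!r}")
        rest = tokens[3:]
        if len(rest) == 2:  # top-level leaf such as 'enabled true'
            cfg["global"][rest[0]] = rest[1]
            continue
        kind = " ".join(rest[:2])
        if kind not in CONTAINERS or len(rest) < 5:
            raise ValueError(f"unrecognised command: {raw!r}")
        name, attr, value = rest[2], " ".join(rest[3:-1]), rest[-1]
        cfg[kind].setdefault(name, {})[attr] = value
    return cfg


def check_vpn_config(cfg):
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    if cfg["global"].get("enabled") != "true":
        problems.append("VPN service is not enabled")
    for name, pol in cfg["ike policy"].items():
        if pol.get("auth-method") == "pre-shared-key":
            psk = pol.get("pre-shared-key")
            if psk is None:
                problems.append(f"IKE policy '{name}': auth-method is pre-shared-key but no key is set")
            elif len(psk) < MIN_PSK_LEN:
                problems.append(f"IKE policy '{name}': pre-shared key shorter than {MIN_PSK_LEN} characters")
        if not any(a.startswith("ciphersuite ") for a in pol):
            problems.append(f"IKE policy '{name}': no cipher suite in the phase-1 proposal")
    for name, pol in cfg["ipsec policy"].items():
        if not any(a.startswith("ciphersuite ") for a in pol):
            problems.append(f"IPsec policy '{name}': no cipher suite in the phase-2 proposal")
    for name, peer in cfg["ike peer"].items():
        if peer.get("ike-policy") not in cfg["ike policy"]:
            problems.append(f"IKE peer '{name}': references unknown IKE policy '{peer.get('ike-policy')}'")
        if "peer-endpoint address" not in peer:
            problems.append(f"IKE peer '{name}': no peer-endpoint address")
        dpd = peer.get("dpd-interval")
        if dpd is not None and (not dpd.isdigit() or int(dpd) < MIN_DPD_INTERVAL):
            problems.append(f"IKE peer '{name}': dpd-interval {dpd} is below {MIN_DPD_INTERVAL} seconds")
    for name, conn in cfg["ipsec connection"].items():
        if conn.get("ike-peer") not in cfg["ike peer"]:
            problems.append(f"IPsec connection '{name}': references unknown IKE peer '{conn.get('ike-peer')}'")
        if conn.get("ipsec-policy") not in cfg["ipsec policy"]:
            problems.append(f"IPsec connection '{name}': references unknown IPsec policy '{conn.get('ipsec-policy')}'")
        for side in ("local-ip-subnet", "remote-ip-subnet"):
            try:
                ipaddress.ip_network(conn.get(side, ""), strict=True)
            except ValueError:
                problems.append(f"IPsec connection '{name}': {side} is missing or not a valid subnet")
    return problems


def lint(text):
    """Parse and check a command list in one call."""
    return check_vpn_config(parse_set_lines(text))


if __name__ == "__main__":
    for problem in lint(SAMPLE_CONFIG) or ["no problems found"]:
        print(problem)
```

Run the script as-is and it reports the dangling 'VPN-GWY' reference and the short key; fix the peer name in the connection line and replace 'test123' with a key of at least 16 characters and the list comes back empty. The parser deliberately accepts only the command shapes shown in the procedure, so an unexpected line raises instead of being silently ignored, which is the safer failure mode for something that gates a commit.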