FutureNet NXR, WXR Configuration Examples

Contents

1. 148 235 3 L2TP IPsec 3 2 L2TP IPsec CRT NXR
    nxr120#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    nxr120(config)#hostname NXR
    NXR(config)#interface ethernet 0
    NXR(config-if)#ip address 192.168.10.1/24
    NXR(config-if)#exit
    NXR(config)#ip route 0.0.0.0/0 ppp 0
    NXR(config)#ip access-list ppp0_in permit any 10.10.10.1 udp 500 500
    NXR(config)#ip access-list ppp0_in permit any 10.10.10.1 50
    NXR(config)#ipsec x509 enable
    NXR(config)#ipsec x509 ca-certificate nxrCA ftp://192.168.10.10/nxrCA.pem
    NXR(config)#ipsec x509 crl nxrCA ftp://192.168.10.10/nxrCRL.pem
    NXR(config)#ipsec x509 certificate nxr ftp://192.168.10.10/nxrCert.pem
    NXR(config)#ipsec x509 private-key nxr key ftp://192.168.10.10/nxrKey.pem
    NXR(config)#ipsec x509 private-key nxr password nxrpass
    NXR(config)#ipsec local policy 1
    NXR(config-ipsec-local)#address ip
    NXR(config-ipsec-local)#x509 certificate nxr
    NXR(config-ipsec-local)#exit
    NXR(config)#ipsec isakmp policy 1
    NXR(config-ipsec-isakmp)#description smartphone
    NXR(config-ipsec-isakmp)#authentication rsa-sig
    NXR(config-ipsec-isakmp)#hash sha1
    NXR
2. UDP 500 4500 IPsec NAT 5 XIPsec NAT gt NXR config ipsec nat traversal enable NAT 6 lt IPsec gt NXR config ipsec local policy 1 IPsec 1 NXR config ipsec local address ip IPsec IP IP ipsec policy 1 IP 160 235 3 L2TP IPsec 3 3 L2TP IPsec NAT 7 XIPsec ISAKMP 1 gt NXR config ipsec isakmp policy 1 ISAKMP 1 NXR config ipsec isakmp description smartphone ISAKMP 1 smartphone
3. IPsec IP 192 168 30 0 24 IP 192 168 10 0 24 127 235 2 Route Based IPsec 2 8 IPsec OSPF 3 gt NXR C config itinterface tunnel 1 1 NXR_O config tunnel ip address 192 168 30 1 32 1 IP 192 168 30 1 32 OSPF 97 LANCEthernet0 IP 32 NXR_O config tunnel tunnel mode ipsec ipv4 Route Based IPsec ipsec ipv4 NXR_O co
4. auto NXR_A config ipsec tunnel set transform esp aes128 esp sha1 hmac IPsec esp aes128 esp sha1 hmac NXR _A config ipsec tunnel set pfs group5 PFS Perfect Forward Secrecy DH PFS DH groups NXR _A config ipsec tunnel set sa lifetime 3600 IPsec SA 3600 NXR A config ipsec tunnel itset key exchange isakmp 1 ISAKMP ISAKMP 1 NXR A config ipsec tunnel itmatch address LAN B IPsec IPsec LAN B 14
5. ESP IPsec Policy Based IPsec IP SPD NAT NAT SNAT NAT DNAT IP OSPF Policy Based IPsec GRE IPIP over IPsec Route Based IPsec NXR WXR 2013 4 5 235 NXR IPsec Policy Based IPsec Route Based IPsec Policy Based IPsec Route Based IPsec Policy Based IPsec Route Based IPsec Set route O x x O x policy ignore O AMENS S
6. IP smartphoneip 13 lt L2TPv2 gt NXR config itl2tp udp source port 1701 L2TPv2 1701 NXR config itl2tp 1 L2TP1 NXR config 2tp tunnel mode Ins L2TPv2 LNS 136 235 3 L2TP IPsec 3 1 L2TP IPsec NXR config 2tp unnel address any ipsec IP IPsec IPsec SA NXR config I2tp ittunnel virtua template 0 LNS virtual template 0 14 WAN ppp0 gt NXR config interface ppp 0 WAN ppp0 NXR config ppp ip address 10 10 10
7. ID nxrc fadn ART 7 XIPsec ISAKMP 1 gt NXR_O config ipsec isakmp policy 1 NXR A IPsec ISAKMP 1 NXR C config ipsec isakmp tdescription NXR_A ISAKMP 1 NXR A NXR C config ipsec isakmp stauthentication pre share ipseckey2 LT pre share ipseckey2 NXR_A NXR_O config ipsec isakmp hash sha1 shal NXR C config ipsec isakmp tencryption aes128 aes128 NXR C config ipsec isakmp stgroup 5 Diffie Hellman DH group 5 NXR C config ipsec isakmp ttlifetime 10800 ISAKMP SA 10800 NXR C co
8. 115 2 8 IPsec OSPE 119 ORIG 129 8 1 L2TP IPsec tette th traen teas aeta aad 130 3 2 L2TP IPsec CRT kk 147 8 3 L2TP IPsec NAT K H JILETENN aa 157 Di HAE 167 168 L2TP IPsec 178 show config kk 176 K eil EE 231 kk 232 6002 234 2 235 FutureNet FutureNet NXR WXR NXR 120 C NXR 125 CX NXR 130 C NXR 155 C WM NXR 155 C XW
9. lt gt nxr120 show ipsec status 000 tunnel1 192 168 30 0 24 10 10 30 1 nxrc 10 10 10 1 10 10 10 1 192 168 10 0 24 erouted eroute owner 2 000 tunnel1 ike life 108005 ipsec life 3600s margin 2705 inc ratio 100 000 tunnell newest ISAKMP SA 1 newest IPsec SA 2 000 tunnel1 IKE proposal AES CBC 128 HMAC SHA1 MODP 1536 000 tunnell ESP proposal AES CBC 128 HMAC SHA1 MODP 1536 000 000 2 tunnel1 STATE QUICK 12 sent GI2 IPsec SA established EVENT SA REPLACE in 3212s newest IPSEC eroute owner 000 2 tunnell esp 7a5cb4c1 10 10 10 1 0 bytes esp 9867e772 10 10 30 1 0 bytes tunnel 000 1 tunnell STATE AGGR I2 sent AI2 ISAKMP SA established EVENT SA REPLACE in 102915 newest ISAKMP 000 Connections Security Associations none e show syslog message info debug IPsec gt
10. IP NAPT NXR NAT IPsec 192 168 10 100 192 168 20 100 LAN_A 192 168 10 0 24 LAN_B 192 168 20 0 24 Eth0 ppp0 GW Eth1 Eth0 192 168 10 1 10 10 10 1 192 168 120 254 192 168 120 1 192 168 20 1 Route Based IPsec Policy Based IPsec RIPv1 v2 0SPF BGP 1 6 IPsec NAT NAT IP SPI DNS 109 235 2 Route Based IPsec 2 6 IPsec NAT NXR A nxr120 configure terminal Enter configuration commands one per line End with CNTL Z nxr120 config hostname NXR A NXR A config itinterface ethernet 0 NXR A config if i
11. DPD NXR IPsec DPD 30 3 keepalive SA IKE NXR A config ipsec isakmp ttlocal policy 1 IPsec IPsec 1 9 lt IPsec gt NXR A config ifipsec tunnel policy 1 NXR B IPsec 1 NXR_A config ipsec tunnel description NXR B 1 NXR B NXR _A config ipsec tunnel negotiation mode auto IPsec
12. ESP SHA1 HMAC ESP AES128 Diffie Hellman DH Group5 3600 s ipseckey NXR_B WAN IP IP ID 17 235 1 Policy Based IPsec 1 2 IP AggressiveMode NXRA ISAKMP remote identity NXR_B IPsec self identity identity IKE NXR self identity NXR remote identity 18 235 1 Policy Based IPsec 1 2 Sg IP AggressiveMode NXR A nxr120 configure terminal Enter configuration commands one per line End with CNTL Z nxr120 config hostname NXR A NXR A config itinterface ethernet 0 NXR A config if itip address 192 168
13. IP IPsec IPsec LANA IP 192 168 20 0 24 IP 192 168 10 0 24 5 lt 1 gt B config itipsec local policy 1 B config ipsec local taddress ip IPsec 1 IPsec IP IP ipsec policy 1 IP 6 XIPsec ISAKMP gt NXR_B config ipsec isakmp policy 1 NXR_B config ipsec isakmp description NXR A B config ipsec isakmp ftauthentication pre share ipseckey B config ipsec isakmp tthash sha1 B config ipsec isakmp tencryption aes128 NXR B config ipsec isakmp ttgroup 5 B config ipsec isakmp ttlifetime 10800 NXR B config ipsec isakmp tisakmp mode main B config ipsec isakmp itremote address ip 10 10 10 1 B config ipsec isakmp ttkeepalive 30 3 periodic restart B config ipsec isakmp ttlocal policy 1 NXR A
14. Route Based IPsec ipsec ipv4 NXR _B config tunnel tunnel protection ipsec policy 1 IPsec IPsec 1 ipsec policy 1 s IPsec NXR B config tunnel ttip tcp adjust mss auto TCP MSS TCP MSS TCP MSS TCP 113 235 2 Route Based IPsec 2 6 IPsec NAT LAN A LAN B IP 192 168 10 100 192 168 20 100 255 255 255 0 255 255 255 0 192 168 10 1 192 168 20 1 114 235 2 Route Based IPsec 2 7 IPse
15. WAN IP IP ID ID nxrb fadn NXR A config ipsec isakmp ttkeepalive 30 3 periodic clear IKE KeepAlive DPD DPD Dead Peer Detection ISAKMP SA SG WAN SA SA DPD NXR IPsec DPD 30 3 keepalive SA IKE NXR A config ipsec isakmp ttlocal policy 1 IPsec IPsec 1 7 lt 1
16. 3 IPsec IPsec SA IPsec IPsec Ping Ex NXR lt 1 VPN VPN VPN 2 NXR terminal width 180 terminal no width NXR show syslog
17. NXR config ppp ip spi filter WAN NXR config ppp ttip tcp adjust mss auto TCP MSS NXR config ppp no ip redirects ICMP NXR config ppp ppp username test1 centurysys PPPoE ID PPP test1 centurysys NXR config
18. tunnel 1 2 lt 1 gt NXR_A config ipsec access list LAN B ip 192 168 10 0 24 192 168 20 0 24 Policy Based IPsec IPsec IPsec ESP Route Based IPsec IPsec IKE 2 ID sr Route Based IPsec ESP IPsec lt IPsec LAN B IP 192 168 10 0 24 IP 192 168 20 0 24 3 gt NXR A config itinterface tunnel 1 1 NXR A config tunnel tttunnel mode ipsec ipv4 Route Based IPsec ipsec ipv4
19. 175 235 show config show config 1 1 IP MainMode NXR A Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname _ telnet server enable http server enable 1 ipv6 forwarding no fast forwarding enable 1 1 ipsec local policy 1 address ip 1 ipsec isakmp policy 1 description NXR B authentication pre share ipseckey hash shal encryption aes128 group 5 isakmp mode main remote address ip 10 10 20 1 local policy 1 1 I ipsec tunnel policy 1 description NXR B set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 1 match address LAN B 1 I interface ethernet 0 ip address 192 168 10 1 24 1 interface ethernet 1 ip address 10 10 10 1 24 ipsec policy 1 dns service enable 1 syslog local enable I 1 1 system led ext 0 signal level mobile 0 I 1 1 176 235 show config ip route 0 0 0 0 0 10 10 10 254 I ipsec access list LAN_B ip 192 168 10 0 24 192 168 20 0 24 1 1 1 end NXR B Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname NXR_B telnet server enable http server enable 1 ipv6 forwarding no fast forwarding e
20. E Eu dc CETT ACT ill SoftBank 14 08 ORJA S u IECH kd z iCloud 142 235 3 L2TP IPsec 3 1 L2TP IPsec 3 TVPN SoftBank 14 09 Siri gt VPN gt iTunes Wi Fi gt Spotlight 4 VPN VPN test VPN mil SoftBank 14 09 E test d VPN 143 235 3 L2TP IPsec 3 1 L2TP IPsec 5 L2TP SoftBank L2TP PPTP NXR L2TP IPsec PSK 10 10 10 1 ios01 RSA SecurlD eeeeeeeee eeeeeeee
21. NXR A IPsec 1 tunnel 1 2 lt IPsec gt NXR_B config ipsec access list LAN A ip 192 168 20 0 24 192 168 10 0 24 Policy Based IPsec IPsec IPsec ESP Route Based IPsec IPsec IKE 2 ID sr Route Based IPsec ESP IPsec lt IPsec LAN_A IP 192 168 20 0 24 IP 192 168 10 0 24 3 gt NXR B config itinterface tunnel 1 1 NXR B config tunnel tttunnel mode ipsec ipv4
22. CLI copy GUI 3 235 Version 1 0 0 NXR 120 C Ver5 22 2 3 L2TP IPsec T IPsec L2TP IPsec show config FutureNet 4 235 NXR IPsec NXR IPsec NXR 2 IPsec XR Policy Based IPsec
23. LAN A LAN B LAN C IP 192 168 10 100 192 168 20 100 192 168 30 100 255 255 255 0 255 255 255 0 255 255 255 0 192 168 10 1 192 168 20 1 192 168 30 1 64 235 1 Policy Based IPsec 1 6 IPsec NAT 1 6 IPsec NAT NXR IP IP NAPT NXR NAT IPsec 192 168 10 100 192 168 20 100 LAN_A 192 168 10 0 24 LAN_B 192 168 20 0 24 Te s Eth0 ppp0 GW Eth1 Eth0 192 168 10 1 10 10 10 1 192 168 120 254 192 168 120 1 192 168 20 1 NXR_B IKE NAT NXR_A B
24. NXR A config tunnel ttip tcp adjust mss auto TCP MSS 125 235 2 Route Based IPsec 2 8 IPsec OSPF NXR B 2 5 PPPoE IPsec NXR_B 1 lt OSPF gt NXR _B config router ospf OSPF NXR _B config router router id 172 31 0 2 OSPF ID NXR _B config router network 192 168 20 0 24 area 0 OSPF 192 168 20 0 24 0 OSPF NXR _B config router passive interface ethernet 0 Ethernet0 Ethernet0 LAN OSPF Ethernet0
25. NXR_C config ipsec isakmp ocal policy 1 IPsec IPsec 1 8 lt IPsec 1 gt NXR C config itipsec tunnel policy 1 NXR A IPsec 1 NXR_C config ipsec tunnel description NXR A 1 NXR_C config ipsec tunnel negotiation mode auto IPsec auto NXR_C config ipsec tunnel set transform esp aes128 esp sha1 hmac IPsec
26. IPsec 1 44 235 1 Policy Based IPsec 1 4 X 509 LAN A LAN B IP 192 168 10 100 192 168 20 100 255 255 255 0 255 255 255 0 192 168 10 1 192 168 20 1 45 235 1 Policy Based IPsec 1 5 PPPoE IPsec 1 5 PPPoE IPsec PPPoE IPsec 1 NXR_A NXR B NXR_A NXR_C IPsec SPI NAT IP DNS LAN B 192 168 20 0 24 0 NXR B ppp 10 10 20 1 LAN A 192 168 10 0 24 Eth0 192 168 20 1 192 1
27. 1 gt NXR A config itip route 192 168 20 0 24 tunnel 1 IPsec IP IPsec IPsec LAN B NXR B IPsec 1 tunnel 1 2 lt IPsec gt NXR A config itipsec access list LAN B ip 192 168 10 0 24 192 168 20 0 24 Policy Based IPsec IPsec IPsec ESP Route Based IPsec IPsec IKE 2 ID Lei Route Based IPsec ESP IPsec lt
28. NXR B config tunnel tttunnel mode ipsec ipv4 Route Based IPsec ipsec ipv4 NXR _B config tunnel tunnel protection ipsec policy 1 IPsec IPsec 1 ipsec policy 1 S IPsec NXR B config tunnel ttip tcp adjust mss auto TCP MSS TCP MSS TCP MSS TCP 98 235 2 Route Based IPsec 2 4 X 509 LAN A LAN B IP 192 168 10 100 192 168 20 100 255 255 255 0 2
29. tunnel 1 2 lt 1 gt NXR_A config ipsec access list LAN B ip 192 168 10 0 24 192 168 20 0 24 Policy Based IPsec IPsec IPsec ESP Route Based IPsec IPsec IKE 2 ID sr Route Based IPsec ESP IPsec lt IPsec LAN B IP 192 168 10 0 24 IP 192 168 20 0 24 3 gt NXR A config itinterface tunnel 1 1 NXR A config tunnel tttunnel mode ipsec ipv4 Route Based IPsec ipsec ipv4 N
30. Copyright (c) 2009-2013 Century Systems Co., Ltd. All Rights Reserved.
31. IPsec 1 7 lt IPsec 1 gt NXR config itipsec tunnel policy 1 1 NXR config ipsec tunnel description smartphone 1 smartphone NXR config ipsec tunnel set transform esp aes128 esp sha1 hmac IPsec esp aes128 esp sha1 hmac NXR config ipsec tunnel no set pfs PFS Perfect Forward Secrecy DH PFS 134 235 3 L2TP IPsec 3 1 L2TP IPsec NXR config ipsec tunnel set sa lifetime 28800 IPsec SA 28800 NXR config ipsec tunnel set key exchange isakmp 1 ISAKMP
32. 3600 NXR B config ipsec tunnel itset key exchange isakmp 1 ISAKMP ISAKMP 1 NXR _B config ipsec tunnel match address LAN IPsec IPsec LANA 9 lt 0 gt NXR B config tinterface ppp 0 NXR_B config ppp ip address 10 10 20 1 32 NXR_B config ppp ip masquerade B config ppp ip access group in pppO in NXR B config ppp ttip spi filter NXR B config ppp ttip tcp adjust mss auto NXR _B config ppp no ip redirects B config ppp tppp authentication auto B config ppp tppp username test2 centurysys password test2pass B config ppp fipsec policy 1 ppp0 IP IP 10 10 20 1 32 IP NAT IP ppp0 in in
33. IPsec ipsec policy N N IPsec ISAKMP IPsec local policy N N IPsec IPsec ISAKMP set key exchange isakmp N N ISAKMP 1 IPsec match address WORD WORD IPsec IPsec Route Based IPsec tunnel protection ipsec policy N N IPsec IPsec tunnel mode ipsec ipv4 7 235 zo 1 Policy Based IPsec
34. 73 235 1 Policy Based IPsec 1 6 IPsec NAT NXR_B config ipsec tunnel set transform esp aes128 esp sha1 hmac IPsec esp aes128 esp sha1 hmac NXR _B config ipsec tunnel set pfs group5 PFS Perfect Forward Secrecy DH PFS DH group5 NXR_B config ipsec tunnel set sa lifetime 3600 IPsec SA 3600 NXR B config ipsec tunnel itset key exchange isakmp 1 ISAKMP ISAKMP 1 NXR _B config ipsec tunnel match address LAN IPsec IPsec LANA 9 lt Ethernet1 gt NXR_B config interface ethernet 1 NXR_
35. group 5 NXR A config ipsec isakmp ttlifetime 10800 ISAKMP SA 10800 NXR_A config ipsec isakmp jsakmp mode main 1 RSA NXR A config ipsec isakmp itremote address ip 10 10 20 1 NXR WAN NXR WAN IP 10 10 20 1 A config ipsec isakmp tremote identity fqdn nxrb identity ID nxrb fqdn NXR A config ipsec isakmp tkeepalive 30 3 periodic restart 30 235 1 Policy Based IPsec 1 3 RSA IKE KeepAlive DPD DPD Dead Peer Detection ISAKMP SA NXR WAN SA SA
36. ppp0 9 RAS 0 gt NXR config access server profile 0 0 NXR config ras ppp username android01 ip 172 16 0 10 android01 172 16 0 10 IP 10 RAS 1 gt NXR config itaccess server profile 1 1 NXR config ras ppp username ios01 ip 172 16 0 11 135 235 3 L2TP IPsec 3 1 L2TP IPsec ios01 172 16 0 11 IP 11 lt IP gt NXR config ip local pool smartphoneip address 172 16 0 10 172 16 0 11 IP IP smartphoneip 172 16 0 10 172 16 011 IP 12 virtual template 0 gt NXR config interface virtua template
37. lt gt NXR show ipsec status 000 tunnel1 10 10 10 1 10 10 10 1 17 1701 17 unrouted eroute owner 0 000 tunnell ike life 864005 ipsec life 288005 margin 2705 inc ratio 100 000 tunnell newest ISAKMP SA 0 newest IPsec SA 0 000 tunneli 1 10 10 10 1 10 10 10 1 17 1701 10 10 20 10 10 10 20 10 17 50891 erouted eroute owner 2 000 tunneli 1 ike life 864005 ipsec life 288005 margin 270s inc ratio 100 000 tunneli 1 newest ISAKMP SA 1 newest IPsec SA 2 000 tunneli 1 IKE proposal AES CBC 256 HMAC SHA1 MODP 1024 000 Tunnel DL ESP proposal AES CBC 256 HMAC SHA1 XN A 000 000 2 tunnell 1 10 10 20 10 STATE QUICK R2 IPsec SA established EVENT SA REPLACE in 3451s newest IPSEC eroute owner 000 2 tunnel1 DT 10 10 20 10 esp 26594af 10 10 20 10 528 bytes 14s ago esp 44242e17 10 10 10 1 562 bytes 14s ago transport 000 1 tunneli 1 10 10 20 10 STATE MAIN R3 sent ISAKMP SA established EVENT SA REPLACE in 3449s newest ISAKMP 000 Connections Security Associations none L2TP show I2tp lt gt NXR show l2tp NumL2TPTunnels 1 Tunnel MyID 62277 AssignedID 8 NumSessions 1 PeerIP 10 10 20 10 State established Session LNS MyID 48685 AssignedID 1055
38. IPsec ESP Route Based IPsec IPsec IKE 2 ID s Route Based IPsec ESP IPsec lt IPsec LAN B IP 192 168 10 0 24 IP 192 168 20 0 24 fTHI IPsec LAN C IP 192 168 10 0 24 IP 192 168 30 0 24 3 1 gt NXR A config itinterface tunnel 1 1 NXR_A config tunnel tunnel mode ipsec ipv4 Route Based IPsec ipsec ipv4 NXR_A config tunnel tunnel protection ipsec policy 1 IPsec
39. Ethernet0 IP 10 3 down 2 lt IPsec ISAKMP gt NXR B config ipsec isakmp ttnetevent 1 reconnect ISAKMP 1 track NXR track 1 Ping IPsec m IPsec IKE IPsec tunnel IPsec ISAKMP LAN B IP 192 168 10 100 192 168 20 100 255 255 255 0 255 255 255 0 192 168 10 1 192 168 20 1 118 235 2 Route Based IPsec 2 8 IPsec
40. auto NXR_A config ipsec tunnel set transform esp aes128 esp sha1 hmac IPsec esp aes128 esp sha1 hmac NXR _A config ipsec tunnel set pfs group5 PFS Perfect Forward Secrecy DH PFS DH groups NXR _A config ipsec tunnel set sa lifetime 3600 IPsec SA 3600 NXR A config ipsec tunnel itset key exchange isakmp 1 ISAKMP ISAKMP 1 NXR _A config ipsec tunnel match address LAN B IPsec 31 235 1 Policy Based IPsec 1 3 RSA IPsec
41. NXR B config tunnel tttunnel mode ipsec ipv4 Route Based IPsec ipsec ipv4 NXR_B config tunnel tunnel protection ipsec policy 1 IPsec IPsec 1 ipsec policy 1 s IPsec NXR B config tunnel ttip tcp adjust mss auto TCP MSS TCP MSS TCP MSS TCP 80 235 2 Route Based IPsec 2 1 IP MainMode LAN A LAN B IP 192 168 10 100 192 168 20 100 255 255 255 0 255 255 255
42. TCP MSS TCP MSS TCP 86 235 2 Route Based IPsec 2 2 IP AggressiveMode LAN A LAN B IP 192 168 10 100 192 168 20 100 255 255 255 0 255 255 255 0 192 168 10 1 192 168 20 1 87 235 2 Route Based IPsec 2 3 RSA 2 3 RSA IKE 1 RSA RSA IKE 1 LAN A 192 168 10 0 24 LAN_B 192 168 20 0 24 MRA L NXR_B 192 168 10 100 BENE 10 10 10 254 10 10 20 254 Eth1 192 168 10 1 10 10 10 1 10 10 20 1 192 168 20 1 192 168 20
43. 10 lt NXR_A gt NXR_A config ipsec x509 private key nxra password nxrapass NXR A nxrapass hidden 11 lt IPsec gt NXR A config tipsec local policy 1 IPsec 1 NXR A config ipsec local itaddress ip IPsec IP IP ipsec policy 1 IP NXR_A config ipsec local x509 certificate nxra X 509 8 NXR A certificate name nxra NXR A config ipsec local itself identity dn C JP CN nxra E nxra example com identity 509 identity DN Distinguished Name DN subject
44. IP IPsec IPsec LANB IP 192 168 10 0 24 IP 192 168 20 0 24 IPsec LANC IP 192 168 10 0 24 IP 192 168 30 0 24 6 XIPsec gt NXR A config itipsec local policy 1 51 235 1 Policy Based IPsec 1 5 PPPoE IPsec IPsec 1 NXR A config ipsec local itaddress ip IPsec IP IP ipsec policy 1 IP 7 lt 1 ISAKMP 1 gt NXR_A config psec isakmp policy 1 NXR_B IPsec ISAKMP 1 NXR_A config ipsec isakmp description NXR B ISAKMP 1 NXR B
45. NXR config ipsec isakmp authentication pre share ipseckey pre share ipseckey NXR config ipsec isakmp hash sha1 sha1 NXR config ipsec isakmp encryption aes128 aes128 NXR config ipsec isakmp group 5 Diffie Hellman DH group 5 NXR config ipsec isakmp itlifetime 86400 ISAKMP SA 86400 NXR config ipsec isakmp itisakmp mode main 1 NXR config ipsec isakmp remote address ip IP any NXR config ipsec isakmp stlocal policy 1 IPsec
46. aes128 NXR B config ipsec isakmp ttgroup 5 Diffie Hellman DH group 5 NXR B config ipsec isakmp ttlifetime 10800 ISAKMP SA 10800 NXR B config ipsec isakmp ttisakmp mode aggressive 1 WAN BI IPv4 IP NXR B config ipsec isakmp ttremote address ip 10 10 10 1 NXR A WAN NXR A WAN IP 10 10 10 1 NXR B config ipsec isakmp ttkeepalive 30 3 periodic restart IKE KeepAlive DPD DPD Dead Peer Detection ISAKMP SA NXR WAN SA SA DPD
47. SD Android 1 2 3 VPN S VPN Wi Fi Direct 4 VPN VPN 57 VPN VPN 153 235 3 L2TP IPsec 3 2 L2TP IPsec CRT 5 VPN NXR L2TP IPsec CRT L2TP IPSec RSA 10 10 10 1 L2TP IPSec nxr L2TP IPsec IPSec CA nxr L2TP I
48. RSA IKE 1 LAN A 192 168 10 0 24 LAN_B 192 168 20 0 24 MRA L TT BENE 10 10 10 254 10 10 20 254 Eth1 Eth0 1 192 168 10 100 i e 10 1 10 10 10 1 10 10 20 1 192 168 20 1 192 168 20 100 RSA IKE 1 NXR ISAKMP ISAKMP RSA IPsec ISAKMP identity 26 235 1 Policy Based IPsec 1 3 RSA NXR A nxr120 configure terminal Enter configuration commands one per line End with CNTL Z nxr120 config hostname NXR A NXR A config itinterface ethernet 0 NXR A config if itip address 192 168 10 1 24 NXR A config if itexit NXR A config itip route 0 0 0 0 0 10 10 10 254 NXR A config it
49. FutureNet IPsec URL http www centurysys cojp company privacy html NXR IP 1 O O OO A OHT IPsec
50. IP ppp0 S IP s UDP 500 50 ESP IPsec 5 XIPsec gt NXR config ipsec local policy 1 IPsec 1 NXR config ipsec local address ip IPsec IP IP ipsec policy 1 IP 6 XIPsec ISAKMP 1 gt NXR config ipsec isakmp policy 1 ISAKMP 1 133 235 3 L2TP IPsec 3 1 L2TP IPsec NXR config ipsec isakmp description smartphone ISAKMP 1 smartphone
51. NXR IPsec DPD 30 3 keepalive SA IKE B config ipsec isakmp ttlocal policy 1 IPsec IPsec 1 8 XIPsec gt NXR B config ifipsec tunnel policy 1 NXR A IPsec 1 NXR_B config ipsec tunnel description NXR A 1 NXR A NXR _B config ipsec tunnel negotiation mode auto IPsec auto
52. NXR_A config ipsec tunnel set transform esp aes128 esp sha1 hmac IPsec esp aes128 esp sha1 hmac NXR _A config ipsec tunnel set pfs group5 PFS Perfect Forward Secrecy DH PFS DH group5 NXR _A config ipsec tunnel set sa lifetime 3600 IPsec SA 3600 NXR A config ipsec tunnel itset key exchange isakmp 1 ISAKMP ISAKMP 1 NXR _A config ipsec tunnel match address LAN B IPsec IPsec LAN B 8 lt Ethernet1 gt NXR_A config interface ethernet 1 NXR A config if itip address 10 10 10 1 24 Ethernet IP 10 10 10 1 24
53. 2 CLAN ethernet0 gt NXR config itinterface ethernet 0 NXR config if itip address 192 168 10 1 24 Ethernet0 IP 192 168 10 1 24 3 gt NXR config ip route 0 0 0 0 0 ppp 0 PPPoE ppp 4 lt IP gt NXR config jp access list ppp0 in permit any 10 10 10 1 udp any 500 NXR config itip access list pppO in permit any 10 10 10 1 udp any 4500 IP ppp0_in IP 10 10 10 1 UDP 500 IP 10 10 10 1 UDP 4500 IP ppp0 S IP
54. OSPF 2 8 IPsec OSPF Route Based IPsec Policy Based IPsec IPsec OSPF NXR_A IPsec SPI NAT IP DNS LAN B 192 168 20 0 24 ppp0 NXR_B 10 10 20 1 gt ho d 192 168 20 1 192 168 20 100 LAN_A 192 168 10 0 24 192 168 10 100 Etho wi 192 168 10 1 10 10 10 1 LAN C 192 168 30 0 24 em NXRC em ppp0 NO 192 168 30 100 IP 192 168 30 1 OSPF IP OSPF Point to Point NAT IP
55. lt gt pluto XXXX tunnel1 1 initiating Aggressive Mode 1 connection tunneli pluto XXXX tunnel1 1 received Vendor ID payload strongSwan pluto XXXX tunnell 1 received Vendor ID payload XAUTH pluto XXXX tunnel1 1 received Vendor ID payload Dead Peer Detection pluto XXXX tunnel1 1 sent AI2 ISAKMP SA established pluto XXXX tunnell 1 Dead Peer Detection 3706 enabled pluto XXXX tunnell 2 initiating Quick Mode PSK ENCRYPT TUNNEL PFS UP 0x4000000 using isakmp 1 charon 03 KNL interface tunnel1 activated pluto XXXX tunnel 2 sent 012 IPsec SA established ESP gt 0xc5e28ab0 lt 0x899ed286 DPD gt lt gt pluto XXXX packet from 10 10 30 1 500 received Vendor ID payload strongSwan pluto XXXX packet from 10 10 30 1 500 received Vendor ID payload XAUTH pluto XXXX packet from 10 10 30 1 500 received Vendor ID payload Dead Peer Detection pluto XXXX tunnel1 1 10 10 30 1 1 responding to Aggressive Mode from unknown peer 10 10 30 1 pluto XXXX tunnel1 1 10 10 30 1 1 ISAKMP SA established pluto XXXX tunnel1 1 10 10 30 1 1 Dead Peer Detection 3706 enabled pluto XXXX tunnel1 1 10 10 30 1 2 responding to Quick Mode charon 03 KNL interface tunnel1 activated p
56. 30 3 keepalive SA IKE NXR A config ipsec isakmp ttlocal policy 1 IPsec IPsec 1 7 lt IPsec gt NXR_A config ipsec tunnel policy 1 NXR_B IPsec 1 NXR_A config ipsec tunnel description NXR B 1 NXR B NXR A config ipsec tunnel itnegotiation mode auto 13 235 1 Policy Based IPsec 1 1 IP MainMode IPsec auto
57. IP 10 10 10 1 UDP 500 IP 10 10 10 1 UDP 4500 IP ppp0 S IP s NAT UDP 500 UDP 4500 5 lt 1 gt NXR A config tipsec access list LAN B ip 192 168 10 0 24 192 168 20 0 24 Policy Based IPsec IPsec IPsec ESP IPv4 IPsec IPsec LAN B IPv4 192 168 10 0 24
58. VPN Wi Fi Direct 4 VPN VPN VPN VPN 139 235 3 L2TP IPsec 3 1 L2TP IPsec 5 VPN NXR L2TP IPsec PSK 947 L2TP IPSec PSK AES E LZ 10 10 10 1 L2TP IPSec ID IPSec NXR L2TP IPsec PSK L2TP IPSec PSK 10 10 10 1 WAN fll IP L2TP IPSec ID IPSec ipseckey NXR 6 VPN NXR L2TP IPsec PSK NXR L2TP IPsec PSK VPN L2TP IPse
59. gt L2TP PPP lt L2TP gt I2tp XXXX L2TP Session Established I2tp XXXX Peer IP 10 10 20 10 port 59139 I2tp XXXX Local Tunnel Session ID 51172 15957 I2tp XXXX Remote Tunnel Session ID 18 1354 pppd XXXX L2TPv2 plugin loaded pppd XXXX pppd 2 4 4 started pppd XXXX Using interface ppp102 pppd XXXX Connect ppp102 lt gt pppd XXXX No CHAP secret found for authenticating ios011 pppd XXXX Peer ios011 failed CHAP authentication I2tp XXXX L2TP Session Closed NXR 174 235 L2TP IPsec gt L2TP PPP lt L2TP gt I2tp XXXX L2TP Session Established I2tp XXXX Peer IP 10 10 20 10 port 53244 I2tp XXXX Local Tunnel Session ID 48235 16523 I2tp XXXX Remote Tunnel Session ID 19 1360 pppd XXXX L2TPv2 plugin loaded pppd XXXX pppd 2 4 4 started pppd XXXX Using interface ppp102 pppd XXXX Connect ppp102 lt gt pppd XXXX Peer ios01 failed CHAP authentication I2tp XXXX L2TP Session Closed NXR
60. Pre Shared Key Main 10800 s 2 ESP SHA1 HMAC ESP AES128 Diffie Hellman DH Group5 3600 s ipseckey 9 235 1 Policy Based IPsec 1 1 IP MainMode NXR A
    nxr120#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    nxr120(config)#hostname NXR_A
    NXR_A(config)#interface ethernet 0
    NXR_A(config-if)#ip address 192.168.10.1/24
    NXR_A(config-if)#exit
    NXR_A(config)#ip route 0.0.0.0/0 10.10.10.254
    NXR_A(config)#ipsec access-list LAN_B ip 192.168.10.0/24 192.168.20.0/24
    NXR_A(config)#ipsec local policy 1
    NXR_A(config-ipsec-local)#address ip
    NXR_A(config-ipsec-local)#exit
    NXR_A(config)#ipsec isakmp policy 1
    NXR_A(config-ipsec-isakmp)#description NXR_B
    NXR_A(config-ipsec-isakmp)#authentication pre-share ipseckey
    NXR_A(config-ipsec-isakmp)#hash sha1
    NXR_A(config-ipsec-isakmp)#encryption aes128
    NXR_A(config-ipsec-isakmp)#
61. IKE 1 NXR X 509 FutureNet RA CA X 509 IKE 1 LAN A 192 168 10 0 24 LAN_B 192 168 20 0 24 T TT MEME 10 10 10 254 10 10 20 254 Eth1 Eth0 192 168 10 100 we 10 1 10 10 10 1 10 10 20 1 192 168 20 1 192 168 20 100 X 509 1 X 509 NXR FutureNet RA Y CA FTP SSH FTP 192 168 10 10
62. IP ppp0 in in ppp0 NXR IP IPsec 1 IPsec 11 Ethernet1 gt NXR A config itinterface ethernet 1 NXR A config if no ip address NXR A config if ifpppoe client ppp 0 Etherneti PPPoE ppp0 12 lt DNS gt NXR _A config dns NXR A dns config itservice enable DNS NXR B 1 gt nxr120 config hostname NXR B NXR_B 2 Ethernet0 gt NXR B config stinterface ethernet 0 NXR B config if tip address 192 168 20 1 24 Ethernet0 IP 192 168 20 1 24 71 235 1 Policy Based IPsec
63. OSPF
    NXR_B(config-ipsec-isakmp)#lifetime 10800
    NXR_B(config-ipsec-isakmp)#isakmp-mode main
    NXR_B(config-ipsec-isakmp)#remote address ip 10.10.10.1
    NXR_B(config-ipsec-isakmp)#keepalive 30 3 periodic restart
    NXR_B(config-ipsec-isakmp)#local policy 1
    NXR_B(config-ipsec-isakmp)#exit
    NXR_B(config)#ipsec tunnel policy 1
    NXR_B(config-ipsec-tunnel)#description NXR_A
    NXR_B(config-ipsec-tunnel)#negotiation-mode auto
    NXR_B(config-ipsec-tunnel)#set transform esp-aes128 esp-sha1-hmac
    NXR_B(config-ipsec-tunnel)#set pfs group5
    NXR_B(config-ipsec-tunnel)#set sa lifetime 3600
    NXR_B(config-ipsec-tunnel)#set key-exchange isakmp 1
    NXR_B(config-ipsec-tunnel)#match address LAN_A
    NXR_B(config-ipsec-tunnel)#exit
    NXR_B(config)#interface tunnel 1
    NXR_B(config-tunnel)#ip address 192.168.20.1/32
    NXR_B(config-tunnel)#tunnel mode ipsec ipv4
    NXR_B(config-tunnel)#tunnel protection ipsec policy 1
    NXR_B(config-tunnel)#ip tcp adjust-mss auto
    NXR_B(config-tunnel)#exit
    NXR_B(config)#interface ppp 0
    NXR_B(config-ppp)#ip address 10.10.20.1/32
    NXR_B(config-ppp)#ip masquerade
    NXR_B(config-ppp)#ip access-group in ppp0_in
    NXR_B(config-ppp)#ip spi-filter
    NXR_B(config-ppp)#ip tcp adjust-mss auto
    NXR_B(config-ppp)#no ip redirects
    NXR_B(config-ppp)#ppp authentication auto
    NXR_B(config-ppp)#ppp username test2@centurysys password test2pass
    NXR_B(config-ppp)#ipsec policy
64. 4 NXR certificate name nxr 8 lt IPsec ISAKMP gt NXR config ipsec isakmp authentication rsa sig X 509 rsa sig NXR config ipsec isakmp remote identity dn C JP CN smartphone E smartphone example com identity 151 235 3 L2TP IPsec 3 2 L2TP IPsec CRT identity DN Distinguished Name DN subject X 509 identity 152 235 3 L2TP IPsec 3 2 L2TP IPsec CRT Android Android Android
65. gt Iuto XXXX tunnel1 1 initiating Aggressive Mode 1 connection tunnell pluto XXXX tunnell 1 max number of retransmissions 20 reached STATE AGGR I1 pluto XXXX tunnel1 1 starting keying attempt 2 of an unlimited number pluto XXXX tunnell 2 initiating Aggressive Mode 2 to replace 1 connection tunneli WAN IPsec UDP500 IPsec IPsec gt lt gt pluto XXXX packet from 10 10 20 1 500 initial Main Mode message received on 10 10 10 1 500 but no connection has been authorized with policy PSK s 1 IP IPsec gt lt
66. 165 235 3 L2TP IPsec 3 3 L2TP IPsec NAT Android 3 1 L2TP IPsec Android iOS 3 1 L2TP IPsec LiOS 166 235 167 235 IPsec IPsec e IPsec show ipsec status brief lt gt nxr120 show ipsec status brief TunnelName Status tunnel1 up tunnel2 down IPsec SA 1Psec established up down IPsec SA show ipsec status show ipsec status tunnel lt gt tunel
67. ID nxrb fadn 69 235 1 Policy Based IPsec 1 6 IPsec NAT NXR A config ipsec isakmp ttkeepalive 30 3 periodic clear IKE KeepAlive DPD DPD Dead Peer Detection ISAKMP SA NXR WAN SA SA DPD NXR IPsec DPD 30 3 keepalive SA IKE NXR A config ipsec isakmp ttlocal policy 1 IPsec IPsec 1 9 XIPsec gt NXR_A config ipsec tunnel policy 1 NXR B IPsec
68. NXR A config if ipsec policy 1 IPsec IPsec IPsec 1 NXR B 1 lt gt nxr120 config hostname B 14 235 1 Policy Based IPsec 1 1 IP MainMode 2 Ethernet0 gt NXR_B config interface ethernet 0 B config if itip address 192 168 20 1 24 Ethernet0 IP 192 168 20 1 24 3 gt NXR_B config ip route 0 0 0 0 0 10 10 20 254 IP 4 lt IPsec gt B config itipsec access list LAN A ip 192 168 20 0 24 192 168 10 0 24 Policy Based IPsec IPsec IPsec ESP
69. group 5 NXR A config ipsec isakmp ttlifetime 10800 ISAKMP SA 10800 NXR A config ipsec isakmp ttisakmp mode main 1 IPsec WAN IP NXR A config ipsec isakmp ttremote address ip 10 10 20 1 NXR WAN fll IP NXR WAN 10 10 20 1 NXR A config ipsec isakmp ttkeepalive 30 3 periodic restart IKE KeepAlive DPD DPD Dead Peer Detection ISAKMP SA NXR WAN SA SA DPD NXR IPsec DPD
70. A NAT O SYSTEM NAT X X O OSPF RIPv1 v2 DF bit 1 TR X ER d O x IPv6 any X O O ECMP X Equal Cost Multi Path QoS x 6 235 NXR IPsec NXR IPsec NXR IPsec IPsec IPsec ISAKMP IPsec Tunnel IPsec IPsec IPsec IPsec IPsec
71. IPsec 1 ipsec policy 1 S IPsec 105 235 2 Route Based IPsec 2 5 PPPoE IPsec NXR A config tunnel ttip tcp adjust mss auto TCP MSS TCP MSS TCP MSS TCP 4 lt 2 gt NXR A config itinterface tunnel 2 2 NXR_A config tunnel tunnel mode ipsec ipv4 Route Based IPsec ipsec ipv4 NXR_A config tunnel tunnel protection ipsec policy 2 IPsec IPsec 2
72. NXR A config ipsec isakmp ttkeepalive 30 3 periodic restart IKE KeepAlive DPD DPD Dead Peer Detection ISAKMP SA NXR WAN SA SA 52 235 1 Policy Based IPsec 1 5 PPPoE IPsec DPD NXR IPsec DPD 30 3 keepalive SA IKE NXR_A config ipsec isakmp local policy 1 IPsec IPsec 1 8 lt IPsec 1 gt NXR A config ifipsec tunnel policy 1 NXR B IPsec 1 NXR_A
73. EK NXR L2TP IPsec PSK 10 10 10 1 NXR WAN IP ios01 PPP RSA SecurID ios01pass PPP ipseckey 144 235 3 L2TP IPsec 3 1 L2TP IPsec 6 VPN NXR L2TP IPsec PSK VPN VPN VPN mil SoftBank 14 10 L2TP IPsec PSK test VPN gt 7 VPN ll SoftBank VPN 14 10 EK 0 17 gt L2TP IPsec PSK test VPN
74. IPsec IPsec LANB IP 192 168 10 0 24 IP 192 168 20 0 24 5 X 509 gt NXR A config ipsec x509 enable X 509 6 lt CA gt NXR A config tipsec x509 ca certificate nxr ftp 192 168 10 10 nxrCA pem FTP 192 168 10 10 CA nxrCA pem 7 lt CRL gt A config tipsec x509 crl nxr ftp 192 168 10 10 nxrCRL pem FTP 192 168 10 10 CRL nxrCRL pem 8 NXR A gt NXR A config tipsec x509 certificate nxra ftp 192 168 10 10 nxraCert pem FTP 192 168 10 10 NXR A nxraCert pem 9 NXR A gt NXR A config tipsec x509 private key nxra key ftp 192 168 10 10 nxraKey pem FTP 192 168 10 10 NXR A nxraKey pem 39 235 1 Policy Based IPsec 1 4 X 509
75. NXR A WAN IP 10 10 20 1 NXR B config ipsec isakmp ttkeepalive 30 3 periodic restart IKE KeepAlive DPD DPD Dead Peer Detection ISAKMP SA NXR WAN SA SA DPD NXR IPsec DPD 30 3 keepalive SA IKE B config ipsec isakmp ttlocal policy 1 IPsec IPsec 1 8 lt IPsec 1 gt NXR B config ifipsec tunnel policy 1 NXR A IPsec 1 NXR_B config ipse
76. NXR A config ipsec isakmp tthash sha1 shal NXR_A config ipsec isakmp encryption aes128 aes128 NXR A config ipsec isakmp ttgroup 5 Diffie Hellman DH group 5 NXR A config ipsec isakmp ttlifetime 10800 ISAKMP SA 10800 NXR A config ipsec isakmp ttisakmp mode aggressive 1 NXR_B WAN fll IP IP NXR A config ipsec isakmp ttremote address ip any NXR B WAN IP NXR B WAN IP ZS SEL NXR A config ipsec isakmp ttremote identity fqdn nxrb identity NXR_B WAN fll IP IP 7
77. ipsec policy 1 IP NXR B config ipsec local itself identity fqdn nxrb identity WAN fl IP IP ID fadn 7 lt 1 ISAKMP gt NXR B config tipsec isakmp policy 1 NXR A IPsec ISAKMP 1 NXR_B config ipsec isakmp description NXR_A ISAKMP 1 NXR_A NXR _B config ipsec isakmp authentication pre share ipseckey LT pre share ipseckey NXR A NXR B config ipsec isakmp tthash sha1 shal 72 235 1 Policy Based IPsec 1 6 IPsec NAT NXR_B config ipsec isakmp encryption aes128
78. L2TP IPsec NXR 1 gt nxr120 config hostname NXR NXR 2 CLAN ethernet0 gt NXR config itinterface ethernet 0 NXR config if itip address 192 168 10 1 24 Ethernet0 IP 192 168 10 1 24 3 gt NXR config ip route 0 0 0 0 0 ppp 0 PPPoE ppp 4 lt IP gt NXR config itip access list pppO in permit any 10 10 10 1 udp 500 500 NXR config jp access list pppO in permit any 10 10 10 1 50 IP ppp0_in IP 10 10 10 1 UDP 500 UDP 500 IP 10 10 10 1 50 ESP
79. tunnel 1 2 lt 1 gt NXR O config ipsec access list LAN A ip 192 168 30 0 24 192 168 10 0 24 Policy Based IPsec IPsec IPsec ESP Route Based IPsec IPsec IKE 2 ID sr Route Based IPsec ESP IPsec lt IPsec IP 192 168 30 0 24 IP 192 168 10 0 24 107 235 2 Route Based IPsec 2 5 PPPoE IPsec 3 gt NXR C config itinterface tunnel 1 1 NXR_O config tunnel tunnel mode ipsec ipv4 Route Based IPsec
80. 56 235 1 Policy Based IPsec 1 5 PPPoE IPsec 4 lt IP gt NXR_B config ip access list ppp0_in permit 10 10 10 1 10 10 20 1 udp 500 500 NXR_B config ip access list pppO in permit 10 10 10 1 10 10 20 1 50 IP ppp0_in IP 10 10 10 1 IP 10 10 20 1 UDP 500 UDP 500 IP 10 10 10 1 IP 10 10 20 1 50 ESP IP ppp0 IP s UDP 500 50 ESP IPsec 5 lt IPsec
81. 8 VPN VPN L VPN L2TP IPsec VPN 155 235 3 L2TP IPsec 3 2 L2TP IPsec CRT iOS iOS iPhone VPN iPhone iPhone iOS lt 156 235 3 L2TP IPsec 3 3 L2TP IPsec NAT 3 3 L2TP IPsec Android iOS NA
82. CA NXR FTP FTP 192 168 10 10 192 168 10 10 CA nxrCA pem CRL nxrCRL pem NXR nxrCert pem NXR nxrKey pem pem DER PEM pem DER der 147 235 3 L2TP IPsec 3 2 L2TP IPsec CRT cer DES Android SD iPhone iPhone
83. IPsec LAN B IP 192 168 10 0 24 IP 192 168 20 0 24 3 lt gt NXR A config stinterface tunnel 1 1 NXR_A config tunnel tunnel mode ipsec ipv4 Route Based IPsec ipsec ipv4 NXR_A config tunnel tunnel protection ipsec policy 1 IPsec IPsec 1 ipsec policy 1 s IPsec NXR_A config tunnel ip tcp adjust mss auto TCP MSS TCP MSS TCP MSS TCP
84. IPsec 1 ipsec policy 1 S IPsec NXR A config tunnel ttip tcp adjust mss auto TCP MSS TCP MSS TCP MSS TCP 112 235 2 Route Based IPsec 2 6 IPsec NAT NXR B 1 6 IPsec NAT NXR_B 1 gt NXR_B config ip route 192 168 10 0 24 tunnel 1 IPsec IP IPsec IPsec
85. ISAKMP 1 NXR config ipsec tunnel tmatch protocol 12tp smartphone L2TPv2 over IPsec IPsec protocol mode transport negotiation mode responder IPsec ID IPv4 host host UDP UDP 1701 any 8 lt PPP gt NXR config ppp account username android01 password android01pass NXR config ppp account username ios01 password ios01pass PPP L2TPv2 LNS ID NXR config ppp account username test1 centurysys password test1pass ppp0
86. RIPv1 v2 OSPF BGP IPsec NAT IP SPI DNS 1 5 PPPoE IPsec 100 235 2 Route Based IPsec 2 5 PPPoE IPsec NXR A
    nxr120#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    nxr120(config)#hostname NXR_A
    NXR_A(config)#interface ethernet 0
    NXR_A(config-if)#ip address 192.168.10.1/24
    NXR_A(config-if)#exit
    NXR_A(config)#ip route 192.168.20.0/24 tunnel 1
    NXR_A(config)#ip route 192.168.30.0/24 tunnel 2
    NXR_A(config)#ip route 0.0.0.0/0 ppp 0
    NXR_A(config)#ip access-list ppp0_in permit any 10.10.10.1 udp 500 500
    NXR_A(config)#ip access-list ppp0_in permit 10.10.10.1 50
    NXR_A(config)#ipsec access-list LAN_B ip 192.168.10.0/24 192.168.20.0/24
    NXR_A(config)#ipsec access-list LAN_C ip 192.168.10.0/24 192.168.30.0/24
    NXR_A(config)#ipsec local policy 1
    NXR_A(config-ipsec-local)#address ip
    NXR_A(config-ipsec-local)#exit
    NXR_A(config)#ipsec isakmp policy 1
    NXR_A(config-ipsec-isakmp)#descr
87. gt NXR_A config ipsec tunnel policy 1 NXR B IPsec 1 22 235 1 Policy Based IPsec 1 2 IP AggressiveMode NXR_A config ipsec tunnel description NXR B 1 NXR B NXR _A config ipsec tunnel negotiation mode responder IPsec responder Rekey NXR_A config ipsec tunnel set transform esp aes128 esp sha1 hmac IPsec esp aes128 esp sha1 hmac NXR _A confi
88. NXR A config ipsec tunnel itset key exchange isakmp 1 ISAKMP ISAKMP 1 NXR A config ipsec tunnel itmatch address LAN B IPsec IPsec LAN B 9 lt IPsec ISAKMP 2 gt 53 235 1 Policy Based IPsec 1 5 PPPoE IPsec NXR A config ifipsec isakmp policy 2 NXR C IPsec ISAKMP 2 NXR_A config ipsec isakmp description NXR C ISAKMP 2 NXR C NXR_A config ipsec isakmp authentication pre share ipseckey2 LT pre share ipseckey2 NXR_C NXR A config ipsec isakmp tthash sha1 shal NXR_A config ipsec isakmp encryption aes128
89. NXR_C config router router id 172 31 0 3 OSPF ID NXR C config router itnetwork 192 168 30 0 24 area 0 OSPF 192 168 30 0 24 0 OSPF NXR_C config router passive interface ethernet 0 Ethernet0 Ethernet0 LAN OSPF Ethernet0 OSPF 2 lt 1 gt NXR O config ipsec access list LAN A ip 192 168 30 0 24 192 168 10 0 24 Policy Based IPsec IPsec IPsec ESP Route Based IPsec IPsec IKE 2 ID s Route Based IPsec ESP IPsec
90. C JP CN nxra E nxra example com X 509 identity 12 lt IPsec ISAKMP gt NXR A config itipsec isakmp policy 1 NXR B IPsec ISAKMP 1 NXR_A config ipsec isakmp description NXR B ISAKMP 1 NXR B NXR A config ipsec isakmp ttauthentication rsa sig X 509 rsa sig NXR A config ipsec isakmp tthash sha1 shal NXR_A config ipsec isakmp encryption aes128 aes128 NXR A config ipsec isakmp ttgroup 5 40 235 1 Policy Based IPsec 1 4 X 509 Diffie Hellman DH group 5 NXR A config ipsec isakmp ttlifetime 10800 ISAKMP SA 10800
91. IPsec 1 ipsec policy 1 S IPsec NXR B config tunnel ttip tcp adjust mss auto TCP MSS TCP MSS TCP MSS TCP 92 235 2 Route Based IPsec 2 3 RSA LAN A LAN B IP 192 168 10 100 192 168 20 100 255 255 255 0 255 255 255 0 192 168 10 1 192 168 20 1 93 235 2 Route Based IPsec 2 4 X 509 22 JLE Bit S EIE 2 4 X 509 IKE 1 NXR X 509 FutureNe
92. IPsec LANA NXR_A 7 lt IPsec gt 8 XEthernetl gt NXR_B config interface ethernet 1 NXR B config if itip address 10 10 20 1 24 Ethernet IP 10 10 20 1 24 NXR B config if itipsec policy 1 IPsec IPsec IPsec 1 LAN A LAN B IP 192 168 10 100 192 168 20 100 255 255 255 0 255 255 255 0 192 168 10 1 192 168 20 1 16 235 1 Policy Based IPsec 1 2 AggressiveMode 1 2 IP AggressiveMode WAN IP IP
93. ppp0 NXR IP IPsec 1 IPsec 59 235 1 Policy Based IPsec 1 5 PPPoE IPsec 10 lt Ethernet1 gt NXR_B config interface ethernet 1 NXR _B config if no ip address B config if itpppoe client ppp 0 Ethernet PPPoE ppp0 11 lt DNS gt NXR B config tdns NXR_B dns config service enable DNS NXR C 1 lt gt nxr120 config hostname NXR C 2 Ethernet0 gt NXR C config itinterface ethernet 0 NXR C config if itip address 192 168 30 1 24 Ethernet0 IP 192 168 30 1 24 3 gt NX
94. IPsec 1 8 lt IPsec 1 gt NXR config ipsec tunnel policy 1 NXR B IPsec 1 NXR config ipsec tunnel description smartphone 1 smartphone NXR config ipsec tunnel set transform esp aes128 esp sha1 hmac IPsec esp aes128 esp sha1 hmac 161 235 3 L2TP IPsec 3 3 L2TP IPsec NAT NXR config ipsec tunnel no set pfs PFS Perfect Forward Secrecy DH PFS NXR config ipsec tunnel set sa lifetime 28800 IPsec SA 28800 NXR config ipsec tunnel set key exchange isakmp 1 ISAKMP
95. NXR config if vt itip address 172 16 0 1 32 virtua template IP 172 16 0 1 32 NXR config if vt itip tcp adjust mss auto TCP MSS TCP MSS TCP MSS TCP NXR config if vt no ip redirects ICMP NXR config if vt no ip rebound IP NXR config if vt peer ip pool smartphoneip IP IP smartphoneip NXR config if vt peer ip proxy arp ARP 12 lt L2TPv2 gt NXR config itl2tp udp source port 1701 L2TPv2 1701 NXR config itl2tp 1 L2TP1
96. local enable 1 1 system led ext 0 signal level mobile 0 ib route 0 0 0 0 0 10 10 10 254 ip route 192 168 20 0 24 tunnel 1 1 ipsec access list LAN_B ip 192 168 10 0 24 192 168 20 0 24 1 1 end NXR B Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname NXR_B telnet server enable http server enable ipv6 forwarding no fast forwarding enable 1 1 ipsec generate rsa sig key 1024 1 ipsec local policy 1 address ip self identity fqdn nxrb 1 ipsec isakmp policy 1 description NXR_A authentication rsa sig 0sAQNe9Ghb4CNEaJully67aSxECLJDHhvndH1opuMs6P8yGiTNIcGeSO Q8XEy8iYTst2bv022XUxSt37RhOR5IRiY1i83TXkQZbhnJDCNJv rtX aro745MbJ9auXT1L5tda4C54 S7SELboAtU28sD3si0OwlzLWtE7yRUqLP4ZiiNMw hash sha1 encryption aes128 group 5 isakmp mode main remote address ip 10 10 10 1 remote identity fqdn nxra local policy 1 1 ipsec tunnel policy 1 description NXR_A set transform esp aes128 esp sha1 hmac set pfs group5 203 235 set key exchange isakmp 1 match address LAN A 1 interface tunnel 1 no ip address ip tcp adjust mss auto tunnel mode ipsec ipv4 tunnel protection ipsec policy 1 1 interface ethernet 0 ip address 192 168 20 1 24 1 interface ethernet 1 ip address 10 10 20 1 24 ipsec policy 1 dns service enable 1 syslog local enable 1 1 system led ext 0 signal level mobile 0 ip route 0 0 0 0 0
97. IP IPsec IPsec LAN_B IP 192 168 10 0 24 IP 192 168 20 0 24 5 XIPsec gt NXR A config itipsec local policy 1 IPsec 1 NXR_A config ipsec local address ip IPsec IP IP ipsec policy 1 IP 6 XIPsec ISAKMP gt NXR_A config ipsec isakmp policy 1 NXR_B IPsec ISAKMP 1 NXR_A config ipsec isakmp description NXR B ISAKMP 1 NXR B NXR_A config ipsec isakmp authentication pre share ipseckey pre share ipseckey
98. IPsec ESP Route Based IPsec IPsec IKE 2 ID Les Route Based IPsec ESP IPsec lt IPsec LAN_A IP 192 168 20 0 24 IP 106 235 2 Route Based IPsec 2 5 PPPoE IPsec 192 168 10 0 24 3 gt NXR B config itinterface tunnel 1 1 NXR_B config tunnel tunnel mode ipsec ipv4 Route Based IPsec ipsec ipv4 NXR _B config tunnel tunnel protection ipsec policy 1 IPsec IPsec 1
99. SPI DNS 2 5 PPPoE IPsec 119 235 2 Route Based IPsec 2 8 IPsec OSPF NXR A
    nxr120#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    nxr120(config)#hostname NXR_A
    NXR_A(config)#interface ethernet 0
    NXR_A(config-if)#ip address 192.168.10.1/24
    NXR_A(config-if)#exit
    NXR_A(config)#router ospf
    NXR_A(config-router)#router-id 172.31.0.1
    NXR_A(config-router)#network 192.168.10.0/24 area 0
    NXR_A(config-router)#passive-interface ethernet 0
    NXR_A(config-router)#exit
    NXR_A(config)#ip route 0.0.0.0/0 ppp 0
    NXR_A(config)#ip access-list ppp0_in permit any 10.10.10.1 udp 500 500
    NXR_A(config)#ip access-list ppp0_in permit 10.10.10.1 50
    NXR_A(config)#ipsec access-list LAN_B ip 192.168.10.0/24 192.168.20.0/24
    NXR_A(config)#ipsec access-list LAN_C ip 192.168.10.0/24 192.168.30.0/24
    NXR_A(config)#ipsec local policy 1
    NXR_A(config-ipsec-local)#address ip
    NXR_A(config-ipsec-local)#exit
    NXR_A(config)#ipsec isakmp policy 1
    NXR_A(config-ipsec-isakmp)#description B
    NXR_A(config-ipsec-isakmp)#authentication pre-share ipseckey1
    NXR_A(config-ipsec-isakmp)#hash sha1
    NXR_A(co
100. IPsec 2 2 IP AggressiveMode 115 235 2 Route Based IPsec 2 7 IPsec NXR A
    nxr120#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    nxr120(config)#hostname NXR_A
    NXR_A(config)#interface ethernet 0
    NXR_A(config-if)#ip address 192.168.10.1/24
    NXR_A(config-if)#exit
    NXR_A(config)#ip route 192.168.20.0/24 tunnel 1
    NXR_A(config)#ip route 0.0.0.0/0 10.10.10.254
    NXR_A(config)#ipsec access-list LAN_B ip 192.168.10.0/24 192.168.20.0/24
    NXR_A(config)#ipsec local policy 1
    NXR_A(config-ipsec-local)#address ip
    NXR_A(config-ipsec-local)#exit
    NXR_A(config)#ipsec isakmp policy 1
    NXR_A(config-ipsec-isakmp)#description NXR_B
    NXR_A(config-ipsec-isakmp)#authentication pre-share ipseckey
    NXR_A(config-ipsec-isakmp)#hash sha1
    NXR_A(config-ipsec-isakmp)#encryption aes128
    NXR_A(config-ipsec-isakmp)#group 5
    NXR_A(config-ipsec-isakmp)#lifetime 10800
    NXR_A(config-ipsec-isakmp)#isakmp-mode aggressive
    NXR_A(config-ipsec-isakmp)#remote address ip any
    NXR_A(config-ipsec-isakmp)#remote identity fqdn nxrb
    NXR_A(config-ipsec-isakmp)#keepalive 30 3 periodic clear
    NXR_A(config-ipsec-isakm
101. gt B config tipsec access list ip 192 168 20 0 24 192 168 10 0 24 Policy Based IPsec IPsec IPsec ESP IP IPsec IPsec LAN_A IP 192 168 20 0 24 IP 192 168 10 0 24 6 XIPsec gt B config itipsec local policy 1 IPsec 1 NXR_B config ipsec local address ip IPsec IP IP ipsec policy 1 IP 7 XIPsec ISAKMP 1 gt NXR_B config ipsec isakmp policy 1 NXR A IPsec ISAKMP 1 NXR_B config ipsec isakmp description NXR A ISAKMP 1 NXRA NXR_B conf
102. 2 lt CA gt NXR config ipsec x509 ca certificate nxrCA ftp 192 168 10 10 nxrCA pem FTP 192 168 10 10 CA 3 lt CRL gt NXR config ipsec x509 crl nxrCA ftp 192 168 10 10 nxrCRL pem FTP 192 168 10 10 CRL nxrCRL pem 4 NXR gt NXR config ipsec x509 certificate nxr ftp 192 168 10 10 nxrCert pem FTP 192 168 10 10 NXR nxrCert pem 5 NXR gt NXR config itipsec x509 private key nxr key ftp 192 168 10 10 nxrKey pem FTP 192 168 10 10 NXR nxrKey pem 6 lt NXR gt NXR config ipsec x509 private key nxr password nxrpass NXR nxrpass hidden 7 lt 1 gt NXR config ipsec local x509 certificate nxr X 509
103. IP LAN A 192 168 10 0 24 LAN_B 192 168 20 0 24 MRA TT Eth0 10 10 10 254 10 10 20 254 Eth1 Eth0 192 168 10 100 we 168 10 1 10 10 10 1 10 10 20 1 192 168 20 1 192 168 20 100 Route Based IPsec Policy Based IPsec RIPv1 v2 OSPF BGP 1 IP MainMode 76 235 2 Route Based IPsec 2 1 IP MainMode NXR A
    nxr120#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    nxr120(config)#hostname NXR_A
    NXR_A(config)#interface ethernet 0
    NXR_A(config-if)#ip address 192.168.10.1/24
    NXR_A(config-if)#exit
    NXR_A(config)#ip route 192.168.20.0/24 tunnel 1
    NXR_A(config)#ip route 0.0.0.0/0 10.10.10.254
    NXR_A(config)#ipsec access-list LAN_B ip 192.168.10.0/24 192.168.20.0/24
    NXR_A(config)#ipsec local policy 1
    NXR_A(config-ipsec-local)#address ip
    NXR_A(config-ipsec-local)#exit
    NXR_A(config)#ipsec isakmp policy 1
    NXR_A(config-ipsec
104. IP ipsec policy 1 IP B config ipsec locaDtself identity fqdn nxrb identity WAN IP IP NXR IP ID ID nxrb 5 XIPsec ISAKMP gt B config itipsec isakmp policy 1 NXR_B config ipsec isakmp description NXR A B config ipsec isakmp tauthentication pre share ipseckey B config ipsec isakmp amp thash sha1 B config ipsec isakmp tencryption aes128 NXR B config ipsec isakmp ttgroup 5 NXR B config ipsec isakmp ttlifetime 10800 B config ipsec isakmp ftisakmp mode aggressive B config ipsec isakmp itremote address ip 10 10 10 1 B config ipsec isakmp itkeepalive 30 3 periodic restart B config ipsec isakmp ttlocal policy 1 NXR A IPsec ISAKMP 1 24 235 1 Policy Based IPsec 1 2 IP AggressiveMode
105. NXR A Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname _ telnet server enable http server enable ipv6 forwarding no fast forwarding enable 1 ipsec nat traversal enable 1 ipsec local policy 1 address ip 1 ipsec isakmp policy description authentication pre share ipseckey keepalive 30 3 periodic clear hash shal encryption aes128 group 5 isakmp mode aggressive remote address ip any remote identity fqdn nxrb local policy 1 1 I ipsec tunnel policy 1 description NXR_B negotiation mode responder set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 1 match address LAN_B 1 I interface ppp 0 ip address 10 10 10 1 32 no ip redirects ip tcp adjust mss auto ip access group in pppO in ip masquerade ip spi filter ppp username test1 centurysys password testlpass ipsec policy 1 1 interface ethernet 0 ip address 192 168 10 1 24 1 interface ethernet 1 no ip address pppoe client ppp 0 1 dns 193 235 show config service enable 1 syslog local enable 1 1 I system led ext 0 signal level mobile 0 iB route 0 0 0 0 0 ppp 0 1 ip access list pppO in permit any 10 10 10 1 any 500 ip access list pppO in permit any 10 10 10 1 udp any 4500 1 access list LAN B ip 192 168 10 0 24 192 168 20 0 24 1 1 1 end NXR B C
106. OSPF 2 lt 1 gt NXR_B config ipsec access list LAN A ip 192 168 20 0 24 192 168 10 0 24 Policy Based IPsec IPsec IPsec ESP Route Based IPsec IPsec IKE 2 ID s Route Based IPsec ESP IPsec lt IPsec LAN IP 192 168 20 0 24 IP 192 168 10 0 24 3 gt NXR B config itinterface tunnel 1 1 NXR _B config tunnel ip address 192 168 20 1 32 1 IP 192 168 20 1 32 OSPF
107. 1 5 PPPoE IPsec NXR_A 1 gt NXR _A config ip route 192 168 20 0 24 tunnel 1 NXR A config ip route 192 168 30 0 24 tunnel 2 IPsec IP IPsec IPsec LAN B NXR_B IPsec 1 tunnel 1 LAN C NXR_C IPsec 2 tunnel 2 2 XIPsec gt NXR A config itipsec access list LAN B ip 192 168 10 0 24 192 168 20 0 24 NXR A config tipsec access list LAN ip 192 168 10 0 24 192 168 30 0 24 Policy Based IPsec IPsec
108. DPD NXR IPsec DPD 30 3 keepalive SA IKE NXR A config ipsec isakmp ttlocal policy 1 IPsec IPsec 1 13 lt IPsec gt NXR A config ifipsec tunnel policy 1 NXR B IPsec 1 NXR_A config ipsec tunnel description NXR B 1 NXR A config ipsec tunnel itnegotiation mode auto IPsec 41 235 1 Policy Based IPsec 1 4 X 509
109. IP 192 168 10 0 24 IP 192 168 20 0 24 5 RSA Signature Key gt NXR A config itipsec generate rsa sig key 1024 IPsec RSA Signature Key 1024bit 6 lt RSA gt NXR_A show ipsec rsa pub key RSA public key 0sAQNe9Ghb4CNEaJully67aSxECLJDHhvndH1opuMs6P8yGiTNIcGeSOQ8XEy8iYTst2bv022XUxSt37 RhOR5IRiY1i83TXkQZbhnJDCNJv rtX aro745MbJ9auXT1L5tda4C54S7SELboAtU28sD3si0OwlzLW tE7yRUqLP4ZiiNMw RSA NXR IPsec ISAKMP 7 lt 1 gt NXR A config itipsec local policy 1 IPsec 1 NXR_A config ipsec local address ip IPsec IP IP ipsec policy 1 IP 29 235 1 Policy Based IPsec 1 3 RSA NXR A config ipsec local itself identity fqdn nxra
110. ISAKMP ISAKMP 2 NXR A config ipsec tunnel ttmatch address LAN IPsec IPsec LAN C 55 235 1 Policy Based IPsec 1 5 PPPoE IPsec 11 lt ppp0 gt NXR A config itinterface ppp 0 NXR_A config ppp ip address 10 10 10 1 32 NXR_A config ppp ip masquerade NXR A config ppp ftip access group in pppO in NXR A config ppp ttip spi filter NXR A config ppp ttip tcp adjust mss auto NXR A config ppp ttno ip redirects NXR A config ppp tppp authentication auto NXR A config ppp tppp username test1 centurysys password test1pass NXR A config ppp fipsec policy 1 ppp0 IP IP 10 10 10 1 32 IP NAT IP ppp0 in in ppp0
111. Route based IPsec Policy Based IPsec Route based IPsec Policy Based IPsec NXR Policy Based IPsec IPsec ESP IPsec ESP NAT NAT Route Based IPsec Policy Based IPsec IPsec ESP IPsec ESP NAT NAT Route Based IPsec IPsec ESP
112. gt NXR C config itipsec access list LAN_A ip 192 168 30 0 24 192 168 10 0 24 Policy Based IPsec IPsec IPsec ESP IP IPsec 60 235 1 Policy Based IPsec 1 5 PPPoE IPsec IPsec LANA IP 192 168 30 0 24 IP 192 168 10 0 24 6 XIPsec gt NXR C config itipsec local policy 1 IPsec 1 NXR_C config ipsec local address ip IPsec IP IP ipsec policy 1 IP NXR_C config ipsec local self identity fqdn nxrc identity WAN IP NXR_A IP ID
113. ipsec policy 2 S IPsec NXR A config tunnel ttip tcp adjust mss auto TCP MSS NXR B 1 5 PPPoE IPsec NXR_B 1 gt NXR_B config ip route 192 168 10 0 24 tunnel 1 IPsec IP IPsec IPsec LANA NXR A IPsec 1 tunnel 1 2 lt IPsec gt NXR_B config ipsec access list LAN A ip 192 168 20 0 24 192 168 10 0 24 Policy Based IPsec IPsec
114. IPsec IPsec LAN A NXR A IPsec 1 tunnel 1 2 lt IPsec gt NXR_B config ipsec access list LAN A ip 192 168 20 0 24 192 168 10 0 24 Policy Based IPsec IPsec IPsec ESP Route Based IPsec IPsec IKE 2 ID sr Route Based IPsec ESP IPsec lt IPsec LAN_A IP 192 168 20 0 24 IP 192 168 10 0 24 3 lt gt NXR B config itinterface tunnel 1 1
115. ISAKMP 1 NXR_A LT pre share ipseckey NXR NXR WAN IP 10 10 10 1 NXR_A 6 IPsec ISAKMP gt 6 XIPsec gt NXR B config itipsec tunnel policy 1 NXR B config ipsec tunneD description NXR A NXR_B config ipsec tunnel negotiation mode auto B config ipsec tunneDset transform esp aes128 esp sha1 hmac B config ipsec tunneD set pfs group5 NXR _B config ipsec tunnel set sa lifetime 3600 NXR B config ipsec tunnel itset key exchange isakmp 1 NXR_B config ipsec tunnel match address LAN A NXR A IPsec 1 1 NXR_A auto
116. LAN fll IP Ping LAN IP Ping B ppp1 NTP 2 OO OO AB IPsec LAN IP Ping LAN IP Ping A 10 B 5 232 235
117. identity RSA identity ID nxra fqdn 8 XIPsec ISAKMP gt NXR_A config ipsec isakmp policy 1 NXR_B IPsec ISAKMP 1 NXR_A config ipsec isakmp description NXR B ISAKMP 1 NXR B NXR _A config ipsec isakmp authentication rsa sig 0sAQOx8kE6uhZTvWMikunsy3uK5 IkTXsCjQpgo4B X64UAVeuxFQZ3KG3bzyjmyCbpkt0xEiU v1kF4AOAOXoDfgND KAdEky YWqQYzMuu uu2uy K6E9JA24NACufuqMqggGSXc51fJ 6V5Qi9YtVd7TWBkZQSZJJADBHs YyYD9Q rsa sig NXR_B NXR NXR A config ipsec isakmp hash sha1 shal NXR_A config ipsec isakmp encryption aes128 aes128 NXR_A config ipsec isakmp group 5 Diffie Hellman DH
118. NXR IP IPsec 1 IPsec 12 Ethernet1 gt NXR_A config interface ethernet 1 NXR A config iftno ip address NXR _A config if pppoe client ppp 0 Ethernet PPPoE ppp0 13 lt DNS gt NXR A config tdns NXR A dns config itservice enable DNS B 1 lt gt nxr120 config hostname NXR B NXR_B 2 Ethernet0 gt NXR B config tinterface ethernet 0 NXR_B config if ip address 192 168 20 1 24 Ethernet0 IP 192 168 20 1 24 3 gt NXR_B config ip route 0 0 0 0 0 ppp 0 ppp
119. NXR_A config tunnel tunnel protection ipsec policy 1 IPsec IPsec 1 ipsec policy 1 S IPsec NXR A config tunnel ttip tcp adjust mss auto TCP MSS TCP MSS TCP MSS TCP 97 235 2 Route Based IPsec 2 4 X 509 NXR B 1 4 X 509 NXR B 1 gt NXR_B config ip route 192 168 10 0 24 tunnel 1 IPsec IP
120. ipsec ipv4 NXR_O config tunnel tunnel protection ipsec policy 1 IPsec IPsec 1 ipsec policy 1 IPsec NXR_O config tunnel ip tcp adjust mss auto TCP MSS TCP MSS TCP MSS TCP LAN A LAN B LAN C IP 192 168 10 100 192 168 20 100 192 168 30 100 255 255 255 0 255 255 255 0 255 255 255 0 192 168 10 1 192 168 20 1 192 168 30 1 108 235 2 Route Based IPsec 2 6 IPsec NAT 2 6 IPsec NAT NXR IP
121. nxr120#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    nxr120(config)#hostname NXR_B
    NXR_B(config)#interface ethernet 0
    NXR_B(config-if)#ip address 192.168.20.1/24
    NXR_B(config-if)#exit
    NXR_B(config)#ip route 192.168.10.0/24 tunnel 1
    NXR_B(config)#ip route 0.0.0.0/0 10.10.20.254
    NXR_B(config)#ipsec access-list LAN_A ip 192.168.20.0/24 192.168.10.0/24
    NXR_B(config)#ipsec local policy 1
    NXR_B(config-ipsec-local)#address ip
    NXR_B(config-ipsec-local)#exit
    NXR_B(config)#ipsec isakmp policy 1
    NXR_B(config-ipsec-isakmp)#description NXR_A
    NXR_B(config-ipsec-isakmp)#authentication pre-share ipseckey
    NXR_B(config-ipsec-isakmp)#hash sha1
    NXR_B(config-ipsec-isakmp)#encryption aes128
    NXR_B(config-ipsec-isakmp)#group 5
    NXR_B(config-ipsec-isakmp)#lifetime 10800
    NXR_B(config-ipsec-isakmp)#isakmp-mode main
    NXR_B(config-ipsec-isakmp)#remote address ip 10.10.10.1
    NXR_B(config-ipsec-isakmp)#keepalive 30 3 periodic restart
    NXR_B(config-ipsec-isakmp)#local policy 1
    NXR_B(config-ipsec-isakmp)#exit
    NXR_B(config)#ipsec tunnel policy 1
    NXR_B(config-ipsec-tunnel)#description NXR_A
    NXR_B(config-ipsec-tunnel)#negotiation-mode auto
    NXR_B(config-ipsec-tunnel)#set transform esp-aes128 esp-sha1-hmac
    NXR_B(config-ipsec-tunnel)#set pfs group5
    NXR_B(config-ipsec-tunnel)#set sa lifetime 3600
    NXR_B(config-ipsec-tunnel)#set key-exchange isakmp 1
    NXR_B(config-ipsec-tunnel)#match addr
122. 1 1 NXR_A IPsec LAN_A NXR_A 9 IPsec gt 10 Ethernetl gt NXR_B config interface ethernet 1 NXR_B config if ip address 10 10 20 1 24 Ethernet IP 10 10 20 1 24 NXR_B config if ipsec policy 1 IPsec IPsec IPsec 1 LAN A LAN B IP 192 168 10 100 192 168 20 100 255 255 255 0 255 255 255 0 192 168 10 1 192 168 20 1 34 235 1 Policy Based IPsec 1 4 X 509 1 4 X 509
123. LAN B 10 lt Ethernet1 gt NXR_A config interface ethernet 1 NXR A config if itip address 10 10 10 1 24 Ethernet IP 10 10 10 1 24 A config ifipsec policy 1 IPsec IPsec IPsec 1 1 gt nxr120 config hostname NXR NXR_B 2 lt Ethernet0 gt NXR B config tinterface ethernet 0 B config if itip address 192 168 20 1 24 Ethernet0 IP 192 168 20 1 24 3 gt NXR B config ftip route 0 0 0 0 0 10 10 20 254 IP 4 lt IPsec gt B config itipsec access list LAN A ip 192 168 20 0 24 192 168 10
124. X 509 identity 7 lt 1 ISAKMP gt NXR B config itipsec isakmp policy 1 NXR_B config ipsec isakmp description NXR A NXR_B config ipsec isakmp authentication rsa sig B config ipsec isakmp amp thash sha1 B config ipsec isakmp tencryption aes128 NXR B config ipsec isakmp ttgroup 5 NXR B config ipsec isakmp ttlifetime 10800 B config ipsec isakmp tisakmp mode main B config ipsec isakmp itremote address ip 10 10 10 1 B config ipsec isakmp tremote identity dn C JP CN nxra E nxra example com B config ipsec isakmp tkeepalive 30 3 periodic restart B config ipsec isakmp ttlocal policy 1 NXR A IPsec ISAKMP 1 ISAKMP 1 NXR_A LT X 509 rsa sig NXR WAN IP 10 10 10 1 NXR identity DN Distinguished Name NXR DN subject 12 IPsec ISAKM
125. gt pluto XXXX packet from 10 10 20 1 500 initial Aggressive Mode message received on 10 10 10 1 500 but no connection has been authorized with policy PSK 1 IPsec lt gt pluto XXXX tunnell 1 responding to Main Mode pluto XXXX tunnell 1 tunnell 1 next payload type of ISAKMP Identification Payload has an unknown value pluto XXXX tunnel1 1 probable authentication failure mismatch of preshared secrets malformed payload in packet s PSK lt gt pluto XXXX tunnelt 1 initiating Main Mode pluto XXXX tunnel1 1 next payload type of ISAKMP Hash Payload has an unknown value PSK gt lt gt pluto XXXX tunnel2 1 10 10 30 1 1 responding to Aggressive Mode from unknown peer
126. NXR_A config ipsec isakmp authentication pre share ipseckey1 LT pre share ipseckey1 NXR_B NXR A config ipsec isakmp tthash sha1 shal NXR_A config ipsec isakmp encryption aes128 aes128 NXR A config ipsec isakmp ttgroup 5 Diffie Hellman DH group 5 NXR A config ipsec isakmp ttlifetime 10800 ISAKMP SA 10800 NXR A config ipsec isakmp ttisakmp mode main 1 NXR_A NXR_B WAN IP IP NXR A config ipsec isakmp ttremote address ip 10 10 20 1 NXR B WAN IP NXR B WAN 10 10 20 1
127. aes128 NXR A config ipsec isakmp ttgroup 5 Diffie Hellman DH group 5 NXR A config ipsec isakmp ttlifetime 10800 ISAKMP SA 10800 NXR A config ipsec isakmp ttisakmp mode aggressive 1 NXR_C WAN fill IP IP NXR A config ipsec isakmp ttremote address NXR_C fll IP NXR C WAN IP IP any NXR A config ipsec isakmp ttremote identity fqdn nxrc identity NXR_C WAN IP IP IP ID ID nxrc fqdn NXR A config ipsec isakmp ttkeepalive 30 3 periodic clear IKE KeepAlive DPD DPD Dead
128. 85 235 2 Route Based IPsec 2 2 S IP AggressiveMode NXR B s 1 2 IP AggressiveMode 1 gt NXR_B config ip route 192 168 10 0 24 tunnel 1 IPsec IP IPsec IPsec LAN A NXR A IPsec 1 tunnel 1 2 lt IPsec gt NXR_B config ipsec access list LAN A ip 192 168 20 0 24 192 168 10 0 24 Policy Based IPsec IPsec IPsec ESP Route Based IPsec
129. IPsec IKE 2 ID sr Route Based IPsec ESP IPsec lt IPsec LAN B IP 192 168 10 0 24 IP 192 168 20 0 24 3 gt NXR A config itinterface tunnel 1 1 NXR A config tunnel tttunnel mode ipsec ipv4 Route Based IPsec ipsec ipv4 NXR_A config tunnel tunnel protection ipsec policy 1 IPsec IPsec 1 ipsec policy 1 S IPsec NXR A config tunnel ttip tcp adjust mss
130. ISAKMP 1 NXR config ipsec tunnel tmatch protocol 12tp smartphone nat traversal L2TPv2 over IPsec NAT IPsec protocol mode transport negotiation mode responder IPsec NAT NAT ID NXR IPv4 host host UDP UDP 1701 any 9 lt PPP gt NXR config ppp account username android01 password android01pass NXR config ppp account username ios01 password ios01pass PPP L2TPv2 LNS ID NXR config ppp account username test1
131. NXR config ipsec isakmp authentication pre share ipseckey LT pre share ipseckey NXR config ipsec isakmp hash sha1 shal NXR config ipsec isakmp tencryption aes128 aes128 NXR config ipsec isakmp stgroup 5 Diffie Hellman DH group 5 NXR config ipsec isakmp itlifetime 86400 ISAKMP SA 86400 NXR config ipsec isakmp itisakmp mode main 1 NXR config ipsec isakmp remote address ip any IP any NXR config ipsec isakmp local policy 1 IPsec
132. self identity ID remoteidentity gt 2 DD lt gt pluto XXXX tunnel2 1 10 10 30 1 1 responding to Aggressive Mode from unknown peer 10 10 30 1 pluto XXXX tunnel2 1 10 10 30 1 1 ISAKMP SA established pluto XXXX tunnel2 1 10 10 30 1 1 Dead Peer Detection 3706 enabled pluto XXXX tunnel2 1 10 10 30 1 1 cannot respond to IPsec SA request because no connectionis known for 192 168 10 0 24 10 10 10 1 10 10 10 1 10 10 30 1 nxrc 192 168 30 0 24 pluto XXXX tunnel2 1 10 10 30 1 1 sending encrypted notification INVALID ID INFORMATION to10 10 30 1 500 s ipsec access list lt gt pluto XXXX tunnel1 1 initiating Aggressive Mode 1 connection tunnel1 pluto XXXX tunnel1 1 sent AI2 ISAKMP SA established pluto XXXX tunnel1 1 Dead Peer Detection 3706 enabled pluto XXXX tunnell 2 initiating Quick Mode PSK ENCRYPT TUNNEL PFS UP 0x4000000 using isakmp 1 pluto XXXX tunnell 1 ignoring informational payload type INVALID
133. 1 NXR_B config ipsec local address ip IPsec IP IP ipsec policy 1 IP NXR_B config ipsec local self identity fqdn nxrb identity RSA identity ID nxrb fqdn 8 XIPsec ISAKMP gt NXR B config tipsec isakmp policy 1 NXR B config ipsec isakmp stdescription NXR A B config ipsec isakmp fauthentication rsa sig OsAQNe9Ghb4CNEaJully67aSxECLJD HhvndH1opuMs6P8yGiTNIcGeSOQ8XEy8iYTst2bv022XUxSt37RhOR5IRiY1i83TXkQZbhnJDCNJv rt X aro745MbJ9auXT1L5tda4C54S7SELboAtU28sD3si0OwlzLWtE7yRUqLP4ZiiNMw NXR B config ipsec isakmp hash sha1 NXR B config ipsec isakmp encryption aes128 NXR B config ipsec isakmp ttgroup 5 NXR B config ipsec isakmp flifetime 10800 NXR B config ipsec isakmp ttisakmp mode main B config ipsec isakmp itremote address ip 10 10 10 1 B config ipsec isakmp tremote identity fqdn nxra B config ipsec isakmp tkeepalive 30 3 periodic restart NXR B config ipsec isakmp ttlocal policy 1
134. 1 6 IPsec NAT 3 gt NXR_B config ip route 0 0 0 0 0 192 168 120 254 NAPT IP 4 lt IPsec gt NXR B config ipsec access list LAN ip 192 168 20 0 24 192 168 10 0 24 Policy Based IPsec IPsec IPsec ESP IP IPsec 9 IPsec LANA IP 192 168 20 0 24 IP 192 168 10 0 24 5 lt IPsec NAT gt NXR_B config ipsec nat traversal enable NAT 6 XIPsec gt NXR B config tipsec local policy 1 IPsec 1 NXR B config ipsec local itaddress ip IPsec IP IP
135. IPsec LAN_A NXR_A 7 IPsec gt 7 Ethernet1 gt NXR _B config nterface ethernet 1 B config if itip address dhcp Etherneti IP IF DHCP NXR_B config if ipsec policy 1 IPsec IPsec IPsec 1 LAN B IP 192 168 10 100 192 168 20 100 255 255 255 0 255 255 255 0 192 168 10 1 192 168 20 1 25 235 1 Policy Based IPsec 1 3 RSA 1 3 RSA IKE 1 RSA
136. IP VPN 145 235 3 L2TP IPsec 3 1 L2TP IPsec wall SoftBank HZ 14 10 10 10 10 1 0 21 172 16 0 1 IP 172 16 0 11 146 235 3 L2TP IPsec 3 2 L2TP IPsec CRT 3 2 L2TP IPsec CRT Android iOS L2TP IPsec VPN NXR VPN IPsec LAN A 192 168 10 0 24 Android Eth0 192 168 10 100 192 168 10 1 1010401 iOS IP IP 2 IP IP 2 DD IP X 509 FutureNet RA
137. _B config ipsec tunnel exit NXR B config itinterface ethernet 1 NXR B config if itip address 10 10 20 1 24 NXR B config if itipsec policy 1 NXR B config if itexit NXR B config itexit NXR_B save config 38 235 1 Policy Based IPsec 1 4 X 509 NXR A 1 lt gt nxr120 config hostname NXR A NXR_A 2 Ethernet0 gt NXR A config itinterface ethernet 0 NXR A config if itip address 192 168 10 1 24 Ethernet0 IP 192 168 10 1 24 3 gt NXR A config ip route 0 0 0 0 0 10 10 10 254 IP 4 lt IPsec gt NXR_A config ipsec access list LAN B ip 192 168 10 0 24 192 168 20 0 24 Policy Based IPsec IPsec IPsec ESP IP
138. gt 9 NXR_A gt 10 NXR A gt 6 XIPsec gt NXR B config tipsec local policy 1 IPsec 1 NXR _B config ipsec local address ip IPsec IP IP ipsec policy 1 IP B config ipsec local itx509 certificate nxrb X 509 5 NXR B certificate name nxrb B config ipsec localitself identity dn C JP CN nxrb E nxrb example com identity 509 G identity DN Distinguished Name DN subject C JP CN nxrb E nxrb example com 43 235 1 Policy Based IPsec 1 4 X 509
139. 1 Policy Based IPsec 8 235 1 Policy Based IPsec 1 1 IP MainMode 1 IP MainMode LAN A 192 168 10 0 24 amp LAN B 192 168 20 0 24 NXR A NXR B IPsec LAN IPsec WAN fl IP IP LAN A 192 168 10 0 24 LAN_B 192 168 20 0 24 MRA TT Eth0 10 10 10 254 10 10 20 254 Eth1 Eth0 192 168 10 100 we 168 10 1 10 10 10 1 10 10 20 1 192 168 20 1 192 168 20 100 IPsec ISAKMP ISAKMP 1 SHA 1 AES 128 Diffie Hellman DH Group5
140. ip tcp adjust mss auto tunnel mode ipsec ipv4 tunnel protection ipsec policy 1 1 interface tunnel 2 no ip address ip tcp adjust mss auto tunnel mode ipsec ipv4 tunnel protection ipsec policy 2 1 interface ppp 0 ip address 10 10 10 1 32 no ip redirects ip tcp adjust mss auto ip access group in pppO in ip masquerade ip spi filter ppp username test1 centurysys password testlpass ipsec policy 1 1 interface ethernet 0 ip address 192 168 10 1 24 1 interface ethernet 1 no ip address pppoe client ppp 0 1 dns service enable 1 syslog local enable 1 1 I system led ext 0 signal level mobile 0 ip route 192 168 20 0 24 tunnel 1 ip route 192 168 30 0 24 tunnel 2 ip route 0 0 0 0 0 ppp 0 I ip access list pppO in permit any 10 10 10 1 udp 500 500 ip access list pppO in permit any 10 10 10 1 50 1 e access list LAN B ip 192 168 10 0 24 192 168 20 0 24 ipsec access list LAN_C ip 192 168 10 0 24 192 168 30 0 24 I 1 end show config 209 235 show config NXR B Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname NXR_B telnet server enable http server enable ipv6 forwarding no fast forwarding enable 1 1 ipsec local policy 1 address ip 1 I ipsec isakmp policy 1 description NXR_A authentication pre share ipseckey1 hash sha1 encryption aes128 group 5 isakmp mode ma
141. 1 NXR_A config ipsec tunnel description NXR B 1 NXR B NXR _A config ipsec tunnel negotiation mode responder IPsec responder Rekey NXR _A config ipsec tunnel set transform esp aes128 esp sha1 hmac IPsec esp aes128 esp sha1 hmac NXR _A config ipsec tunnel set pfs group5 PFS Perfect Forward Secrecy DH PFS DH group5 NXR _A config ipse
142. 1 initiating Aggressive Mode 1 connection tunneli pluto XXXX packet from 10 10 10 1 500 ignoring informational payload type INVALID ID INFORMATION s ipsec local policy self identity ID remote identity gt 1 ID self identity lt gt pluto XXXX tunnel2 1 10 10 30 1 1 responding to Aggressive Mode from unknown peer 10 10 30 1 pluto XXXX packet from 10 10 30 1 500 ignoring informational payload type INVALID ID INFORMATION s ipsec isakmp policy remote identity ID self identity lt gt pluto XXXX tunnel1 1 initiating Aggressive Mode 1 connection tunneli pluto XXXX tunnel1 1 no suitable connection for peer 10 10 10 1 pluto XXXX tunnel1 1 initial Aggressive Mode packet claiming to be from 10 10 10 1but no connection has been authorized pluto XXXX tunnel1 1 sending notification INVALID ID INFORMATION to 10 10 10 1 500 m ipsec local policy
143. DNS NAPT 65 235 1 Policy Based IPsec 1 6 IPsec NAT NXR A nxr120 configure terminal Enter configuration commands one per line End with CNTL Z nxr120 config hostname NXR A NXR A config itinterface ethernet 0 NXR A config if itip address 192 168 10 1 24 NXR A config if itexit NXR A config itip route 0 0 0 0 0 ppp 0 NXR A config itip access list pppO in permit any 10 10 10 1 udp any 500 NXR A config itip access list pppO in permit any 10 10 10 1 udp 4500 NXR A config fipsec access list LAN B ip 192 168 10 0 24 192 168 20 0 24 NXR A config itipsec nat traversal enable restart ipsec service to take affect NXR A config tipsec local policy 1 NXR A config ipsec local ftaddress ip NXR A config ipsec local itexit NXR A config ifipsec isakmp policy 1 NXR A config ipsec isakmp ttdescription NXR B NXR _A config ipsec isakmp authentication pre share ipseckey NXR A config ipsec isakmp tthash sha1 NXR A config ipsec isakmp ttencryption aes128 NXR A config ipsec isakmp ttgroup 5 NXR A config ipsec isakmp ttlifetime 10800 NXR A config ipsec isakmp ttisakmp mode aggressive NXR A config ipsec isakmp ttremote address ip any NXR A config ipse
144. NATPT ESP UDP ESP UDP NAT NAPT NXR NAT NAT NAT NXR_B WAN IP IP IP ID NXR_A ISAKMP remote identity NXR_B IPsec self identity 97 identity IKE NXR self identity NXR remote identity NAT IP SPI
145. esp aes128 esp sha1 hmac NXR_C config ipsec tunnel set pfs group5 PFS Perfect Forward Secrecy DH PFS DH group5 62 235 1 Policy Based IPsec 1 5 PPPoE IPsec NXR C config ipsec tunneltset sa lifetime 3600 IPsec SA 3600 NXR_C config ipsec tunnel set key exchange isakmp 1 ISAKMP ISAKMP 1 NXR C config ipsec tunnel itmatch address LAN IPsec IPsec LANA 9 ppp0 gt NXR C config itinterface ppp 0 NXR C config ppp ip address negotiated NXR C config ppp itip masquerade NXR C config ppp tip access group in pppO in NXR C config ppp fip spi filter NXR C config ppp ftip tcp adjust mss auto NXR_C config ppp no ip redirects NXR_C config ppp ppp authentication auto NXR_C config ppp ppp username test3 centurysys password test3pass NXR_C c
146. IPsec IKE 2 ID sr Route Based IPsec ESP IPsec lt IPsec LAN_A IP 192 168 20 0 24 IP 192 168 10 0 24 3 lt gt NXR B config itinterface tunnel 1 1 NXR B config tunnel tttunnel mode ipsec ipv4 Route Based IPsec ipsec ipv4 NXR _B config tunnel tunnel protection ipsec policy 1 IPsec IPsec 1 ipsec policy 1 S IPsec NXR B config tunnel ttip tcp adjust mss auto TCP MSS
147. IPsec ISAKMP 1 ISAKMP 1 NXR_A LT pre share ipseckey NXR NXR WAN IP 10 10 10 1 NXR_A 6 IPsec ISAKMP gt 15 235 1 Policy Based IPsec 1 1 IP MainMode 7 lt IPsec gt NXR B config itipsec tunnel policy 1 B config ipsec tunneDtdescription NXR A NXR_B config ipsec tunnel negotiation mode auto B config ipsec tunneDset transform esp aes128 esp sha1 hmac B config ipsec tunneD set pfs group5 NXR _B config ipsec tunnel set sa lifetime 3600 NXR B config ipsec tunnel itset key exchange isakmp 1 NXR B config ipsec tunnel ttmatch address LAN A NXR B IPsec 1 1 NXR_B
148. IPv4 192 168 20 0 24 6 lt IPsec NAT gt NXR A config tipsec nat traversal enable NAT 68 235 1 Policy Based IPsec 1 6 IPsec NAT 7 lt 1 gt NXR A config tipsec local policy 1 IPsec 1 NXR A config ipsec local itaddress ip IPsec IP IP ipsec policy 1 IP 8 XIPsec ISAKMP gt NXR A config itipsec isakmp policy 1 NXR B IPsec ISAKMP 1 NXR_A config ipsec isakmp description NXR B ISAKMP 1 B NXR_A config ipsec isakmp authentication pre share ipseckey LT pre share ipseckey
149. LAN Ethernet0 IP 32 NXR B config tunnel tttunnel mode ipsec ipv4 126 235 2 Route Based IPsec 2 8 IPsec OSPF Route Based IPsec ipsec ipv4 NXR _B config tunnel tunnel protection ipsec policy 1 IPsec IPsec 1 ipsec policy 1 g IPsec NXR B config tunnel ttip tcp adjust mss auto TCP MSS NXR C 2 5 PPPoE IPsec NXR_C 1 lt OSPF gt NXR_C config router ospf OSPF
150. lt gt pluto XXXX tunnel1 1 initiating Main Mode pluto XXXX tunnel1 1 received Vendor ID payload strongSwan pluto XXXX tunnell 1 received Vendor ID payload XAUTH pluto XXXX tunnel1 1 received Vendor ID payload Dead Peer Detection pluto XXXX tunnel1 1 ISAKMP SA established pluto XXXX tunnel1 1 Dead Peer Detection 3706 enabled pluto XXXX tunnel1 2 initiating Quick Mode PSK TENCRYPT TUNNEL PFS UP using isakmp 1 charon O3 KNL interface tunnel1 activated pluto XXXX tunnel1 2 sent 012 IPsec SA established ESP gt 0x14bd33fO lt 0xf49c1f56 DPD 168 235 IPsec gt lt gt pluto XXXX packet from 10 10 10 1 500 received Vendor ID payload strongSwan pluto XXXX packet from 10 10 10 1 500 received Vendor ID payload XAUTH pluto XXXX packet from 10 10 10 1 500 received Vendor ID payload Dead Peer Detection pluto XXXX tunnell 3 responding to Main Mode pluto XXXX tunnel1 3 sent MR3 ISAKMP SA established pluto XXXX tunnel1 3 Dead Peer Detection 3706 enabled pluto XXXX tunnell 4 responding to Quick Mode charon O3 KNL interface tunnel1 activated pluto XXXX tunnel 4 IPsec SA established ESP gt 0x9c4fb981 lt 0xc30f38e1 DPD gt
151. 2 2 IP AggressiveMode NXR_A nxr120#configure terminal Enter configuration commands, one per line. End with CNTL/Z. nxr120(config)#hostname NXR_A NXR_A(config)#interface ethernet 0 NXR_A(config-if)#ip address 192.168.10.1/24 NXR_A(config-if)#exit NXR_A(config)#ip route 192.168.20.0/24 tunnel 1 NXR_A(config)#ip route 0.0.0.0/0 10.10.10.254 NXR_A(config)#ipsec access-list LAN_B ip 192.168.10.0/24 192.168.20.0/24 NXR_A(config)#ipsec local policy 1 NXR_A(config-ipsec-local)#address ip NXR_A(config-ipsec-local)#exit NXR_A(config)#ipsec isakmp policy 1 NXR_A(config-ipsec-isakmp)#description NXR_B NXR_A(config-ipsec-isakmp)#authentication pre-share ipseckey NXR_A(config-ipsec-isakmp)#hash sha1 NXR_A(config-ipsec-isakmp)#encryption aes128 NXR_A(config-ipsec-isakmp)#group 5 NXR_A(config-ipsec-isakmp)#lifetime 10800 NXR_A(config-ipsec-isakmp)#isakmp-mode aggressive NXR_A(config-ipsec-isakmp)#remote address ip any NXR_A(config-ipsec-isakmp)#remote identity fqdn nxrb NXR_A(config-ipsec-isakmp)#keepalive 30 3 periodic clear NXR_A(config-ipsec-isakmp)#local policy 1 NXR_A(config-ipsec-isakmp)#exit NXR_A(config)#ipsec tunnel policy 1 NXR_A(config-ipsec-tunnel)#description NXR_B NXR_A(config-ipsec-tunnel)#negotiation-mode responder NXR_A(config-ipsec-tunnel)#set transform esp-aes128 esp-sha1-hmac NXR_A confi
152. 21 235 1 Policy Based IPsec 1 2 IP AggressiveMode NXR A config ipsec isakmp tthash sha1 shal NXR_A config ipsec isakmp encryption aes128 aes128 NXR A config ipsec isakmp ttgroup 5 Diffie Hellman DH group 5 NXR A config ipsec isakmp ttlifetime 10800 ISAKMP SA 10800 NXR A config ipsec isakmp ttisakmp mode aggressive 1 IPsec WAN fill IP IP NXR A config ipsec isakmp ttremote address ip any NXR WAN IP NXR WAN fill IP IP any NXR A config ipsec isakmp ttremote identity fqdn nxrb NXR identity
153. IPsec WAN fll IP IP LAN A 192 168 10 0 24 LAN_B 192 168 20 0 24 MRA TT 10 10 10 254 10 10 20 254 NE h0 192 168 10 100 192 10 1 10 10 10 1 DHCP 192 168 20 1 192 168 20 100 IP IPsec IP NXR IPsec ISAKMP ISAKMP 1 SHA 1 AES 128 Diffie Hellman DH Group5 Pre Shared Key Aggressive 10800 s 2
154. psec policy 1 NXR_C config ppp exit NXR C config itinterface ethernet 1 NXR_C config if no ip address NXR C config if itpppoe client ppp 0 NXR_C config if exit NXR_C config dns NXR_O config dns service enable NXR_O config dns exit NXR_O config exit NXR_C save config 123 235 2 Route Based IPsec 2 8 IPsec OSPF NXR_A s 2 5 PPPoE IPsec NXR_A 1 lt gt NXR_A config router ospf OSPF NXR_A config router router id 172 31 0 1 OSPF ID NXR_A config router network 192 168 10 0 24 area 0 OSPF 192 168 10 0 24 0 OSPF NXR_A config router passive interface ethernet 0 Ethernet0 Ether
155. 1 205 235 dns service enable 1 syslog local enable 1 1 I system led ext 0 signal level mobile 0 ip route 192 168 20 0 24 tunnel 1 ip route 0 0 0 0 0 10 10 10 254 1 ipsec access list LAN_B ip 192 168 10 0 24 192 168 20 0 24 1 end show config B Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname NXR_B telnet server enable http server enable 1 ipv6 forwarding no fast forwarding enable 1 ipsec x509 enable ipsec x509 ca certificate nxr ipsec x509 certificate nxrb ipsec x509 private key nxrb key ipsec x509 private key nxrb password nxrbpass ipsec x509 crl nxr 1 ipsec local policy 1 address ip self identity dn C JP CN nxrb E nxrb example com x509 certificate nxrb 1 1 ipsec isakmp policy 1 description NXR_A authentication rsa sig hash sha1 encryption aes128 group 5 isakmp mode main remote address ip 10 10 10 1 206 235 remote identity dn C JP CN nxra E nxra example com local policy 1 1 ipsec tunnel policy 1 description NXR_A set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 1 match address LAN A 1 interface tunnel 1 no ip address ip tcp adjust mss auto tunnel mode ipsec ipv4 tunnel protection ipsec policy 1 1 interface ethernet 0 ip address 192 168 20 1 24 1 interface ethernet 1 ip address 10 10 20 1 24 ipsec policy
156. 100 Route Based IPsec Policy Based IPsec RIPv1 v2 0SPF BGP 1 3 RSA 88 235 2 Route Based IPsec 2 3 RSA NXR A nxr120 configure terminal Enter configuration commands one per line End with CNTL Z nxr120 config hostname NXR A NXR A config itinterface ethernet 0 NXR A config if itip address 192 168 10 1 24 NXR A config if itexit NXR A config itip route 192 168 20 0 24 tunnel 1 NXR A config itip route 0 0 0 0 0 10 10 10 254 NXR A config tipsec access list LAN B ip 192 168 10 0 24 192 168 20 0 24 NXR A config itipsec generate rsa sig key 1024 RSA SIG KEY generating NXR A config itexit NXR_A show ipsec rsa pub key RSA public key 0sAQNe9Ghb4CNEaJully67aSxECLJDHhvndH1opuMs6P8yGiTNIcGeSOQ8XEy8iYTst2bv022XUxSt37 RhOR5IRiY1i83TXkQZbhnJDCNJv rtX aro745MbJ9auXT1L5tda4C54S7SELboAtU28sD3si0OwlzLW tE7yRUqLP4ZiiNMw NXR_A configure terminal Enter configuration commands one per line End with CNTL Z NXR A config itipsec local policy 1 NXR A config ipsec local ftaddre
157. NXR 155 C L NXR 230 C NXR 350 C NXR 1200 WXR 250 FutureNet NXR 120 C FutureNet NXR NXR 120 C Ver5 22 2 Route Based IPsec IPv4 IPv6
158. NXR B config itinterface ethernet 1 NXR B config if itip address 192 168 120 1 24 NXR B config if tipsec policy 1 NXR B config if itexit NXR B config itdns NXR B config dns itservice enable NXR B config dns itexit NXR B config itexit NXR_B save config 67 235 1 Policy Based IPsec 1 6 IPsec NAT NXR A 1 lt gt nxr120 config hostname NXR A NXR_A 2 XEthernetO0 gt NXR_A config jinterface ethernet 0 NXR_A config if ip address 192 168 10 1 24 Ethernet0 IPv4 192 168 10 1 24 3 gt NXR A config itip route 0 0 0 0 0 ppp 0 PPPoE ppp 4 lt IP gt NXR_A config ip access list ppp0 in permit any 10 10 10 1 udp any 500 NXR A config itip access list ppp0_in permit any 10 10 10 1 udp any 4500 IP ppp0_in
159. NXR_B(config)#ipsec local policy 1 NXR_B(config-ipsec-local)#address ip NXR_B(config-ipsec-local)#self-identity fqdn nxrb NXR_B(config-ipsec-local)#exit NXR_B(config)#ipsec isakmp policy 1 NXR_B(config-ipsec-isakmp)#description NXR_A NXR_B(config-ipsec-isakmp)#authentication pre-share ipseckey NXR_B(config-ipsec-isakmp)#hash sha1 NXR_B(config-ipsec-isakmp)#encryption aes128 NXR_B(config-ipsec-isakmp)#group 5 NXR_B(config-ipsec-isakmp)#isakmp-mode aggressive NXR_B(config-ipsec-isakmp)#remote address ip 10.10.10.1 NXR_B(config-ipsec-isakmp)#keepalive 30 3 periodic restart NXR_B(config-ipsec-isakmp)#local policy 1 NXR_B(config-ipsec-isakmp)#netevent 1 reconnect NXR_B(config-ipsec-isakmp)#exit NXR_B(config)#ipsec tunnel policy 1 NXR_B(config-ipsec-tunnel)#description NXR_A NXR_B(config-ipsec-tunnel)#negotiation-mode auto NXR_B(config-ipsec-tunnel)#set transform esp-aes128 esp-sha1-hmac NXR_B(config-ipsec-tunnel)#set pfs group5 NXR_B(config-ipsec-tunnel)#set key-exchange isakmp 1 NXR_B(config-ipsec-tunnel)#match address LAN_A NXR_B(config-ipsec-tunnel)#exit NXR_B(config)#interface tunnel 1 NXR_B(config-tunnel)#tunnel mode ipsec ipv4 NXR_B(config-tunnel)#tunnel protection ipsec policy 1 NXR_B(config-tunnel)#ip tcp adjust-mss auto NXR_B(config-tunnel)#exit NXR_B(config)#interface ethernet 1 NXR_B(config-if)#ip address dhcp NXR_B(config-if)#ipsec policy 1 NXR_B(config-if)#exit NXR_B config
160. NXR _A config ipsec tunnel negotiation mode responder IPsec responder Rekey NXR_A config ipsec tunnel set transform esp aes128 esp sha1 hmac IPsec esp aes128 esp sha1 hmac NXR _A config ipsec tunnel set pfs group5 PFS Perfect Forward Secrecy DH PFS DH group5 NXR _A config ipsec tunnel set sa lifetime 3600 IPsec SA 3600 NXR A config ipsec tunnel itset key exchange isakmp 2
161. NXR config itip access list pppO in permit any 10 10 10 1 udp any 4500 NXR config itipsec nat traversal enable restart ipsec service to take affect NXR config itipsec local policy 1 NXR config ipsec local taddress ip NXR config ipsec local itexit NXR config itipsec isakmp policy 1 NXR config ipsec isakmp description smartphone NXR config ipsec isakmp authentication pre share ipseckey NXR config ipsec isakmp hash sha1 NXR config ipsec isakmp encryption aes128 NXR config ipsec isakmp group 5 NXR config ipsec isakmp ttlifetime 86400 NXR config ipsec isakmp stisakmp mode main NXR config ipsec isakmp ttremote address ip any NXR config ipsec isakmp itlocal policy 1 NXR config ipsec isakmp exit NXR config itipsec tunnel policy 1 NXR config ipsec tunnel description smartphone NXR config ipsec tunnel set transform esp aes128 esp sha1 hmac NXR config ipsec tunnel no set pfs NXR config ipsec tunnel set sa lifetime 28800 NXR config ipsec tunnel set key exchange isakmp 1 NXR config ipsec tunnel ftmatch protocol I2tp smartphone nat traversal NXR config ipsec tunnel itexit NXR config fppp account username android01 password android01pass NXR config itppp account username ios01 password 01 NXR config ppp account username test1 centurysys password testlpass NXR config itip local pool smartphoneip address 192 168 10 10 192 168 10 11 NXR config itinterface virtual template 0 NXR config if vt itip address 192 168 10 1 32 NXR
162. NXR_B save config 90 235 2 Route Based IPsec 2 3 RSA NXR A s 1 3 RSA NXR A 1 gt NXR_A config ip route 192 168 20 0 24 tunnel 1 IPsec IP IPsec IPsec LAN B NXR B IPsec 1 tunnel 1 2 lt 1 gt NXR_A config ipsec access list LAN B ip 192 168 10 0 24 192 168 20 0 24 Policy Based IPsec IPsec IPsec ESP Route Based IPsec
163. encryption aes128 group 5 isakmp mode aggressive remote address ip 10 10 10 1 local policy 1 1 I ipsec tunnel policy 1 211 235 description NXR_A set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 1 match address LAN_A 1 interface tunnel 1 no ip address ip tcp adjust mss auto tunnel mode ipsec ipv4 tunnel protection ipsec policy 1 1 interface ppp 0 ip address negotiated no ip redirects ip tcp adjust mss auto ip access group in pppO in ip masquerade ip spi filter ppp username test3 centurysys password test3pass ipsec policy 1 1 interface ethernet 0 ip address 192 168 30 1 24 1 interface ethernet 1 no ip address pppoe client ppp 0 1 dns service enable 1 syslog local enable 1 1 I system led ext 0 signal level mobile 0 ip route 192 168 10 0 24 tunnel 1 ip route 0 0 0 0 0 ppp 0 1 ip access list pppO in permit 10 10 10 1 any 500 500 ip access list pppO in permit 10 10 10 1 any 50 1 access list LAN A ip 192 168 30 0 24 192 168 10 0 24 1 1 end show config 212 235 show config 2 6 IPsec NAT NXR A hostname NXR_A telnet server enable http server enable ipv6 forwarding no fast forwarding enable 1 ipsec nat traversal enable 1 ipsec local policy 1 address ip 1 ipsec isakmp policy descrip
164. end NXR C Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname NXR_C telnet server enable http server enable ipv6 forwarding no fast forwarding enable 1 1 ipsec local policy 1 address ip self identity fqdn nxrc 1 ipsec isakmp policy 1 description NXR_A authentication pre share ipseckey2 hash sha1 encryption aes128 group 5 isakmp mode aggressive remote address ip 10 10 10 1 local policy 1 1 ipsec tunnel policy 1 description NXR_A set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 1 match address LAN_A 1 I interface ppp 0 ip address negotiated no ip redirects ip tcp adjust mss auto ip access group in pppO in ip masquerade ip spi filter ppp username test3 centurysys password test3pass ipsec policy 1 1 interface ethernet 0 ip address 192 168 30 1 24 1 interface ethernet 1 no ip address pppoe client ppp 0 191 235 1 dns service enable 1 syslog local enable 1 1 I system led ext 0 signal level mobile 0 i route 0 0 0 0 0 ppp 0 I ip access list pppO in permit 10 10 10 1 any udp 500 500 ip access list pppO in permit 10 10 10 1 any 50 1 eet access list LAN A ip 192 168 30 0 24 192 168 10 0 24 1 1 end zo AE show config 192 235 show config 1 6 IPsec NAT
165. hostname NXR A NXR A 2 Ethernet0 gt NXR A config itinterface ethernet 0 NXR A config if tip address 192 168 10 1 24 Ethernet0 IP 192 168 10 1 24 3 gt NXR A config ip route 0 0 0 0 0 10 10 10 254 IP 4 lt IPsec gt NXR A config fipsec access list LAN B ip 192 168 10 0 24 192 168 20 0 24 Policy Based IPsec IPsec IPsec ESP IP IPsec IPsec LAN_B IP 192 168 10 0 24 IP 192 168 20 0 24 5 XIPsec gt NXR A config ipsec local policy 1 IPsec 1 NXR_A config ipsec
166. ip route 192 168 10 0 24 tunnel 1 1 sie access list LAN A ip 192 168 20 0 24 192 168 10 0 24 1 1 end show config 201 235 show config 2 3 RSA NXR A Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname _ telnet server enable http server enable ipv6 forwarding no fast forwarding enable 1 1 ipsec generate rsa sig key 1024 1 ipsec local policy 1 address ip self identity fqdn nxra 1 ipsec isakmp policy 1 description authentication rsa sig 0sAQOx8kE6uhZTvWMikunsy3uK5 7jIkTXsCjQpgo4B X64UAVeuxFQZ 3KG3bzyjmyCbpktO0xEiU v1kF4AOAOXoDfgND KAdEky YWqQYzMuuuu2uy K6E9JA24NACufuqMqggGS Xc51fJ 6V5Qi9YtVd7TWBkZQSZJJADBHs YyYD9Q hash sha1 encryption aes128 group 5 isakmp mode main remote address ip 10 10 20 1 remote identity fqdn nxrb local policy 1 1 ipsec tunnel policy 1 description NXR B set transform esp aes128 esp sha1 hmac set pfs groupb set key exchange isakmp 1 match address LAN B 1 1 interface tunnel 1 no ip address ip tcp adjust mss auto tunnel mode ipsec ipv4 tunnel protection ipsec policy 1 1 interface ethernet 0 ip address 192 168 10 1 24 1 interface ethernet 1 ip address 10 10 10 1 24 ipsec policy 1 dns service enable I syslog 202 235 show config
167. 0 192 168 10 1 192 168 20 1 81 235 2 Route Based IPsec 2 2 IP AggressiveMode 2 2 Sij IP AggressiveMode WAN IP IP IPsec WAN IP ISAKMP LAN_A 192 168 10 0 24 LAN B 192 168 20 0 24 MRA NXR_B Eth0 m 10 10 10 254 10 10 20 254 WNEM Eth0 192 168 10 100 we 168 10 1 10 10 10 1 DHCP 192 168 20 1 192 168 20 100 IP Route Based IPsec Policy Based IPsec RIPv1 v2 0SPF BGP 1 2 IP AggressiveMode 82 235 2 Route Based IPsec
168. 0 ethernet1 ppp0 PPPoE PPP pppoe client 16 lt DNS gt NXR config dns NXR dns config service enable DNS 138 235 3 L2TP IPsec 3 1 L2TP IPsec Android Android Android Android 1 2 3 VPN
169. 0 virtual template 0 virtua template virtual template PPP PPP PPP NXR config if vt itip address 172 16 0 1 32 virtua template IP 172 16 0 1 32 NXR config if vt itip tcp adjust mss auto TCP MSS TCP MSS TCP MSS TCP NXR config if vt no ip redirects ICMP NXR config if vt no ip rebound IP NXR config if vt peer ip pool smartphoneip IP
170. 1 dns service enable 1 syslog local enable 1 1 I system led ext 0 signal level mobile 0 ip route 192 168 10 0 24 tunnel 1 ip route 0 0 0 0 0 10 10 20 254 1 psec access list LAN A ip 192 168 20 0 24 192 168 10 0 24 1 1 end show config 207 235 show config 2 5 PPPoE IPsec NXR A hostname NXR_A telnet server enable http server enable ipv6 forwarding no fast forwarding enable 1 1 ipsec local policy 1 address ip 1 ipsec isakmp policy 1 description NXR_B authentication pre share ipseckey1 hash sha1 encryption aes128 group 5 isakmp mode main remote address ip 10 10 20 1 local policy 1 1 ipsec isakmp policy 2 description NXR_C authentication pre share ipseckey2 keepalive 30 3 periodic clear hash sha1 encryption aes128 group 5 isakmp mode aggressive remote address ip any remote identity fqdn nxrc local policy 1 1 ipsec tunnel policy 1 description set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 1 match address LAN_B 1 ipsec tunnel policy 2 description NXR_C negotiation mode responder set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 2 match address LAN_C 1 I interface tunnel 1 no ip address Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 208 235
171. 1 32 IP 10 10 10 1 32 NXR config ppp ip masquerade IP NXR config ppp ttip access group in pppO in IP pppO in in ppp0 NXR IP NXR config ppp ip spi filter WAN NXR config ppp t
172. 168 10 0 24 end zo AE show config 181 235 show config 1 3 RSA NXR A Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname _ telnet server enable http server enable ipv6 forwarding no fast forwarding enable 1 1 ipsec generate rsa sig key 1024 1 ipsec local policy 1 address ip self identity fqdn nxra 1 ipsec isakmp policy 1 description authentication rsa sig 0sAQOx8kE6uhZTvWMikunsy3uK5 7jIkTXsCjQpgo4B X64UAVeuxFQZ 3KG3bzyjmyCbpktO0xEiU v1kF4AOAOXoDfgND KAdEky YWqQYzMuuuu2uy K6E9JA24NACufuqMqggGS Xc51fJ 6V5Qi9YtVd7TWBkZQSZJJADBHs YyYD9Q hash sha1 encryption aes128 group 5 isakmp mode main remote address ip 10 10 20 1 remote identity fqdn nxrb local policy 1 1 1 ipsec tunnel policy 1 description NXR B set transform esp aes128 esp sha1 hmac set pfs groupb set key exchange isakmp 1 match address LAN B 1 1 interface ethernet 0 ip address 192 168 10 1 24 1 interface ethernet 1 ip address 10 10 10 1 24 ipsec policy 1 1 dns service enable 1 syslog local enable 1 1 1 system led ext 0 signal level mobile 0 1 182 235 zo AE show config ip route 0 0 0 0 0 10 10 10 254 I ipsec access list LAN_B ip 192 168 10 0 24 192 168
173. 20 0 24 1 1 end NXR B Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname NXR_B telnet server enable http server enable ipv6 forwarding no fast forwarding enable 1 ipsec generate rsa sig key 1024 1 ipsec local policy 1 address ip self identity fqdn nxrb 1 I ipsec isakmp policy 1 description NXR_A authentication rsa sig OSAQGNe9Ghb4CNEaJully67aSxECLJDHhvndH1opuMs6P8yGITNIcGeSO Q8XEy8iYTst2bv022XUxSt37RhOR5IRiY1i83TXkQZbhnJDCNJv rtX aro745MbJ9auXT1L5tda4C54 S7SELboAtU28sD3si0OwlzLWtE7yRUqLP4ZiiNMw hash sha1 encryption aes128 group 5 isakmp mode main remote address ip 10 10 10 1 remote identity fqdn nxra local policy 1 1 I ipsec tunnel policy 1 description NXR_A set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 1 match address LAN_A 1 I interface ethernet 0 ip address 192 168 20 1 24 183 235 interface ethernet 1 ip address 10 10 20 1 24 ipsec policy 1 dns service enable 1 syslog local enable 1 1 system led ext 0 signal level mobile 0 p route 0 0 0 0 0 10 10 20 254 ipsec access list LAN_A ip 192 168 20 0 24 192 168 10 0 24 1 1 end zo AE show config 184 235 show config 1 4 X 509 NXR A Ce
174. Enter configuration commands, one per line. End with CNTL/Z. nxr120(config)#hostname NXR_B NXR_B(config)#interface ethernet 0 NXR_B(config-if)#ip address 192.168.20.1/24 NXR_B(config-if)#exit NXR_B(config)#ip route 0.0.0.0/0 192.168.120.254 NXR_B(config)#ipsec access-list LAN_A ip 192.168.20.0/24 192.168.10.0/24 NXR_B(config)#ipsec nat-traversal enable restart ipsec service to take affect NXR_B(config)#ipsec local policy 1 NXR_B(config-ipsec-local)#address ip NXR_B(config-ipsec-local)#self-identity fqdn nxrb NXR_B(config-ipsec-local)#exit NXR_B(config)#ipsec isakmp policy 1 NXR_B(config-ipsec-isakmp)#description NXR_A NXR_B(config-ipsec-isakmp)#authentication pre-share ipseckey NXR_B(config-ipsec-isakmp)#hash sha1 NXR_B(config-ipsec-isakmp)#encryption aes128 NXR_B(config-ipsec-isakmp)#group 5 NXR_B(config-ipsec-isakmp)#isakmp-mode aggressive NXR_B(config-ipsec-isakmp)#remote address ip 10.10.10.1 NXR_B(config-ipsec-isakmp)#keepalive 30 3 periodic restart NXR_B(config-ipsec-isakmp)#local policy 1 NXR_B(config-ipsec-isakmp)#exit NXR_B(config)#ipsec tunnel policy 1 NXR_B(config-ipsec-tunnel)#description NXR_A NXR_B(config-ipsec-tunnel)#negotiation-mode auto NXR_B(config-ipsec-tunnel)#set transform esp-aes128 esp-sha1-hmac NXR_B(config-ipsec-tunnel)#set pfs group5 NXR_B(config-ipsec-tunnel)#set key-exchange isakmp 1 NXR_B(config-ipsec-tunnel)#match address LAN_A NXR_B(config-ipsec-tunnel)#exit
175. IPsec IPsec LAN A NXR A IPsec 1 tunnel 1 2 lt IPsec gt NXR_B config ipsec access list LAN A ip 192 168 20 0 24 192 168 10 0 24 Policy Based IPsec IPsec IPsec ESP Route Based IPsec IPsec IKE 2 ID sr Route Based IPsec ESP IPsec lt IPsec LAN_A IP 192 168 20 0 24 IP 192 168 10 0 24 3 lt gt NXR B config itinterface tunnel 1 1
176. Peer Detection ISAKMP SA NXR WAN SA SA DPD NXR IPsec DPD 30 3 keepalive SA IKE 54 235 1 Policy Based IPsec 1 5 PPPoE IPsec NXR_A config ipsec isakmp local policy 1 IPsec IPsec 1 10 lt IPsec 2 gt NXR_A config ipsec tunnel policy 2 NXR C IPsec 2 NXR_A config ipsec tunnel description NXR C 2 NXR C
177. XEthernetl gt NXR_A config interface ethernet 1 NXR A config if itip address 10 10 10 1 24 Ethernet IP 10 10 10 1 24 NXR A config ifipsec policy 1 IPsec IPsec IPsec 1 NXR B lt gt nxr120 config hostname NXR 2 Ethernet0 gt NXR B config tinterface ethernet 0 NXR B config if itip address 192 168 20 1 24 42 235 1 Policy Based IPsec 1 4 X 509 Ethernet0 IP 192 168 20 1 24 3 gt NXR_B config ip route 0 0 0 0 0 10 10 20 254 IP 4 lt IPsec gt NXR_B conf
178. centurysys password test1pass ppp0 s ppp0 10 lt IP gt NXR config ip local pool smartphoneip address 172 16 0 10 172 16 0 11 IP IP smartphoneip 172 16 0 10 172 16 0 11 IP F 162 235 3 L2TP IPsec 3 3 L2TP IPsec NAT 11 virtual template 0 gt NXR config interface virtua template 0 virtual template 0 virtua template virtual template PPP PPP PPP
179. config if vt itip tcp adjust mss auto NXR config if vt no ip redirects NXR config if vt no ip rebound NXR config if vt peer ip pool smartphoneip NXR config if vt peer ip proxy arp NXR config if vt exit NXR config itl2tp udp source port 1701 NXR config l2tp 1 NXR config I2tp ittunnel address any ipsec NXR config I2tp ittunnel mode Ins NXR config I2tp ittunnel virtual template 0 NXR config 2tp exit Restarting l2tp service Please walt NXR config interface ppp 0 NXR config ppp ip address 10 10 10 1 32 NXR config ppp ip masquerade NXR config ppp ttip access group in pppO in NXR config ppp fip spi filter NXR config ppp ttip tcp adjust mss auto NXR config ppp no ip redirects NXR config ppp ppp username test1 centurysys 158 235 3 L2TP IPsec 3 3 L2TP IPsec NAT NXR config ppp ipsec policy 1 NXR config ppp ttexit NXR config itinterface ethernet 1 NXR config if itno ip address NXR config if ifpppoe client ppp 0 NXR config if itexit NXR config itdns NXR config dns service enable NXR config dns itexit NXR config itexit NXR save config 159 235 3 L2TP IPsec 3 3 L2TP IPsec NAT NXR 1 gt nxr120 config hostname NXR NXR
180. config ipsec isakmp encryption aes128 NXR config ipsec isakmp group 5 NXR config ipsec isakmp lifetime 86400 NXR config ipsec isakmp isakmp mode main NXR config ipsec isakmp remote address ip any NXR config ipsec isakmp remote identity dn C JP CN smartphone E smartphone example com NXR config ipsec isakmp local policy 1 NXR config ipsec isakmp exit NXR config ipsec tunnel policy 1 NXR config ipsec tunnel description smartphone NXR config ipsec tunnel set transform esp aes128 esp sha1 hmac NXR config ipsec tunnel no set pfs NXR config ipsec tunnel set sa lifetime 28800 NXR config ipsec tunnel set key exchange isakmp 1 NXR config ipsec tunnel match protocol I2tp smartphone NXR config ipsec tunnel itexit NXR config ppp account username android01 password android01pass NXR config itppp account username ios01 password 01 NXR config ippp account username test1 centurysys password testlpass NXR config itaccess server profile 0 NXR config ras ppp username android01 ip 172 16 0 10 NXR config ras exit NXR config access server profile 1 NXR config ras ppp username ios01 ip 172 16 0 11 NXR config ras exit NXR config ip local pool smartphoneip address 172 16 0 10 172 16 0 11 NXR config interface virtua template 0 NXR config if vt itip address 172 16 0 1 32 NXR config if vt itip tcp adjust mss auto NXR config if vt no ip redirects NXR config if vt no ip rebound NXR config if vt peer ip pool smartphonei
181. config ipsec isakmp ttkeepalive 30 3 periodic restart NXR A config ipsec isakmp ttlocal policy 1 NXR _A config ipsec isakmp exit NXR A config itipsec tunnel policy 1 NXR_A config ipsec tunnel description B NXR A config ipsec tunnel itnegotiation mode auto NXR A config ipsec tunnel itset transform esp aes128 esp sha1 hmac NXR _A config ipsec tunnel set pfs group5 NXR _A config ipsec tunnel set sa lifetime 3600 NXR _A config ipsec tunnel set key exchange isakmp 1 NXR A config ipsec tunnel itmatch address LAN B NXR _A config ipsec tunnel exit NXR A config itinterface ethernet 1 NXR A config if itip address 10 10 10 1 24 NXR A config if itipsec policy 1 NXR A config if itexit NXR A config itexit NXR_A save config 37 235 1 Policy Based IPsec 1 4 X 509 NXR B nxr120 configure terminal Enter configuration commands one per line End with CNTL Z nxr120 config hostname NXR B NXR B config itinterface ethernet 0 NXR B config if itip address 192 168 20 1 24 NXR B config if itexit NXR B config itip route 0 0 0 0 0 10 10 20 254 NXR B config itipsec access list LAN A ip 192 168 20 0 24 192 168 10 0 24 NXR B config itipsec x509 enable B config itipsec x509 ca certificate nxr ftp 192 168 20 10 nxrCA pem NXR B config itipsec x509 crl nxr ftp 192 168 20 10 nxrCRL pem B config iti
182. config ipsec tunnel description NXR_B 1 NXR_B NXR_A config ipsec tunnel negotiation mode auto IPsec auto NXR_A config ipsec tunnel set transform esp aes128 esp sha1 hmac IPsec esp aes128 esp sha1 hmac NXR_A config ipsec tunnel set pfs group5 PFS Perfect Forward Secrecy DH PFS DH group5 NXR_A config ipsec tunnel set sa lifetime 3600 IPsec SA 3600
183. exchange isakmp 1 NXR B config ipsec tunnel ttmatch address LAN A NXR _B config ipsec tunnel exit NXR B config itinterface ppp 0 _B config ppp ip address 10 10 20 1 32 NXR B config ppp ttip masquerade NXR B config ppp ttip access group in pppO in NXR B config ppp ttip spi filter NXR B config ppp ttip tcp adjust mss auto NXR B config ppp ttno ip redirects 48 235 1 Policy Based IPsec 1 5 PPPoE IPsec NXR B config ppp itppp authentication auto NXR B config ppp ttppp username test2 centurysys password test2pass NXR B config ppp ttipsec policy 1 NXR _B config ppp exit NXR B config itinterface ethernet 1 NXR B config if itno ip address NXR B config if itpppoe client ppp 0 NXR B config if itexit NXR B config itdns NXR_B config dns service enable NXR B config dns itexit NXR B config itexit NXR_B save config NXR C nxr120 configure terminal Enter configuration commands one per line End with CNTL Z nxr120 config hostname NXR C NXR C config itinterface ethernet 0 NXR C config if itip address 192 168 30 1 24 NXR_C config if exit NXR_C config ip route 0 0 0 0 0 ppp 0 NXR_C config ip access list pppO in permit 10 10 10 1 any 500 500 NXR C config itip access list pppO in permit 10 10 10 1 any 50 NXR C config itipsec access list LAN A ip 192 168 30 0 24 192 168 10 0 24 NXR C config itipsec local policy 1 NXR C c
184. isakmp 1 NXR B config ipsec tunnel ttmatch address LAN A NXR B config ipsec tunnelitexit NXR B config itinterface ethernet 1 NXR B config if itip address dhcp NXR B config if itipsec policy 1 exitNXR B config if itexit NXR B config itexit NXR_B save config 20 235 1 Policy Based IPsec 1 2 IP AggressiveMode NXR A 1 lt gt nxr120 config hostname NXR A NXR_A 2 Ethernet0 gt NXR A config itinterface ethernet 0 NXR A config if itip address 192 168 10 1 24 Ethernet0 IP 192 168 10 1 24 3 gt NXR A config ip route 0 0 0 0 0 10 10 10 254 IP 4 lt IPsec gt NXR_A config ipsec access list LAN B ip 192 168 10 0 24 192 168 20 0 24 Policy Based IPsec IPsec IPsec ESP
185. isakmp ttdescription NXR B NXR A config ipsec isakmp ttauthentication pre share ipseckey NXR A config ipsec isakmp tthash sha1 NXR _A config ipsec isakmp encryption aes128 NXR A config ipsec isakmp ttgroup 5 NXR A config ipsec isakmp ttlifetime 10800 NXR A config ipsec isakmp ttisakmp mode main NXR _A config ipsec isakmp remote address 10 10 20 1 NXR A config ipsec isakmp ttkeepalive 30 3 periodic restart NXR A config ipsec isakmp ttlocal policy 1 NXR A config ipsec isakmp ttexit NXR A config itipsec tunnel policy 1 NXR A config ipsec tunnel ftdescription NXR B NXR A config ipsec tunnel itnegotiation mode auto NXR _A config ipsec tunnel set transform esp aes128 esp sha1 hmac NXR _A config ipsec tunnel set pfs group5 NXR _A config ipsec tunnel set sa lifetime 3600 NXR _A config ipsec tunnel set key exchange isakmp 1 NXR A config ipsec tunnel itmatch address LAN B NXR_A config ipsec tunnel exit NXR A config finterface tunnel 1 NXR_A config tunnel tunnel mode ipsec ipv4 NXR_A config tunnel tunnel protection ipsec policy 1 NXR _A config tunnel ip tcp adjust mss auto NXR_A config tunnel exit NXR A config itinterface ethernet 1 NXR A config if itip address 10 10 10 1 24 NXR_A config if ipsec policy 1 NXR A config if itexit NXR A config itexit NXR_A save config 71 235 2 Route Based IPsec 2 1 IP MainMode NXR B
186. itexit NXR_B save config NXR C nxr120 configure terminal Enter configuration commands one per line End with CNTL Z nxr120 config hostname NXR C NXR C config itinterface ethernet 0 NXR C config if itip address 192 168 30 1 24 NXR_C config if exit NXR_O config ip route 192 168 10 0 24 tunnel 1 NXR_C config ip route 0 0 0 0 0 ppp 0 NXR C config itip access list pppO in permit 10 10 10 1 any 500 500 NXR C config itip access list pppO in permit 10 10 10 1 any 50 NXR C config itipsec access list LAN A ip 192 168 30 0 24 192 168 10 0 24 NXR C config itipsec local policy 1 NXR C config ipsec local ftaddress ip NXR C config ipsec local itself identity fqdn nxrc NXR C config ipsec localitexit NXR C config itipsec isakmp policy 1 NXR C config ipsec isakmp ttdescription NXR A NXR C config ipsec isakmp itauthentication pre share ipseckey2 NXR C config ipsec isakmp sthash sha1 NXR C config ipsec isakmp stencryption aes128 NXR C config ipsec isakmp ttgroup 5 NXR C config ipsec isakmp ttlifetime 10800 NXR C config ipsec isakmp ttisakmp mode aggressive NXR C config ipsec isakmp itremote address ip 10 10 10 1 NXR C config ipsec isakmp itkeepalive 30 3 periodic restart NXR C config ipsec isakmp ttlocal policy 1 NXR C config ipsec isakmp itexit 103 235 2 Route Based IPsec 2 5 PPPoE IPsec NXR_O config ipsec tunnel policy 1 NXR _C co
187. itip route 0 0 0 0 0 10 10 10 254 NXR A config tipsec access list LAN B ip 192 168 10 0 24 192 168 20 0 24 NXR A config itipsec x509 enable NXR A config itipsec x509 ca certificate nxr ftp 192 168 10 10 nxrCA pem NXR A config itipsec x509 crl nxr ftp 192 168 10 10 nxrCRL pem NXR A config itipsec x509 certificate nxra ftp 192 168 10 10 nxraCert pem NXR_A config ipsec x509 private key nxra key ftp 192 168 10 10 nxraKey pem NXR A config itipsec x509 private key nxra password nxrapass NXR A config itipsec local policy 1 NXR A config ipsec local ftaddress ip NXR A config ipsec local itx509 certificate nxra NXR A config ipsec local itself identity dn C JP CN nxra E nxra example com NXR A config ipsec local itexit NXR A config fipsec isakmp policy 1 NXR A config ipsec isakmp ttdescription NXR B NXR _A config ipsec isakmp authentication rsa sig NXR A config ipsec isakmp tthash sha1 NXR _A config ipsec isakmp encryption aes128 NXR A config ipsec isakmp ttgroup 5 NXR A config ipsec isakmp ttlifetime 10800 NXR A config ipsec isakmp ttisakmp mode main NXR _A config ipsec isakmp remote address 10 10 20 1 NXR A config ipsec isakmp itremote identity dn C JP CN nxrb E nxrb example com NXR A config ipsec isakmp ttkeepalive 30 3 periodic restart NXR A config ipsec isakmp ttlocal policy 1 NXR_A config ipsec isakmp exit NXR A config itipsec tunnel policy 1 NXR_A config ipsec tunnel description NXR B NXR A config ipsec tunnel i
188. local address ip IPsec IP IP ipsec policy 1 IP 6 XIPsec ISAKMP gt NXR_A config ipsec isakmp policy 1 NXR_B IPsec ISAKMP 1 NXR_A config ipsec isakmp description NXR_B ISAKMP 1 NXR_B NXR_A config ipsec isakmp authentication pre share ipseckey LT pre share ipseckey NXR 12 235 1 Policy Based IPsec 1 1 IP MainMode NXR_A config ipsec isakmp hash sha1 sha1 NXR_A config ipsec isakmp encryption aes128 aes128 NXR_A config ipsec isakmp group 5 Diffie Hellman DH
189. local policy 1 netevent 1 reconnect 1 I ipsec tunnel policy 1 description NXR_A set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 1 match address LAN_A 1 I interface tunnel 1 217 235 no ip address ip tcp adjust mss auto tunnel mode ipsec ipv4 tunnel protection ipsec policy 1 1 interface ethernet 0 ip address 192 168 20 1 24 1 interface ethernet 1 ip address dhcp ipsec policy 1 dns service enable 1 syslog local enable 1 1 I system led ext 0 signal level mobile 0 1 1 1 I track 1 ip reachability 192 168 10 1 interface tunnel 1 10 3 1 ip route 192 168 10 0 24 tunnel 1 1 Wee access list LAN A ip 192 168 20 0 24 192 168 10 0 24 1 1 end show config 218 235 show config 2 8 IPsec OSPF NXR A Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname _ telnet server enable http server enable ipv6 forwarding no fast forwarding enable 1 1 ipsec local policy 1 address ip 1 ipsec isakmp policy 1 description NXR_B authentication pre share ipseckey1 hash sha1 encryption aes128 group 5 isakmp mode main remote address ip 10 10 20 1 local policy 1 1 ipsec isakmp policy 2 description NXR_C authentication pre sha
190. policy 1 NXR B config tunnel itip tcp adjust mss auto NXR B config tunnel ttexit NXR B config itinterface ethernet 1 NXR B config if itip address 192 168 120 1 24 NXR B config if itipsec policy 1 NXR B config if itexit NXR B config itdns NXR B config dns itservice enable NXR B config dns itexit NXR B config itexit NXR_B save config 111 235 2 Route Based IPsec 2 6 IPsec NAT NXR_A 97 1 6 IPsec NAT NXR_A 1 gt NXR_A config ip route 192 168 20 0 24 tunnel 1 IPsec IP IPsec IPsec LAN B NXR B IPsec 1 tunnel 1 2 lt
191. ppp ipsec policy 1 IPsec 1 IPsec 164 235 3 L2TP IPsec 3 3 L2TP IPsec NAT 14 lt ethernet1 gt NXR config interface ethernet 1 ethernetl NXR config if itno ip address ethernet1 IP PPPoE IP PPP PPPoE IP NXR config i pppoe client ppp 0 ethernet ppp0 PPPoE PPP pppoe client 15 lt DNS gt NXR config dns NXR dns config service enable DNS
192. tunnel ftdescription NXR B NXR A config ipsec tunnel itnegotiation mode auto NXR _A config ipsec tunnel set transform esp aes128 esp sha1 hmac NXR _A config ipsec tunnel set pfs group5 NXR _A config ipsec tunnel set sa lifetime 3600 NXR _A config ipsec tunnel set key exchange isakmp 1 NXR A config ipsec tunnel itmatch address LAN B NXR_A config ipsec tunnel exit NXR A config itinterface ethernet 1 NXR A config if itip address 10 10 10 1 24 NXR A config if itipsec policy 1 NXR A config if itexit NXR A config itexit NXR_A save config 21 235 1 Policy Based IPsec 1 3 RSA NXR B nxr120 configure terminal Enter configuration commands one per line End with CNTL Z nxr120 config hostname NXR B NXR B config itinterface ethernet 0 NXR B config if itip address 192 168 20 1 24 NXR B config if itexit NXR B config itip route 0 0 0 0 0 10 10 20 254 NXR B config itipsec access list LAN A ip 192 168 20 0 24 192 168 10 0 24 NXR B config itipsec generate rsa sig key 1024 RSA SIG KEY generating NXR B config itexit NXR_B show ipsec rsa pub key RSA public key 0sAQOx8kE6uhZTvWMikunsy3uK5 7jIkTXsCjiQpgo4B X64UAVeuxFQZ3KG3bzyjmyCbpkt0xEiU v1k F4AOAOXoDfgND KAdEky YWqQYzMuuuu2uy K6E9JA24NACufuqMqgGSXc51fJ 6V5Qi9YtVd7TWBkZQ SZJJADBHs YyYD9Q NXR_B configure terminal Enter configuration commands one per line End with CNTL Z N
193. 0 24 Policy Based IPsec IPsec IPsec ESP IP IPsec IPsec LANA IP 192 168 20 0 24 IP 192 168 10 0 24 5 RSA Signature Key gt NXR_B config ipsec generate rsa sig key 1024 IPsec RSA Signature Key 1024bit 32 235 1 Policy Based IPsec 1 3 RSA 6 lt RSA gt NXR_B show ipsec rsa pub key RSA public key 0sAQOx8kE6uhZTvWMikunsy3uK5 7jIkTXsCiQpgo4B X64UAVeuxFQZ3KG3bzyjmyCbpktO0xEiU v1k F4AOAOXoDfgND KAdEky YWqQYzMuuuu2uy K6E9JA24NACufuqMqgGSXc51fJ 6V5Qi9YtVd7TWBkZQ SZJJADBHs YyYD9Q RSA NXR IPsec ISAKMP 7 lt 1 gt NXR B config stipsec local policy 1 IPsec
194. 01 password ios01pass ppp account username test1 centurysys password testlpass 1 ipsec x509 enable ipsec x509 ca certificate nxrCA ipsec x509 certificate nxr ipsec x509 private key nxr key ipsec x509 private key nxr password nxrpass ipsec x509 crl nxrCA 1 I2tp source port 1701 1 I2tpv3 udp source port 40001 1 ipsec local policy 1 address ip x509 certificate nxr 1 ipsec isakmp policy 1 description smartphone authentication rsa sig hash shal encryption aes128 group 5 lifetime 86400 isakmp mode main remote address ip any remote identity dn C JP CN smartphone E smartphone example com local policy 1 1 ipsec tunnel policy 1 description smartphone set transform esp aes128 esp sha1 hmac no set pfs set key exchange isakmp 1 set sa lifetime 28800 match protocol l2tp smartphone 1 I 12 1 tunnel address ipsec tunnel mode Ins tunnel virtual template 0 227 235 interface virtua template 0 ip address 172 16 0 1 32 no ip redirects no ip rebound ip tcp adjust mss auto peer ip pool smartphoneip 1 interface ppp 0 ip address 10 10 10 1 32 no ip redirects ip tcp adjust mss auto ip access group in pppO in ip masquerade ip spi filter ppp username test1 centurysys ipsec policy 1 1 interface ethernet 0 ip address 192 168 10 1 24 1 interface ethernet 1 no ip address pppoe client ppp 0 1 dns service enable 1 syslog local enable access serve
195. 1 gt NXR_A config ipsec access list LAN B ip 192 168 10 0 24 192 168 20 0 24 Policy Based IPsec IPsec IPsec ESP Route Based IPsec IPsec IKE 2 ID sr Route Based IPsec ESP IPsec lt IPsec LAN B IP 192 168 10 0 24 IP 192 168 20 0 24 3 gt NXR A config itinterface tunnel 1 1 NXR A config tunnel tttunnel mode ipsec ipv4 Route Based IPsec ipsec ipv4 NXR_A config tunnel tunnel protection ipsec policy 1 IPsec
196. 1 NXR _B config ppp exit NXR B config itinterface ethernet 1 NXR B config if itno ip address NXR B config if itpppoe client ppp 0 NXR B config if itexit NXR B config itdns NXR B config dns itservice enable NXR B config dns itexit NXR B config itexit NXR_B save config NXR C nxr120 configure terminal Enter configuration commands one per line End with CNTL Z nxr120 config hostname NXR C NXR C config itinterface ethernet 0 NXR C config if itip address 192 168 30 1 24 NXR_C config if exit NXR C config itrouter ospf NXR _C config router router id 172 31 0 3 NXR _C config router network 192 168 30 0 24 area 0 NXR C config router itpassive interface ethernet 0 NXR C config router itip route 0 0 0 0 0 ppp 0 NXR C config itip access list pppO in permit 10 10 10 1 500 500 NXR C config itip access list pppO in permit 10 10 10 1 any 50 NXR C config itipsec access list LAN A ip 192 168 30 0 24 192 168 10 0 24 NXR C config itipsec local policy 1 NXR C config ipsec local ftaddress ip NXR C config ipsec local itself identity fqdn nxrc 122 235 2 Route Based IPsec 2 8 IPsec OSPF NXR C config ipsec localitexit NXR C config itipsec isakmp policy 1 NXR C config ipsec isakmp ttdescription NXR A NXR C config ipsec isakmp itauthentication pre share ipseckey2 NXR C config ipsec isa
197. 10 1 24 NXR A config if itexit NXR A config itip route 0 0 0 0 0 10 10 10 254 NXR A config ifipsec access list LAN B ip 192 168 10 0 24 192 168 20 0 24 NXR A config tipsec local policy 1 NXR A config ipsec local ftaddress ip NXR A config ipsec local itexit NXR A config fipsec isakmp policy 1 NXR A config ipsec isakmp ttdescription NXR B NXR _A config ipsec isakmp authentication pre share ipseckey NXR A config ipsec isakmp tthash sha1 NXR _A config ipsec isakmp encryption aes128 NXR A config ipsec isakmp ttgroup 5 NXR A config ipsec isakmp ttlifetime 10800 NXR A config ipsec isakmp ttisakmp mode aggressive NXR A config ipsec isakmp ttremote address ip any NXR A config ipsec isakmp ttremote identity fqdn nxrb NXR A config ipsec isakmp ttkeepalive 30 3 periodic clear NXR A config ipsec isakmp ttlocal policy 1 NXR A config ipsec isakmp ttexit NXR A config itipsec tunnel policy 1 NXR A config ipsec tunnel ftdescription NXR B NXR _A config ipsec tunnel negotiation mode responder NXR _A config ipsec tunnel set transform esp aes128 esp sha1 hmac NXR _A config ipsec tunnel set pfs group5 NXR _A config ipsec tunnel set sa lifetime 3600 NXR _A config ipsec tunnel set key exchange isakmp 1 NXR A config ipsec tunnel itmatch address LAN B NXR_A config ipsec tunnel exit NXR A config itinterface ethernet 1 NXR A config if itip address 10 10 10 1 24 NXR A config if itipsec policy 1 exiNXR A config if itexit NXR A config ite
198. 10 10 20 254 ip route 192 168 10 0 24 tunnel 1 I ES access list LAN A ip 192 168 20 0 24 192 168 10 0 24 1 1 end zo AE show config 204 235 show config 2 4 X 509 NXR A hostname NXR_A telnet server enable http server enable ipv6 forwarding no fast forwarding enable 1 ipsec x509 enable ipsec x509 ca certificate nxr ipsec x509 certificate nxra ipsec x509 private key nxra key ipsec x509 private key nxra password nxrapass ipsec x509 crl nxr 1 ipsec local policy 1 address ip self identity dn C JP CN nxra E nxra example com x509 certificate nxra 1 1 ipsec isakmp policy 1 description NXR B authentication rsa sig hash sha1 encryption aes128 group 5 isakmp mode main remote address ip 10 10 20 1 remote identity dn C JP CN nxrb E nxrb example com local policy 1 1 1 ipsec tunnel policy 1 description set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 1 match address LAN B 1 interface tunnel 1 no ip address ip tcp adjust mss auto tunnel mode ipsec ipv4 tunnel protection ipsec policy 1 1 interface ethernet 0 ip address 192 168 10 1 24 1 interface ethernet 1 ip address 10 10 10 1 24 ipsec policy 1 1 Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013
199. 10 10 30 1 PSK lt gt pluto XXXX tunnel1 1 initiating Aggressive Mode 1 connection tunnel1 pluto XXXX tunnel1 1 received Hash Payload does not match computed value pluto XXXX tunnel1 1 sending notification INVALID HASH INFORMATION to 10 10 10 1 500 170 235 IPsec PSK gt 1 ID self identity lt gt pluto XXXX tunnel2 1 10 10 30 1 1 no suitable connection for peer nxr pluto XXXX tunnel2 1 10 10 30 1 1 initial Aggressive Mode packet claiming to be from 10 10 30 1 but no connection has been authorized pluto XXXX tunnel2 1 10 10 30 1 1 sending notification INVALID ID INFORMATION to 10 10 30 1 500 sr isakmp policy remote identity ID self identity lt gt pluto XXXX tunnel1
200. 192 168 20 10 NXR A NXR_B 192 168 10 10 192 168 20 10 CA nxrCA_ pem CA nxrCA pem CRL nxrCRL pem CRL nxrCRL pem A nxraCert pem B nxrbCert pem NXR A nxraKey pem NXR_B nxrbKey pem pem DER PEM 35 235 1 Policy Based IPsec 1 4 X 509 pem DER der cer DES 36 235 1 Policy Based IPsec 1 4 X 509 NXR A n
201. 55 255 255 0 192 168 10 1 192 168 20 1 99 235 2 Route Based IPsec 2 5 PPPoE IPsec 2 5 PPPoE IPsec PPPoE IPsec 1 NXR_A NXR _B NXR_A NXR_C IPsec SPI NAT IP DNS LAN_B 192 168 20 0 24 LAN_A 192 168 10 0 24 0 NXR_B ppp 10 10 20 1 Eth0 192 168 20 1 192 168 20 100 192 168 10 100 ppp0 192 168 10 1 10 10 10 1 LAN C 192 168 30 0 24 wem NXRC Eth0 ppp0 192 168 30 100 IP 192 168 30 1 ia Route Based IPsec Policy Based IPsec
202. 68 20 100 192 168 10 100 ppp0 192 168 10 1 10 10 10 1 LAN C 192 168 30 0 24 wem NXRC Eth0 ppp0 192 168 30 100 IP 192 168 30 1 ia NXR A NXR B ipseckey1 NXR A NXR_C ipseckey2 IPsec NAT IP SPI DNS 46 235 1 Policy Based IPsec 1 5 PPPoE IPsec NXR A nxr120 configure terminal Enter configuration commands one per line End with CNTL Z nxr120 config hostname NXR A NXR A config itinterface ethernet 0 NXR A config if itip address 192 168 10 1 24 NXR A config if itexit NXR A config itip route 0 0 0 0 0 ppp 0 NXR A config itip access list pppO in permit any 10 10 10 1 udp 500 500 NXR A config itip access list pppO in permit any 10 10 10 1 50 NXR A config fipsec access list LAN B ip 192 168 10 0 24 192 168 20 0 24 NXR A config itipsec access list LAN C ip 192 168 10 0 24 192 168 30 0 24 NXR A config tipsec local policy 1 NXR A config ipsec local ft
203. 8 10 0 24 192 168 20 0 24 ipsec access list LAN C ip 192 168 10 0 24 192 168 30 0 24 1 1 end show config 220 235 show config NXR B Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname NXR_B telnet server enable http server enable ipv6 forwarding no fast forwarding enable 1 1 ipsec local policy 1 address ip 1 I ipsec isakmp policy 1 description NXR_A authentication pre share ipseckey1 hash sha1 encryption aes128 group 5 isakmp mode main remote address ip 10 10 10 1 local policy 1 1 I ipsec tunnel policy 1 description NXR_A set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 1 match address LAN_A 1 I interface tunnel 1 ip address 192 168 20 1 32 ip tcp adjust mss auto tunnel mode ipsec ipv4 tunnel protection ipsec policy 1 1 interface ppp 0 ip address 10 10 20 1 32 no ip redirects ip tcp adjust mss auto ip access group in pppO in ip masquerade ip spi filter ppp username test2 centurysys password test2pass ipsec policy 1 1 interface ethernet 0 ip address 192 168 20 1 24 1 interface ethernet 1 no ip address pppoe client ppp 0 1 221 235 show config router ospf router id 172 31 0 2 network 192 168 20 0 24 area 0 passive interface ethernet 0 1 dns service en
204. 92 168 10 0 24 192 168 20 0 24 ipsec access list LAN_C 192 168 10 0 24 192 168 30 0 24 1 1 end NXR B Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname NXR_B telnet server enable http server enable ipv6 forwarding no fast forwarding enable 1 1 189 235 1 ipsec local policy 1 address ip 1 ipsec isakmp policy 1 description NXR_A authentication pre share ipseckey1 hash sha1 encryption aes128 group 5 isakmp mode main remote address ip 10 10 10 1 local policy 1 1 I ipsec tunnel policy 1 description NXR_A set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 1 match address LAN_A 1 I interface ppp 0 ip address 10 10 20 1 32 no ip redirects ip tcp adjust mss auto ip access group in pppO in ip masquerade ip spi filter ppp username test2 centurysys password test2pass ipsec policy 1 1 interface ethernet 0 ip address 192 168 20 1 24 1 interface ethernet 1 no ip address pppoe client ppp 0 1 dns service enable 1 syslog local enable 1 1 I system led ext 0 signal level mobile 0 il route 0 0 0 0 0 ppp 0 1 ip access list pppO in permit 10 10 10 1 10 10 20 1 udp 500 500 ip access list pppO in permit 10 10 10 1 10 10 20 1 50 1 ipsec access list LAN A ip 192 168 20 0 24 192 168 10 0 24 1 show config 190 235 show config
205. A NXR _B config ipsec tunnel exit NXR B config finterface tunnel 1 NXR B config tunnel tttunnel mode ipsec ipv4 NXR B config tunnel tttunnel protection ipsec policy 1 NXR B config tunnel ttip tcp adjust mss auto NXR _B config tunnel exit NXR B config itinterface ethernet 1 B config if itip address 10 10 20 1 24 NXR B config if itipsec policy 1 NXR B config if itexit NXR B config itexit NXR_B save config 96 235 2 Route Based IPsec 2 4 X 509 NXR_A 1 4 X 509 NXR A 1 gt NXR_A config ip route 192 168 20 0 24 tunnel 1 IPsec IP IPsec IPsec LAN B NXR B IPsec 1
206. A config itinterface ethernet 1 NXR A config if itno ip address NXR A config if itpppoe client ppp 0 NXR A config if itexit NXR A config itdns NXR A config dns itservice enable NXR A config dns itexit NXR A config itexit NXR_A save config NXR B nxr120 configure terminal Enter configuration commands one per line End with CNTL Z nxr120 config hostname NXR B NXR B config itinterface ethernet 0 NXR B config if itip address 192 168 20 1 24 NXR B config if itexit NXR B config itip route 192 168 10 0 24 tunnel 1 NXR B config itip route 0 0 0 0 0 ppp 0 NXR B config itip access list pppO in permit 10 10 10 1 10 10 20 1 udp 500 500 NXR B config itip access list pppO in permit 10 10 10 1 10 10 20 1 50 NXR B config itipsec access list LAN A ip 192 168 20 0 24 192 168 10 0 24 NXR B config itipsec local policy 1 NXR B config ipsec local ftaddress ip NXR B config ipsec local itexit NXR B config fipsec isakmp policy 1 NXR B config ipsec isakmp ttdescription NXR A _B config ipsec isakmp authentication pre share ipseckey1 NXR B config ipsec isakmp tthash sha1 NXR _B config ipsec isakmp encryption aes128 NXR B config ipsec isakmp ttgroup 5 NXR B config ipsec isakmpj ttlifetime 10800 B config ipsec isakmp ttisakmp mode main NXR _B config ipsec isakmp remote address ip 10 10 10 1 NXR B config ipsec isakmp ttkeepalive 30 3 periodic restart NXR B config ipsec isakmp ttlocal policy 1 NXR
207. B config if ip address 192 168 120 1 24 Ethernet IPv4 10 10 20 1 24 NXR_B config if ipsec policy 1 IPsec IPsec IPsec 1 10 lt DNS gt NXR _B config dns NXR_B dns config service enable DNS LAN A LAN B IP 192 168 10 100 192 168 20 100 255 255 255 0 255 255 255 0 192 168 10 1 192 168 20 1 74 235 2 Route Based IPsec 2 Route Based IPsec 75 235 2 Route Based IPsec IP MainMode 1 IP MainMode LAN A 192 168 10 0 24 amp LAN B 192 168 20 0 24 NXR A NXR B IPsec LAN IPsec WAN fl IP
208. B config ipsec isakmp ttexit NXR B config itipsec tunnel policy 1 NXR B config ipsec tunnel itdescription NXR A NXR B config ipsec tunnel itnegotiation mode auto 102 235 2 Route Based IPsec 2 5 PPPoE IPsec NXR _B config ipsec tunnel set transform esp aes128 esp sha1 hmac NXR _B config ipsec tunnel set pfs group5 NXR _B config ipsec tunnel set sa lifetime 3600 NXR _B config ipsec tunnel set key exchange isakmp 1 NXR B config ipsec tunnel ttmatch address LAN A NXR _B config ipsec tunnel exit NXR B config finterface tunnel 1 NXR B config tunnel tttunnel mode ipsec ipv4 NXR B config tunnel tttunnel protection ipsec policy 1 NXR B config tunnel ttip tcp adjust mss auto NXR _B config tunnel exit NXR B config itinterface ppp 0 address 10 10 20 1 32 NXR B config ppp ttip masquerade NXR B config ppp ttip access group in pppO in NXR B config ppp ttip spi filter NXR B config ppp ttip tcp adjust mss auto NXR B config ppp ttno ip redirects NXR B config ppp itppp authentication auto NXR B config ppp itppp username test2 centurysys password test2pass B config ppp ttipsec policy 1 NXR _B config ppp exit NXR B config itinterface ethernet 1 NXR B config if itno ip address NXR B config if itpppoe client ppp 0 NXR B config if itexit NXR B config itdns NXR B config dns itservice enable NXR B config dns itexit NXR B config
209. FutureNet NXR WXR IPsec Ver 1 1 0 CENTURY SYSTEMS; 1 Policy Based IPsec 8; 1 1 IP MainMode 9; 1 2 IP AggressiveMode 17; 1 3 RSA 26; 1 4 X 509 35; 1 5 PPPoE IPsec 46; 1 6 65; 2 Route Based IPsec 75; 2 1 IP MainMode 76; 2 2 IP AggressiveMode 82; 2 3 88; 2 4 X 509 94; 2 5 PPPoE IPsec 100; 2 6 IPsec NAT 109; 2 7 IPsec
210. I 12 1 tunnel address ipsec tunnel mode Ins tunnel virtual template 0 1 interface virtual template 0 ip address 172 16 0 1 32 no ip redirects no ip rebound ip tcp adjust mss auto peer ip pool smartphoneip 1 interface ppp 0 225 235 ip address 10 10 10 1 32 no ip redirects ip tcp adjust mss auto ip access group in pppO in ip masquerade ip spi filter ppp username test1 centurysys ipsec policy 1 1 interface ethernet 0 ip address 192 168 10 1 24 1 interface ethernet 1 no ip address pppoe client ppp 0 1 dns service enable 1 syslog local enable 1 I access server profile 0 ppp username android01 ip 172 16 0 10 1 access server profile 1 ppp username ios01 ip 172 16 0 11 1 1 system led ext 0 signal level mobile 0 iB route 0 0 0 0 0 ppp 0 1 ip local pool smartphoneip address 172 16 0 10 172 16 0 11 1 ip access list pppO in permit any 10 10 10 1 udp 500 500 ip access list pppO in permit any 10 10 10 1 50 1 end show config 226 235 show config 3 2 L2TP IPsec CRT NXR Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname NXR telnet server enable http server enable ipv6 forwarding no fast forwarding enable I ppp account username android01 password android01pass ppp account username ios
211. ID INFORMATION 171 235 IPsec 8 ipsec access list gt PFS PFS lt gt pluto XXXX tunnel2 1 10 10 30 1 1 responding to Aggressive Mode from unknown peer 10 10 30 1 pluto XXXX tunnel2 1 10 10 30 1 1 ISAKMP SA established pluto XXXX tunnel2 1 10 10 30 1 1 Dead Peer Detection 3706 enabled pluto XXXX tunnel2 1 10 10 30 1 2 we require PFS but Quick I1 SA specifies no GROUP DESCRIPTION pluto XXXX tunnel2 1 10 10 30 1 2 sending encrypted notification NO PROPOSAL CHOSEN to 10 10 30 1 500 s ipsec tunnel policy set pfs lt gt pluto XXXX tunnel1 1 initiating Aggressive Mode 1 connection tunnel1 pluto XXXX tunnel1 1 sent AI2 ISAKMP SA established pluto XXXX tunnel1 1 Dead Peer Detection 3706 enabled pluto XXXX tunnel1 2 initiating Quick Mode PSK ENCRYPT TUNNEL UP 0x4000000 using isakmp 1 pluto XXXX tunnel1 1 ignoring informational payload type NO_PROPO
212. LAN_A 1 I interface tunnel 1 no ip address ip tcp adjust mss auto tunnel mode ipsec ipv4 tunnel protection ipsec policy 1 1 197 235 interface ethernet 0 ip address 192 168 20 1 24 1 interface ethernet 1 ip address 10 10 20 1 24 ipsec policy 1 dns service enable 1 syslog local enable 1 1 system led ext 0 signal level mobile 0 ip route 192 168 10 0 24 tunnel 1 ip route 0 0 0 0 0 10 10 20 254 1 ipsec access list LAN_A ip 192 168 20 0 24 192 168 10 0 24 1 1 1 end zo AE show config 198 235 show config 2 2 IP AggressiveMode NXR A hostname NXR_A telnet server enable http server enable ipv6 forwarding no fast forwarding enable 1 1 ipsec local policy 1 address ip 1 ipsec isakmp policy 1 description NXR B authentication pre share ipseckey keepalive 30 3 periodic clear hash shal encryption aes128 group 5 isakmp mode aggressive remote address ip any remote identity fqdn nxrb local policy 1 1 I ipsec tunnel policy 1 description NXR_B negotiation mode responder set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 1 match address LAN_B 1 I interface tunnel 1 no ip address ip tcp adjust mss auto tunnel mode ipsec ipv4 tunnel protection ipsec policy 1 1 interface et
213. NXR A IPsec ISAKMP 1 ISAKMP 1 NXR_A LT rsa sig NXR_A NXR WAN IP 10 10 10 1 NXR identity ID nxra fqdn NXR_A 8 IPsec ISAKMP gt 33 235 1 Policy Based IPsec 1 3 RSA 9 lt IPsec gt NXR B config itipsec tunnel policy 1 B config ipsec tunneD description NXR A NXR_B config ipsec tunnel negotiation mode auto B config ipsec tunneDset transform esp aes128 esp sha1 hmac B config ipsec tunneD set pfs group5 NXR _B config ipsec tunnel set sa lifetime 3600 NXR B config ipsec tunnel itset key exchange isakmp 1 NXR_B config ipsec tunnel match address LAN A NXR A IPsec
214. NXR A config ipsec isakmp ttisakmp mode main 1 X 509 NXR A config ipsec isakmp ttremote address ip 10 10 20 1 NXR WAN IP NXR WAN IP 10 10 20 1 LEF NXR A config ipsec isakmp ttremote identity dn C JP CN nxrb E nxrb example com NXR identity NXR identity DN Distinguished Name NXR DN subject C JP CN nxrb E nxrb example com X 509 identity NXR A config ipsec isakmp ttkeepalive 30 3 periodic restart IKE KeepAlive DPD DPD Dead Peer Detection ISAKMP SA NXR WAN SA SA
215. NXR A config ipsec isakmp ttremote identity fqdn nxrc NXR A config ipsec isakmp ttkeepalive 30 3 periodic clear NXR A config ipsec isakmp ttlocal policy 1 NXR_A config ipsec isakmp exit NXR A config ifipsec tunnel policy 2 120 235 2 Route Based IPsec 2 8 IPsec OSPF NXR A config ipsec tunnel itdescription NXR C NXR _A config ipsec tunnel negotiation mode responder NXR A config ipsec tunnel itset transform esp aes128 esp sha1 hmac NXR _A config ipsec tunnel set pfs group5 NXR A config ipsec tunnelDtset sa lifetime 3600 NXR _A config ipsec tunnel set key exchange isakmp 2 NXR A config ipsec tunnel ttmatch address LAN C NXR _A config ipsec tunnel exit NXR A config tinterface tunnel 2 NXR A config tunnel tip address 192 168 10 1 32 NXR A config tunnel ttunnel mode ipsec ipv4 NXR A config tunnel tttunnel protection ipsec policy 2 NXR A config tunnel itip tcp adjust mss auto NXR _A config tunnel exit NXR A config itinterface ppp 0 NXR A config ppp tip address 10 10 10 1 32 NXR A config ppp ttip masquerade NXR A config ppp ttip access group in pppO in NXR A config ppp ttip spi filter NXR A config ppp ttip tcp adjust mss auto NXR A config ppp ttno ip redirects NXR A config ppp itppp authentication auto NXR A config ppp ttppp username test1 centurysys password test1pass NXR A config ppp ttipsec policy 1 NXR_A config p
216. NXR config 2tp tunnel mode Ins L2TPv2 LNS NXR config I2tp ttunnel address any ipsec IP any any IPsec IPsec SA 163 235 3 L2TP IPsec 3 3 L2TP IPsec NAT NXR config I2tp sttunnel virtua template 0 LNS virtual template 0 13 lt WAN ppp0 gt NXR config tinterface ppp 0 WAN ppp0 NXR config ppp itip address 10 10 10 1 32 IP 10 10 10 1 32 NXR config ppp ftip masquerade IP NXR config ppp ftip access group pppO in IP pppO in in ppp0 NXR IP
217. P gt 8 lt IPsec gt NXR B config ifipsec tunnel policy 1 B config ipsec tunneD description NXR_A NXR_B config ipsec tunnel negotiation mode auto B config ipsec tunnel set transform esp aes128 esp shal hmac B config ipsec tunneD set pfs group5 NXR _B config ipsec tunnel set sa lifetime 3600 NXR B config ipsec tunnel itset key exchange isakmp 1 NXR B config ipsec tunnel ttmatch address LAN NXR A IPsec 1 1 NXR A IPsec LAN_A NXR_A 13 IPsec gt 9 lt Ethernet1 gt NXR_B config interface ethernet 1 NXR B config if itip address 10 10 20 1 24 Ethernet IP 10 10 20 1 24 NXR_B config if ipsec policy 1 IPsec IPsec
218. Psec IPSec NXR L2TP IPsec CRT L2TP IPSec RSA 10 10 10 1 NXR WAN IP L2TP IPSec nxr L2TP IPsec IPSecCA nxr L2TP IPsec IPSec 6 VPN NXR L2TP IPsec CRT NXR L2TP IPsec CRT VPN NXR L2TP IPsec CRT L2TP IPSec VPN VPN 154 235 3 L2TP IPsec 3 2 L2TP IPsec CRT 7 L2TP IPsec PPP Ej gn android01
219. R_C config ip route 0 0 0 0 0 ppp 0 ppp 4 <IP> NXR_C config ip access list 0 permit 10 10 10 1 500 500 NXR_C config ip access list ppp0_in permit 10 10 10 1 any 50 IP ppp0_in IP 10 10 10 1 UDP 500 UDP 500 IP 10 10 10 1 50 ESP IP ppp0 S IP UDP 500 50 ESP IPsec 5 XIPsec
220. SAL CHOSEN m ipsec tunnel policy set pfs 172 235 L2TP IPsec L2TP IPsec e L2TP IPsec IPsec L2TP PPP IPsec show ipsec status brief lt gt NXR show ipsec status brief TunnelName Status tunnel1 up IPsec SA IPsec established up down IP IPsec SA show ipsec status show ipsec status tunnel lt gt tunnel
221. State established PPP show ppp lt gt NXR show ppp PPP100 session state is connected line type is L2TP LNS time since change 00 00 21 See also show 2tp command 173 235 L2TP IPsec e L2TP IPsec lt gt pluto XXXX pluto XXXX pluto XXXX pluto XXXX pluto XXXX pluto XXXX pluto XXXX I2tp XXXX L2TP Session Established I2tp XXXX I2tp XXXX I2tp XXXX pppd XXXX L2TPv2 plugin loaded pppd XXXX pppd 2 4 4 started pppd XXXX Using interface ppp100 pppd XXXX Connect ppp100 lt gt Local pluto XXXX packet from 10 10 20 10 500 pluto XXXX packet from 10 10 20 10 500 pluto XXXX packet from 10 10 20 10 500 pluto XXXX packet from 10 10 20 10 500 pluto XXXX packet from 10 10 20 10 500 pluto XXXX packet from 10 10 20 10 500 pluto XXXX packet from 10 10 20 10 500 pluto XXXX packet from 10 10 20 10 500 pluto XXXX packet from 10 10 20 10 500 pluto XXXX packet from 10 10 20 10 500 pluto XXXX packet from 10 10 20 10 500 packet from 10 10 20 10 500 tunnell 1 10 10 20 10 1 tunnell 1 10 10 20 10 1 tunnell 1 10 10 20 10 1 tunnell 1 10 10 20 10 1 tun
222. T NXR L2TP IPsec IPsec 192 168 10 0 24 Android IP Eho NES ppp0 192 168 10 100 192 168 10 1 1010101 IP 1IP 2 IP ID IP IP IP NXR LAN virtual template 0 157 235 3 L2TP IPsec 3 3 L2TP IPsec NAT NXR nxr120 configure terminal Enter configuration commands one per line End with CNTL Z nxr120 config hostname NXR NXR config interface ethernet 0 NXR config if ip address 192 168 10 1 24 NXR config if exit NXR config ip route 0 0 0 0 0 ppp 0 NXR config ip access list ppp0_in permit any 10 10 10 1 udp any 500
223. VPN NXR VPN IPsec LAN_A 192 168 10 0 24 Android Eth0 192 168 10 100 192 168 10 1 1010401 iOS L2TP IPsec IPsec L2TP virtual template RAS IPsec L2TP L2TPv2 LNS virtual template IP IP 2 IP IP 2 DD IP 130 235 3 L2TP IPsec 3 1 L2TP IPsec NXR nxr120 configure terminal Enter configuration commands one per line End with CNTL Z nxr120 config hostname NXR NXR config interface ether
224. XR B config tipsec local policy 1 NXR B config ipsec local ftaddress ip NXR _B config ipsec local self identity fqdn nxrb NXR B config ipsec local ttexit NXR B config fipsec isakmp policy 1 NXR B config ipsec isakmp ttdescription NXR A B config ipsec isakmp fauthentication rsa sig 0sAQNe9Ghb4CNEaJully67aSxECLJD HhvndH1opuMs6P8yGiTNIcGeSOQ8XEy8iYTst2bv022XUxSt37RhOR5IRiY1i83TXkQZbhnJDCNJv rt X aro745MbJ9auXT1L5tda4C54S7SELboAtU28sD3si0OwlzLWtE7yRUqLP4ZiiNMw NXR B config ipsec isakmp tthash sha1 NXR _B config ipsec isakmp encryption aes128 NXR B config ipsec isakmp ttgroup 5 NXR B config ipsec isakmpj ttlifetime 10800 NXR B config ipsec isakmp ttisakmp mode main NXR B config ipsec isakmp ttremote address ip 10 10 10 1 NXR _B config ipsec isakmp remote identity fqdn nxra NXR B config ipsec isakmp ttkeepalive 30 3 periodic restart NXR B config ipsec isakmp ttlocal policy 1 NXR B config ipsec isakmp ttexit NXR B config itipsec tunnel policy 1 NXR B config ipsec tunnel itdescription NXR A NXR B config ipsec tunnel itnegotiation mode auto NXR B config ipsec tunnel itset transform esp aes128 esp sha1 hmac NXR _B config ipsec tunnel set pfs group5 NXR _B config ipsec tunnel set sa lifetime 3600 NXR _B config ipsec tunnel set key exchange isakmp 1 NXR B config ipsec tunnel ttmatch address LAN A NXR B config ipsec tunnel itexit NXR B config itinterface ethernet 1 NXR B config if itip address 10 10 20 1 24 NXR B confi
225. XR _A config ipsec tunnel set key exchange isakmp 1 NXR A config ipsec tunnel itmatch address LAN B NXR_A config ipsec tunnel exit NXR A config finterface tunnel 1 NXR A config tunnel tino ip address NXR A config tunnel tttunnel mode ipsec ipv4 NXR A config tunnel tttunnel protection ipsec policy 1 NXR A config tunnel ttip tcp adjust mss auto NXR A config tunnel ttexit NXR A config tinterface ppp 0 NXR A config ppp ftip address 10 10 10 1 32 NXR A config ppp ttip masquerade NXR A config ppp ttip access group in pppO in NXR A config ppp ttip spi filter NXR A config ppp ttip tcp adjust mss auto NXR A config ppp ttno ip redirects NXR A config ppp ttppp authentication auto NXR A config ppp ttppp username test1 centurysys password test1pass NXR A config ppp ttipsec policy 1 NXR_A config ppp exit NXR A config itinterface ethernet 1 NXR A config if itno ip address NXR A config if itpppoe client ppp 0 NXR A config if itexit NXR A config itdns 110 235 2 Route Based IPsec 2 6 IPsec NAT NXR_A config dns service enable NXR A config dns itexit NXR A config itexit NXR_A save config NXR B nxr120 configure terminal Enter configuration commands one per line End with CNTL Z nxr120 config hostname NXR B NXR B config itinterface ethernet 0 NXR B config if itip address 192 168 20 1 24 NXR B config if itexit NXR B config itip rou
226. XR_A config tunnel tunnel protection ipsec policy 1 IPsec IPsec 1 ipsec policy 1 S IPsec NXR_A config tunnel ip tcp adjust mss auto TCP MSS TCP MSS TCP MSS TCP 79 235 2 Route Based IPsec 2 1 IP MainMode NXR_B 1 1 IP MainMode 1 gt NXR_B config ip route 192 168 10 0 24 tunnel 1 IPsec IP
227. a1 NXR _B config ipsec isakmp encryption aes128 NXR B config ipsec isakmp ttgroup 5 NXR B config ipsec isakmp ttisakmp mode aggressive NXR B config ipsec isakmp ttremote address ip 10 10 10 1 NXR B config ipsec isakmp ttkeepalive 30 3 periodic restart NXR B config ipsec isakmp ttlocal policy 1 NXR B config ipsec isakmp ttexit NXR B config tipsec tunnel policy 1 NXR B config ipsec tunnel itdescription NXR A NXR B config ipsec tunnel itnegotiation mode auto NXR B config ipsec tunnel itset transform esp aes128 esp sha1 hmac NXR _B config ipsec tunnel set pfs group5 NXR _B config ipsec tunnel set key exchange isakmp 1 NXR_B config ipsec tunnel match address LAN A NXR _B config ipsec tunnel exit NXR B config finterface tunnel 1 NXR B config tunnel tttunnel mode ipsec ipv4 NXR B config tunnel tttunnel protection ipsec policy 1 NXR B config tunnel ttip tcp adjust mss auto NXR _B config tunnel exit NXR B config itinterface ethernet 1 NXR B config if itip address dhcp NXR B config if itipsec policy 1 NXR B config if itexit NXR B config itexit NXR_B save config 84 235 2 Route Based IPsec 2 2 IP AggressiveMode NXR A 1 2 IP AggressiveMode NXR_A
228. able 1 syslog local enable 1 1 I system led ext 0 signal level mobile 0 e route 0 0 0 0 0 ppp 0 1 ip access list pppO in permit 10 10 10 1 10 10 20 1 udp 500 500 ip access list pppO in permit 10 10 10 1 10 10 20 1 50 1 ipsec access list LAN_A ip 192 168 20 0 24 192 168 10 0 24 1 1 1 end NXR C Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname NXR_C telnet server enable http server enable ipv6 forwarding no fast forwarding enable 1 1 ipsec local policy 1 address ip self identity fqdn nxrc 1 ipsec isakmp policy 1 description NXR_A authentication pre share Ipseckey2 hash shal encryption aes128 group 5 isakmp mode aggressive remote address ip 10 10 10 1 222 235 local policy 1 1 ipsec tunnel policy 1 description NXR_A set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 1 match address LAN_A 1 interface tunnel 1 ip address 192 168 30 1 32 ip tcp adjust mss auto tunnel mode ipsec ipv4 tunnel protection ipsec policy 1 1 interface ppp 0 ip address negotiated no ip redirects ip tcp adjust mss auto ip access group in pppO in ip masquerade ip spi filter ppp username test3 centurysys password test3pass ipsec policy 1 1 interface ethernet 0 ip address 192 168 30 1 24 1 interface ethernet 1 no ip address pppoe client ppp 0 1 router ospf router id 172 31 0 3 netwo
229. address ip NXR A config ipsec local itexit NXR A config fipsec isakmp policy 1 NXR A config ipsec isakmp ttdescription B NXR A config ipsec isakmp ttauthentication pre share ipseckey1 NXR A config ipsec isakmp tthash sha1 NXR _A config ipsec isakmp encryption aes128 NXR A config ipsec isakmp ttgroup 5 NXR A config ipsec isakmp ttlifetime 10800 NXR A config ipsec isakmp ttisakmp mode main NXR _A config ipsec isakmp remote address 10 10 20 1 NXR A config ipsec isakmp ttkeepalive 30 3 periodic restart NXR A config ipsec isakmp ttlocal policy 1 NXR_A config ipsec isakmp exit NXR A config itipsec tunnel policy 1 NXR_A config ipsec tunnel description NXR B NXR _A config ipsec tunnel negotiation mode auto NXR A config ipsec tunnel itset transform esp aes128 esp sha1 hmac NXR _A config ipsec tunnel set pfs group5 NXR _A config ipsec tunnel set sa lifetime 3600 NXR _A config ipsec tunnel set key exchange isakmp 1 NXR_A config ipsec tunnel match address LAN B NXR A config ipsec tunnelitexit NXR A config ifipsec isakmp policy 2 NXR A config ipsec isakmp ttdescription NXR C NXR_A config ipsec isakmp authentication pre share ipseckey2 NXR A config ipsec isakmp tthash sha1 NXR _A config ipsec isakmp encryption aes128 NXR A config ipsec isakmp ttgroup 5 NXR A config ipsec isakmp ttlifetime 10800 NXR A config ipsec isakmp ttisakmp mode aggressive NXR A config ipsec isakmp ttremote address ip any NXR A config ipse
230. adjust mss auto NXR _A config tunnel exit NXR A config itinterface ethernet 1 NXR A config if itip address 10 10 10 1 24 NXR A config if itipsec policy 1 NXR A config if itexit NXR A config itexit NXR_A save config 89 235 2 Route Based IPsec 2 3 RSA NXR B nxr120 configure terminal Enter configuration commands one per line End with CNTL Z nxr120 config hostname NXR B NXR B config itinterface ethernet 0 NXR B config if itip address 192 168 20 1 24 NXR B config if itexit NXR B config itip route 192 168 10 0 24 tunnel 1 NXR B config itip route 0 0 0 0 0 10 10 20 254 NXR B config itipsec access list LAN A ip 192 168 20 0 24 192 168 10 0 24 NXR B config itipsec generate rsa sig key 1024 RSA SIG KEY generating NXR B config itexit NXR_B show ipsec rsa pub key RSA public key OsAQOx8kEGuhZTvWMikunsy3uK5 7jIKTXsCjQpgo4B X64UAVeuxFQZ3KG3bzyjmyCbpktOxEiU v 1k F4AOAOXoDfgND KAdEky YWqQYzMuuuu2uy K6E9JA24NACufuqMqgGSXc51fJ 6V5Qi9YtVd7TWBkZQ SZJJADBHs YyYD9Q NXR_B configure terminal Enter configuration commands one per line End with CNTL Z B config itipsec local policy 1 NXR B config ipsec local ftaddress ip NXR B config ipsec local itself identity fqdn nxrb NXR B config ipsec local ttexit NXR B config fipsec isakmp policy 1 NXR B config ipsec isakmp ttdescription NXR A B config ipsec isakmp ftau
231. al Enter configuration commands one per line End with CNTL Z nxr120 config hostname NXR B NXR B config itinterface ethernet 0 NXR B config if itip address 192 168 20 1 24 NXR B config if itexit NXR B config itip route 0 0 0 0 0 ppp 0 NXR B config itip access list pppO in permit 10 10 10 1 10 10 20 1 udp 500 500 NXR B config itip access list pppO in permit 10 10 10 1 10 10 20 1 50 NXR B config itipsec access list LAN A ip 192 168 20 0 24 192 168 10 0 24 NXR B config itipsec local policy 1 NXR B config ipsec local ftaddress ip NXR B config ipsec local itexit NXR B config fipsec isakmp policy 1 NXR B config ipsec isakmp ttdescription NXR A NXR _B config ipsec isakmp authentication pre share ipseckey1 NXR B config ipsec isakmp tthash sha1 NXR _B config ipsec isakmp encryption aes128 NXR B config ipsec isakmp ttgroup 5 NXR B config ipsec isakmpj ttlifetime 10800 B config ipsec isakmp ttisakmp mode main NXR B config ipsec isakmp ttremote address ip 10 10 10 1 NXR B config ipsec isakmp ttkeepalive 30 3 periodic restart NXR B config ipsec isakmp ttlocal policy 1 NXR B config ipsec isakmp ttexit NXR B config itipsec tunnel policy 1 NXR B config ipsec tunnel itdescription NXR A NXR B config ipsec tunnel itnegotiation mode auto NXR _B config ipsec tunnel set transform esp aes128 esp sha1 hmac NXR _B config ipsec tunnel set pfs group5 NXR _B config ipsec tunnel set sa lifetime 3600 NXR _B config ipsec tunnel set key
232. artphone nat traversal 1 I 12 1 tunnel address ipsec tunnel mode Ins tunnel virtual template 0 1 interface virtual template 0 ip address 192 168 10 1 32 no ip redirects no ip rebound ip tcp adjust mss auto peer ip proxy arp peer ip pool smartphoneip 229 235 interface ppp 0 ip address 10 10 10 1 32 no ip redirects ip tcp adjust mss auto ip access group in pppO in ip masquerade ip spi filter ppp username test1 centurysys ipsec policy 1 1 interface ethernet 0 ip address 192 168 10 1 24 1 interface ethernet 1 no ip address pppoe client ppp 0 1 dns service enable 1 syslog local enable 1 1 I system led ext 0 signal level mobile 0 ip route 0 0 0 0 0 ppp 0 1 ip local pool smartphoneip address 192 168 10 10 192 168 10 11 1 ip access list pppO in permit any 10 10 10 1 udp any 500 ip access list pppO in permit any 10 10 10 1 udp any 4500 1 1 end show config 230 235 231 235
233. assword test3pass NXR_C config ppp ipsec policy 1 49 235 1 Policy Based IPsec 1 5 PPPoE IPsec NXR_C config ppp exit NXR_C config interface ethernet 1 NXR_C config if no ip address NXR_C config if pppoe client ppp 0 NXR_C config if exit NXR_C config dns NXR_C config dns service enable NXR_C config dns exit NXR_C config exit NXR_C save config 50 235 1 Policy Based IPsec 1 5 PPPoE IPsec NXR_A 1 lt gt nxr120 config hostname NXR_A NXR_A 2 Ethernet0 gt NXR_A config interface ethernet 0 NXR_A config if ip address 192 168 10 1 24 Ethernet0 IP 192 168 10 1 24 3 gt NXR_A config ip route 0 0 0 0 0 ppp 0 PPPoE ppp 4 <IP> NXR_A config ip access list ppp0_in permit any 10 10 10 1 500 500 NXR_A config ip access list ppp0 permit a
234. auto TCP MSS TCP MSS TCP MSS TCP 91 235 2 Route Based IPsec 2 3 RSA NXR_B 1 3 RSA NXR_B 1 gt NXR_B config ip route 192 168 10 0 24 tunnel 1 IPsec IP IPsec IPsec LAN_A NXR_A IPsec 1 tunnel 1 2 l
235. c 2 7 IPsec NXR Ping Ping IPsec LAN_A 192 168 10 0 24 LAN_B 192 168 20 0 24 NXR_A Eth0 10 10 10 254 10 10 20 254 A 192 168 10 100 we 168 10 1 10 10 10 1 DHCP 192 20 1 168 20 100 IP Ping 192 168 10 1 10 2 up down Ping IPsec IPsec ISAKMP
236. c PSK L2TP IPSec VPN VPN 140 235 3 L2TP IPsec 3 1 L2TP IPsec 7 L2TP IPsec PPP EIU android01 8 VPN VPN VPN L2TP IPsec PSK VPN 141 235 3 L2TP IPsec 3 1 L2TP IPsec iOS 105 iOS iOS 1
237. c isakmp ttremote identity fqdn nxrb NXR A config ipsec isakmp ttkeepalive 30 3 periodic clear NXR A config ipsec isakmp ttlocal policy 1 NXR_A config ipsec isakmp exit NXR A config itipsec tunnel policy 1 NXR A config ipsec tunnel tdescription NXR B NXR _A config ipsec tunnel negotiation mode responder NXR A config ipsec tunnel itset transform esp aes128 esp sha1 hmac NXR _A config ipsec tunnel set pfs group5 NXR _A config ipsec tunnel set sa lifetime 3600 NXR _A config ipsec tunnel set key exchange isakmp 1 NXR_A config ipsec tunnel match address LAN B NXR_A config ipsec tunnel exit NXR A config itinterface ppp 0 NXR_A config ppp ip address 10 10 10 1 32 NXR_A config ppp ip masquerade NXR A config ppp ttip access group in pppO in NXR A config ppp ttip spi filter NXR A config ppp ttip tcp adjust mss auto NXR A config ppp ttno ip redirects NXR A config ppp ttppp authentication auto NXR A config ppp ttppp username test1 centurysys password test1pass NXR A config ppp ttipsec policy 1 NXR_A config ppp exit NXR A config itinterface ethernet 1 NXR A config if itno ip address NXR A config if itpppoe client ppp 0 NXR A config if itexit NXR A config itdns NXR_A config dns service enable NXR A config dns itexit NXR A config itexit NXR_A save config 66 235 1 Policy Based IPsec 1 6 IPsec NAT NXR B nxr120 configure terminal
238. c isakmp ttremote identity fqdn nxrc NXR A config ipsec isakmp ttkeepalive 30 3 periodic clear NXR A config ipsec isakmp ttlocal policy 1 NXR_A config ipsec isakmp exit NXR A config ifipsec tunnel policy 2 NXR A config ipsec tunnel itdescription NXR C NXR_A config ipsec tunnel negotiation mode responder NXR _A config ipsec tunnel set transform esp aes128 esp sha1 hmac NXR _A config ipsec tunnel set pfs group5 NXR _A config ipsec tunnel set sa lifetime 3600 NXR _A config ipsec tunnel set key exchange isakmp 2 NXR A config ipsec tunnel ttmatch address LAN C NXR _A config ipsec tunnel exit NXR A config itinterface ppp 0 NXR A config ppp fip address 10 10 10 1 32 NXR A config ppp ttip masquerade 41 235 1 Policy Based IPsec 1 5 PPPoE IPsec NXR A config ppp ttip access group in pppO in NXR A config ppp ttip spi filter NXR A config ppp ttip tcp adjust mss auto NXR A config ppp ttno ip redirects NXR A config ppp ttppp authentication auto NXR A config ppp itppp username test1 centurysys password test1pass NXR A config ppp ttipsec policy 1 NXR_A config ppp exit NXR A config itinterface ethernet 1 NXR A config if itno ip address NXR_A config if pppoe client ppp 0 NXR A config if itexit NXR A config itdns NXR A config dns itservice enable NXR A config dns itexit NXR A config itexit NXR_A save config NXR B nxr120 configure termin
239. c tunnel description NXR_A 1 NXR_A NXR_B config ipsec tunnel negotiation mode auto 58 235 1 Policy Based IPsec 1 5 PPPoE IPsec IPsec auto NXR_B config ipsec tunnel set transform esp aes128 esp sha1 hmac IPsec esp aes128 esp sha1 hmac NXR_B config ipsec tunnel set pfs group5 PFS Perfect Forward Secrecy DH PFS DH group5 NXR_B config ipsec tunnel set sa lifetime 3600 IPsec SA
240. c tunnel set sa lifetime 3600 IPsec SA 3600 NXR_A config ipsec tunnel set key exchange isakmp 1 ISAKMP ISAKMP 1 70 235 1 Policy Based IPsec 1 6 IPsec NAT NXR_A config ipsec tunnel match address LAN_B IPsec IPsec LAN_B 10 <ppp0> NXR_A config interface ppp 0 NXR_A config ppp ip address 10 10 10 1 32 NXR_A config ppp ip masquerade NXR_A config ppp ip access group in ppp0_in NXR_A config ppp ip spi filter NXR_A config ppp ip tcp adjust mss auto NXR_A config ppp no ip redirects NXR_A config ppp ppp authentication auto NXR_A config ppp ppp username test1 centurysys password test1pass NXR_A config ppp ipsec policy 1 ppp0 IP IP 10 10 10 1 32 IP NAT
241. cryption aes128 group 5 isakmp mode main remote address ip 10 10 20 1 local policy 1 1 ipsec tunnel policy 1 description set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 1 match address LAN_B 1 I interface tunnel 1 no ip address ip tcp adjust mss auto tunnel mode ipsec ipv4 tunnel protection ipsec policy 1 1 interface ethernet 0 ip address 192 168 10 1 24 1 interface ethernet 1 ip address 10 10 10 1 24 ipsec policy 1 dns service enable 1 syslog local enable 1 1 1 system led ext 0 signal level mobile 0 Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 196 235 show config ip route 192 168 20 0 24 tunnel 1 ip route 0 0 0 0 0 10 10 10 254 1 EY access list LAN_B ip 192 168 10 0 24 192 168 20 0 24 1 1 1 end NXR B Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname NXR_B telnet server enable http server enable 1 ipv6 forwarding no fast forwarding enable 1 1 ipsec local policy 1 address ip 1 ipsec isakmp policy 1 description NXR_A authentication pre share ipseckey hash shal encryption aes128 group 5 isakmp mode main remote address ip 10 10 10 1 local policy 1 1 I ipsec tunnel policy 1 description NXR_A set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 1 match address
242. ed IPsec 1 2 Sg IP AggressiveMode NXR_B 1 lt gt nxr120 config hostname NXR_B NXR_B 2 Ethernet0 gt NXR_B config interface ethernet 0 NXR_B config if ip address 192 168 20 1 24 Ethernet0 IP 192 168 20 1 24 3 <IPsec> NXR_B config ipsec access list ip 192 168 20 0 24 192 168 10 0 24 Policy Based IPsec IPsec IPsec ESP IP IPsec IPsec LAN_A IP 192 168 20 0 24 IP 192 168 10 0 24 4 XIPsec gt NXR_B config ipsec local policy 1 IPsec 1 NXR_B config ipsec local address ip IPsec IP
243. entury Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname NXR_B telnet server enable http server enable 1 ipv6 forwarding no fast forwarding enable 1 I ipsec nat traversal enable 1 ipsec local policy 1 address ip self identity fqdn nxrb 1 I ipsec isakmp policy 1 description NXR_A authentication pre share ipseckey hash shal encryption aes128 group 5 isakmp mode aggressive remote address ip 10 10 10 1 local policy 1 1 I ipsec tunnel policy 1 description NXR_A 194 235 set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 1 match address LAN A 1 interface ethernet 0 ip address 192 168 20 1 24 1 interface ethernet 1 ip address 192 168 120 1 24 ipsec policy 1 dns service enable 1 syslog local enable 1 1 I system led ext 0 signal level mobile 0 ip route 0 0 0 0 0 192 168 120 254 I Wee access list LAN A ip 192 168 20 0 24 192 168 10 0 24 1 1 end zo AE show config 195 235 show config 2 1 IP MainMode NXR A hostname NXR_A telnet server enable http server enable ipv6 forwarding no fast forwarding enable 1 1 ipsec local policy 1 address ip 1 ipsec isakmp policy 1 description NXR_B authentication pre share ipseckey hash sha1 en
244. ess LAN_A NXR_B config ipsec tunnel exit NXR_B config interface tunnel 1 NXR_B config tunnel tunnel mode ipsec ipv4 NXR_B config tunnel tunnel protection ipsec policy 1 NXR_B config tunnel ip tcp adjust mss auto NXR_B config tunnel exit NXR_B config interface ethernet 1 NXR_B config if ip address 10 10 20 1 24 NXR_B config if ipsec policy 1 NXR_B config if exit NXR_B config exit NXR_B save config 78 235 2 Route Based IPsec 2 1 IP MainMode NXR_A S 1 1 IP MainMode NXR_A 1 gt NXR_A config ip route 192 168 20 0 24 tunnel 1 IPsec IP IPsec IPsec LAN_B NXR_B IPsec 1
245. g if ipsec policy 1 NXR_B config if exit NXR_B config exit NXR_B save config 28 235 1 Policy Based IPsec 1 3 RSA NXR_A 1 lt gt nxr120 config hostname NXR_A NXR_A 2 Ethernet0 gt NXR_A config interface ethernet 0 NXR_A config if ip address 192 168 10 1 24 Ethernet0 IP 192 168 10 1 24 3 gt NXR_A config ip route 0 0 0 0 0 10 10 10 254 IP 4 <IPsec> NXR_A config ipsec access list LAN_B ip 192 168 10 0 24 192 168 20 0 24 Policy Based IPsec IPsec IPsec ESP IP IPsec IPsec LAN_B
246. g ipsec tunnel set pfs group5 NXR _A config ipsec tunnel set sa lifetime 3600 NXR _A config ipsec tunnel set key exchange isakmp 1 NXR_A config ipsec tunnel match address LAN B NXR_A config ipsec tunnel exit NXR A config finterface tunnel 1 NXR A config tunnel tttunnel mode ipsec ipv4 NXR A config tunnel tttunnel protection ipsec policy 1 NXR A config tunnel ttip tcp adjust mss auto NXR A config tunnel ttexit NXR A config itinterface ethernet 1 NXR A config if itip address 10 10 10 1 24 NXR A config if itipsec policy 1 NXR A config if itexit NXR A config itexit NXR_A save config 83 235 2 Route Based IPsec 2 2 IP AggressiveMode NXR B nxr120 configure terminal Enter configuration commands one per line End with CNTL Z nxr120 config hostname NXR B NXR B config itinterface ethernet 0 NXR B config if itip address 192 168 20 1 24 NXR B config if itexit NXR B config itip route 192 168 10 0 24 tunnel 1 NXR B config itipsec access list LAN A ip 192 168 20 0 24 192 168 10 0 24 NXR B config tipsec local policy 1 NXR B config ipsec local ftaddress ip NXR B config ipsec local itself identity fqdn nxrb NXR B config ipsec local ttexit NXR B config fipsec isakmp policy 1 NXR B config ipsec isakmp ttdescription NXR A _B config ipsec isakmp authentication pre share ipseckey NXR B config ipsec isakmp tthash sh
247. g ipsec tunnel set pfs group5 PFS Perfect Forward Secrecy DH PFS DH group5 NXR_A config ipsec tunnel set sa lifetime 3600 IPsec SA 3600 NXR_A config ipsec tunnel set key exchange isakmp 1 ISAKMP ISAKMP 1 NXR_A config ipsec tunnel match address LAN_B IPsec IPsec LAN_B 8 <Ethernet1> NXR_A config interface ethernet 1 NXR_A config if ip address 10 10 10 1 24 Ethernet1 IP 10 10 10 1 24 NXR_A config if ipsec policy 1 IPsec IPsec IPsec 1 23 235 1 Policy Bas
248. group 5 NXR A config ipsec isakmp ttlifetime 10800 NXR A config ipsec isakmp ttisakmp mode main NXR _A config ipsec isakmp remote address ip 10 10 20 1 NXR A config ipsec isakmp ttkeepalive 30 3 periodic restart NXR A config ipsec isakmp ttlocal policy 1 NXR_A config ipsec isakmp exit NXR A config itipsec tunnel policy 1 NXR A config ipsec tunnel tdescription NXR B NXR A config ipsec tunnel itnegotiation mode auto NXR A config ipsec tunnel itset transform esp aes128 esp sha1 hmac NXR _A config ipsec tunnel set pfs group5 NXR _A config ipsec tunnel set sa lifetime 3600 NXR _A config ipsec tunnel set key exchange isakmp 1 NXR_A config ipsec tunnel match address LAN B NXR A config ipsec tunnel itexit NXR A config itinterface ethernet 1 NXR A config if itip address 10 10 10 1 24 NXR A config if itipsec policy 1 NXR A config if itexit NXR A config itexit NXR_A save config 10 235 1 Policy Based IPsec 1 1 IP MainMode NXR B nxr120 configure terminal Enter configuration commands one per line End with CNTL Z nxr120 config hostname NXR B NXR B config itinterface ethernet 0 NXR B config if itip address 192 168 20 1 24 NXR B config if itexit NXR B config itip route 0 0 0 0 0 10 10 20 254 NXR B config itipsec access list LAN A ip 192 168 20 0 24 192 168 10 0 24 NXR B config itipsec local policy 1 NXR B config i
249. hernet 0 ip address 192 168 10 1 24 1 interface ethernet 1 ip address 10 10 10 1 24 ipsec policy 1 1 dns service enable 1 syslog local enable 1 Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 199 235 show config 1 system led ext 0 signal level mobile 0 ip route 192 168 20 0 24 tunnel 1 ip route 0 0 0 0 0 10 10 10 254 1 ipsec access list LAN_B ip 192 168 10 0 24 192 168 20 0 24 1 1 1 end NXR B Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname NXR_B telnet server enable http server enable ipv6 forwarding no fast forwarding enable 1 1 ipsec local policy 1 address ip self identity fqdn nxrb 1 ipsec isakmp policy 1 description NXR_A authentication pre share ipseckey hash shal encryption aes128 group 5 isakmp mode aggressive remote address ip 10 10 10 1 local policy 1 1 I ipsec tunnel policy 1 description NXR_A set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 1 match address LAN_A 1 I interface tunnel 1 no ip address 200 235 ip tcp adjust mss auto tunnel mode ipsec ipv4 tunnel protection ipsec policy 1 1 interface ethernet 0 ip address 192 168 20 1 24 1 interface ethernet 1 ip address dhcp ipsec policy 1 dns service enable 1 syslog local enable 1 1 system led ext 0 signal level mobile 0
250. ig ipsec access list LAN_A ip 192 168 20 0 24 192 168 10 0 24 Policy Based IPsec IPsec IPsec ESP IP IPsec IPsec LAN_A IP 192 168 20 0 24 IP 192 168 10 0 24 5 X 509 gt NXR_B config ipsec x509 enable NXR_B config ipsec x509 ca certificate nxr ftp 192 168 20 10 nxrCA pem NXR_B config ipsec x509 crl nxr ftp 192 168 20 10 nxrCRL pem NXR_B config ipsec x509 certificate nxrb ftp 192 168 20 10 nxrbCert pem NXR_B config ipsec x509 private key nxrb key ftp 192 168 20 10 nxrbKey pem NXR_B config ipsec x509 private key nxrb password nxrbpass X 509 NXR_A 5 <X 509> 6 CA gt 7 CRL gt 8 NXR_A
251. ig ipsec isakmp authentication pre share ipseckey1 LT pre share ipseckey1 NXR_A 57 235 1 Policy Based IPsec 1 5 PPPoE IPsec NXR_B config ipsec isakmp hash sha1 sha1 NXR_B config ipsec isakmp encryption aes128 aes128 NXR_B config ipsec isakmp group 5 Diffie Hellman DH group 5 NXR_B config ipsec isakmp lifetime 10800 ISAKMP SA 10800 NXR_B config ipsec isakmp isakmp mode main 1 NXR_A NXR_B WAN IP NXR_B config ipsec isakmp remote address ip 10 10 10 1 NXR_A WAN
252. in remote address ip 10 10 10 1 local policy 1 1 I ipsec tunnel policy 1 description NXR_A set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 1 match address LAN_A 1 I interface tunnel 1 no ip address ip tcp adjust mss auto tunnel mode ipsec ipv4 tunnel protection ipsec policy 1 1 interface ppp 0 ip address 10 10 20 1 32 no ip redirects ip tcp adjust mss auto ip access group in pppO in ip masquerade ip spi filter ppp username test2 centurysys password test2pass ipsec policy 1 1 interface ethernet 0 ip address 192 168 20 1 24 1 interface ethernet 1 no ip address pppoe client ppp 0 1 210 235 show config dns service enable 1 syslog local enable 1 1 system led ext 0 signal level mobile 0 ip route 192 168 10 0 24 tunnel 1 ip route 0 0 0 0 0 ppp 0 1 ip access list pppO in permit 10 10 10 1 10 10 20 1 udp 500 500 ip access list pppO in permit 10 10 10 1 10 10 20 1 50 1 ipsec access list LAN_A ip 192 168 20 0 24 192 168 10 0 24 1 1 end NXR C Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname NXR_C telnet server enable http server enable 1 ipv6 forwarding no fast forwarding enable 1 1 ipsec local policy 1 address ip self identity fqdn nxrc 1 ipsec isakmp policy 1 description NXR_A authentication pre share ipseckey2 hash sha1
253. ipsec access list LAN B ip 192 168 10 0 24 192 168 20 0 24 NXR A config itipsec generate rsa sig key 1024 RSA SIG KEY generating NXR A config itexit NXR_A show ipsec rsa pub key RSA public key 0sAQNe9Ghb4CNEaJully67aSxECLJDHhvndH1opuMs6P8yGiTNIcGeSOQ8XEy8iYTst2bv022XUxSt37 RhOR5IRiY1i83TXkQZbhnJDCNJv rtX aro745MbJ9auXT1L5tda4C54S7SELboAtU28sD3si0OwlzLW tE7yRUqLP4ZiiNMw NXR_A configure terminal Enter configuration commands one per line End with CNTL Z NXR A config tipsec local policy 1 NXR A config ipsec local ftaddress ip NXR A config ipsec local itself identity fqdn nxra NXR A config ipsec local itexit NXR A config fipsec isakmp policy 1 NXR A config ipsec isakmp ttdescription NXR B NXR _A config ipsec isakmp authentication rsa sig OSAQOx8kE6uhZTvWMikunsy3uK5 7j IkTXsCjQpgo4B X64UAVeuxFQZ3KG3bzyjmyCbpktOxEiU v1kF4AOAOXoDfgND KAdEky YWqQYzMuu uu2uy K6E9JA24NACufuqMqgGSXc51fJ 6V5Qi9YtVd7TWBkZQSZJJADBHs YyYD9Q NXR A config ipsec isakmp tthash sha1 NXR _A config ipsec isakmp encryption aes128 NXR A config ipsec isakmp ttgroup 5 NXR A config ipsec isakmp ttlifetime 10800 NXR A config ipsec isakmp ttisakmp mode main NXR _A config ipsec isakmp remote address ip 10 10 20 1 NXR A config ipsec isakmp ttremote identity fqdn nxrb NXR A config ipsec isakmp ttkeepalive 30 3 periodic restart NXR A config ipsec isakmp ttlocal policy 1 NXR A config ipsec isakmp ttexit NXR A config itipsec tunnel policy 1 NXR A config ipsec
254. ipsec policy 1 S IPsec NXR_B config tunnel ip tcp adjust mss auto TCP MSS TCP MSS TCP MSS TCP NXR_C s 1 5 PPPoE IPsec NXR_C 1 gt NXR_C config ip route 192 168 10 0 24 tunnel 1 IPsec IP IPsec IPsec NXR_A IPsec 1
255. iption B NXR A config ipsec isakmp ttauthentication pre share ipseckey1 NXR A config ipsec isakmp tthash sha1 NXR _A config ipsec isakmp encryption aes128 NXR A config ipsec isakmp ttgroup 5 NXR A config ipsec isakmp ttlifetime 10800 NXR A config ipsec isakmp ttisakmp mode main NXR _A config ipsec isakmp remote address 10 10 20 1 NXR A config ipsec isakmp ttkeepalive 30 3 periodic restart NXR A config ipsec isakmp ttlocal policy 1 NXR_A config ipsec isakmp exit NXR A config itipsec tunnel policy 1 NXR_A config ipsec tunnel description NXR B NXR A config ipsec tunnel itnegotiation mode auto NXR _A config ipsec tunnel set transform esp aes128 esp sha1 hmac NXR _A config ipsec tunnel set pfs group5 NXR _A config ipsec tunnel set sa lifetime 3600 NXR _A config ipsec tunnel set key exchange isakmp 1 NXR_A config ipsec tunnel match address LAN B NXR_A config ipsec tunnel exit NXR A config finterface tunnel 1 NXR A config tunnel tttunnel mode ipsec ipv4 NXR A config tunnel tttunnel protection ipsec policy 1 NXR A config tunnel ttip tcp adjust mss auto NXR A config tunnel ttexit NXR A config ifipsec isakmp policy 2 NXR A config ipsec isakmp ttdescription NXR C NXR A config ipsec isakmp ttauthentication pre share ipseckey2 NXR A config ipsec isakmp tthash sha1 NXR _A config ipsec isakmp encryption aes128 NXR A config ipsec isakmp ttgroup 5 NXR A config ipsec isakmp ttlifetime 10800 NXR A config ipsec isakm
256. itexit NXR_B save config 117 235 2 Route Based IPsec 2 7 IPsec NXR A 2 2 IP AggressiveMode NXR_A NXR B s 2 2 IP AggressiveMode NXR_B 1 lt Ping gt NXR_B config track 1 ip reachability 192 168 10 1 interface tunnel 1 10 3 Ping track No 1 IP 192 168 10 1 NXR_A Ethernet0 IP tunnell IP IP IP no ip address ifindex lo IP
257. kmp)#hash sha1
    NXR_C(config-ipsec-isakmp)#encryption aes128
    NXR_C(config-ipsec-isakmp)#group 5
    NXR_C(config-ipsec-isakmp)#lifetime 10800
    NXR_C(config-ipsec-isakmp)#isakmp-mode aggressive
    NXR_C(config-ipsec-isakmp)#remote address ip 10.10.10.1
    NXR_C(config-ipsec-isakmp)#keepalive 30 3 periodic restart
    NXR_C(config-ipsec-isakmp)#local policy 1
    NXR_C(config-ipsec-isakmp)#exit
    NXR_C(config)#ipsec tunnel policy 1
    NXR_C(config-ipsec-tunnel)#description NXR_A
    NXR_C(config-ipsec-tunnel)#negotiation-mode auto
    NXR_C(config-ipsec-tunnel)#set transform esp-aes128 esp-sha1-hmac
    NXR_C(config-ipsec-tunnel)#set pfs group5
    NXR_C(config-ipsec-tunnel)#set sa lifetime 3600
    NXR_C(config-ipsec-tunnel)#set key-exchange isakmp 1
    NXR_C(config-ipsec-tunnel)#match address LAN_A
    NXR_C(config-ipsec-tunnel)#exit
    NXR_C(config)#interface tunnel 1
    NXR_C(config-tunnel)#ip address 192.168.30.1/32
    NXR_C(config-tunnel)#tunnel mode ipsec ipv4
    NXR_C(config-tunnel)#tunnel protection ipsec policy 1
    NXR_C(config-tunnel)#ip tcp adjust-mss auto
    NXR_C(config-tunnel)#exit
    NXR_C(config)#interface ppp 0
    NXR_C(config-ppp)#ip address negotiated
    NXR_C(config-ppp)#ip masquerade
    NXR_C(config-ppp)#ip access-group in ppp0_in
    NXR_C(config-ppp)#ip spi-filter
    NXR_C(config-ppp)#ip tcp adjust-mss auto
    NXR_C(config-ppp)#no ip redirects
    NXR_C(config-ppp)#ppp authentication auto
    NXR_C(config-ppp)#ppp username test3@centurysys password test3pass
    NXR_C(config-ppp
258. luto XXXX tunnel1 1 10 10 30 1 2 IPsec SA established IESP gt 0x899ed286 lt 0xc5e28ab0 DPD ISAKMP SA established ISAKMP SA IPsec SA established IPsec SA IPsec gt lt gt pluto XXXX tunnel1 1 initiating Main Mode pluto XXXX Tunnel 1 max number of retransmissions 20 reached STATE 11 No response or no acceptable response to our first IKE message pluto XXXX tunnell 1 starting keying attempt 2 of an unlimited number pluto XXXX tunnel1 2 initiating Main Mode to replace 1 WAN IPsec UDP500 IPsec IPsec 169 235 IPsec gt
259. message NXR show tech support Zshow mobile lt N gt ap Zshow mobile N gt phone number show mobile lt N gt signal level lt N gt 233 235 0422 37 8926 10 00 AM 5 00 PM E mail support centurysys coJp FAX FAX 0422 55 3373 FAX 24 234 235 FutureNet NXR WXR IPsec Ver 1 1 0 2013 4
260. nable 1 1 ipsec local policy 1 address ip 1 ipsec isakmp policy 1 description NXR_A authentication pre share ipseckey hash sha1 encryption aes128 group 5 isakmp mode main remote address ip 10 10 10 1 local policy 1 1 I ipsec tunnel policy 1 description NXR_A set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 1 match address LAN_A 1 I interface ethernet 0 ip address 192 168 20 1 24 1 interface ethernet 1 ip address 10 10 20 1 24 ipsec policy 1 dns service enable 1 177 235 show config syslog local enable 1 1 I system led ext 0 signal level mobile 0 ip route 0 0 0 0 0 10 10 20 254 I ipsec access list LAN_A ip 192 168 20 0 24 192 168 10 0 24 1 1 end 178 235 show config 1 2 IP AggressiveMode NXR A Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname _ telnet server enable http server enable ipv6 forwarding no fast forwarding enable 1 1 ipsec local policy 1 address ip 1 ipsec isakmp policy 1 description NXR B authentication pre share ipseckey keepalive 30 3 periodic clear hash sha1 encryption aes128 group 5 isakmp mode aggressive remote address ip any remote identity fqdn nxrb local policy 1 1 I ipsec tunnel policy 1 descri
261. nel 1 1 NXR A config tunnel itip address 192 168 10 1 32 1 IP 192 168 10 1 32 OSPF s LAN EthernetO 4 IP 32 124 235 2 Route Based IPsec 2 8 IPsec OSPF NXR A config tunnel tttunnel mode ipsec ipv4 Route Based IPsec ipsec ipv4 NXR_A config tunnel tunnel protection ipsec policy 1 IPsec IPsec 1 ipsec policy 1 g IPsec NXR A config tunnel ttip tcp adju
262. nell 1 10 10 20 10 2 tunnell 1 10 10 20 10 2 Peer IP 10 10 20 10 port 50891 Tunnel Session ID 62277 48685 Remote Tunnel Session ID 8 1055 ignoring Vendor ID payload RFC 3947 ignoring Vendor ID payload 4df37928e9fc4fd1b3262170d515c662 ignoring Vendor ID payload 8f8d83826d246b6fc7a8a6a428c11de8 ignoring Vendor ID payload 439b59f8ba676c4c7737ae22eab8f582 ignoring Vendor ID payload 4d1e0e136deafa34c4f3ea9f02ec7285 ignoring Vendor ID payload 80d0bb3def54565ee84645d4c85ce3ee ignoring Vendor ID payload 9909b64eed937c6573de52ace952fa6b ignoring Vendor ID payload draft ietf ipsec nat t ike 03 ignoring Vendor ID payload draft ietf ipsec nat t ike 02 ignoring Vendor ID payload draft ietf ipsec nat t ike 02 n ignoring Vendor ID payload FRAGMENTATION 80000000 received Vendor ID payload Dead Peer Detection responding to Main Mode from unknown peer 10 10 20 10 received IPSEC INITIAL CONTACT delete old states sent MR3 ISAKMP SA established Dead Peer Detection RFC 3706 enabled responding to Quick Mode IPsec SA established ESP gt 0x026594af lt 0x44242e17 DPD charon 02 KNL interface ppp100 activated pppd XXXX local IP address 172 16 0 1 pppd XXXX remote IP address 172 16 0 11 L2TP IPsec XIPsec IPsec
263. net 0 NXR config if tip address 192 168 10 1 24 NXR config if itexit NXR config itip route 0 0 0 0 0 ppp 0 NXR config itip access list pppO in permit any 10 10 10 1 udp 500 500 NXR config tip access list pppO in permit any 10 10 10 1 50 NXR config itipsec local policy 1 NXR config ipsec local taddress ip NXR config ipsec local itexit NXR config ifipsec isakmp policy 1 NXR config ipsec isakmp description smartphone NXR config ipsec isakmp authentication pre share ipseckey NXR config ipsec isakmp hash sha1 NXR config ipsec isakmp encryption aes128 NXR config ipsec isakmp group 5 NXR config ipsec isakmp ttlifetime 86400 NXR config ipsec isakmp sakmp mode main NXR config ipsec isakmp ttremote address ip any NXR config ipsec isakmp itlocal policy 1 NXR config ipsec isakmp exit NXR config ipsec tunnel policy 1 NXR config ipsec tunnel description smartphone NXR config ipsec tunnel set transform esp aes128 esp sha1 hmac NXR config ipsec tunnel no set pfs NXR config ipsec tunnel set sa lifetime 28800 NXR config ipsec tunnel set key exchange isakmp 1 NXR config ipsec tunnel ttmatch protocol I2tp smartphone NXR config ipsec tunnel itexit NXR config ppp account username android01 password android01pass NXR config itppp account username ios01 password 01 NXR config ppp account username test1 centurysys password testlpass NXR config itaccess server profile 0 NXR config ras ppp username android01 ip 172 16 0 10 NXR c
264. net0 LAN OSPF Ethernet0 OSPF 2 lt IPsec gt NXR_A config ipsec access list LAN B ip 192 168 10 0 24 192 168 20 0 24 NXR A config itipsec access list LAN C ip 192 168 10 0 24 192 168 30 0 24 Policy Based IPsec IPsec IPsec ESP Route Based IPsec IPsec IKE 2 ID Lei Route Based IPsec ESP IPsec lt IPsec LAN B IP 192 168 10 0 24 IP 192 168 20 0 24 IPsec LAN C IP 192 168 10 0 24 IP 192 168 30 0 24 3 lt 1 gt NXR A config itinterface tun
265. nfig-ipsec-isakmp)#encryption aes128
    NXR_A(config-ipsec-isakmp)#group 5
    NXR_A(config-ipsec-isakmp)#lifetime 10800
    NXR_A(config-ipsec-isakmp)#isakmp-mode main
    NXR_A(config-ipsec-isakmp)#remote address ip 10.10.20.1
    NXR_A(config-ipsec-isakmp)#keepalive 30 3 periodic restart
    NXR_A(config-ipsec-isakmp)#local policy 1
    NXR_A(config-ipsec-isakmp)#exit
    NXR_A(config)#ipsec tunnel policy 1
    NXR_A(config-ipsec-tunnel)#description NXR_B
    NXR_A(config-ipsec-tunnel)#negotiation-mode auto
    NXR_A(config-ipsec-tunnel)#set transform esp-aes128 esp-sha1-hmac
    NXR_A(config-ipsec-tunnel)#set pfs group5
    NXR_A(config-ipsec-tunnel)#set sa lifetime 3600
    NXR_A(config-ipsec-tunnel)#set key-exchange isakmp 1
    NXR_A(config-ipsec-tunnel)#match address LAN_B
    NXR_A(config-ipsec-tunnel)#exit
    NXR_A(config)#interface tunnel 1
    NXR_A(config-tunnel)#ip address 192.168.10.1/32
    NXR_A(config-tunnel)#tunnel mode ipsec ipv4
    NXR_A(config-tunnel)#tunnel protection ipsec policy 1
    NXR_A(config-tunnel)#ip tcp adjust-mss auto
    NXR_A(config-tunnel)#exit
    NXR_A(config)#ipsec isakmp policy 2
    NXR_A(config-ipsec-isakmp)#description NXR_C
    NXR_A(config-ipsec-isakmp)#authentication pre-share ipseckey2
    NXR_A(config-ipsec-isakmp)#hash sha1
    NXR_A(config-ipsec-isakmp)#encryption aes128
    NXR_A(config-ipsec-isakmp)#group 5
    NXR_A(config-ipsec-isakmp)#lifetime 10800
    NXR_A(config-ipsec-isakmp)#isakmp-mode aggressive
    NXR_A(config-ipsec-isakmp)#remote address ip any
266. nfig ipsec isakmp ttisakmp mode aggressive 61 235 1 Policy Based IPsec 1 5 PPPoE IPsec 1 WAN IP IP NXR_C config ipsec isakmp remote address ip 10 10 10 1 NXR A WAN NXR A WAN IP 10 10 10 1 NXR C config ipsec isakmp ttkeepalive 30 3 periodic restart IKE KeepAlive DPD DPD Dead Peer Detection ISAKMP SA NXR WAN SA SA DPD NXR IPsec DPD 30 3 keepalive SA IKE
267. nfig-ipsec-tunnel)#description NXR_A
    NXR_C(config-ipsec-tunnel)#negotiation-mode auto
    NXR_C(config-ipsec-tunnel)#set transform esp-aes128 esp-sha1-hmac
    NXR_C(config-ipsec-tunnel)#set pfs group5
    NXR_C(config-ipsec-tunnel)#set sa lifetime 3600
    NXR_C(config-ipsec-tunnel)#set key-exchange isakmp 1
    NXR_C(config-ipsec-tunnel)#match address LAN_A
    NXR_C(config-ipsec-tunnel)#exit
    NXR_C(config)#interface tunnel 1
    NXR_C(config-tunnel)#tunnel mode ipsec ipv4
    NXR_C(config-tunnel)#tunnel protection ipsec policy 1
    NXR_C(config-tunnel)#ip tcp adjust-mss auto
    NXR_C(config-tunnel)#exit
    NXR_C(config)#interface ppp 0
    NXR_C(config-ppp)#ip address negotiated
    NXR_C(config-ppp)#ip masquerade
    NXR_C(config-ppp)#ip access-group in ppp0_in
    NXR_C(config-ppp)#ip spi-filter
    NXR_C(config-ppp)#ip tcp adjust-mss auto
    NXR_C(config-ppp)#no ip redirects
    NXR_C(config-ppp)#ppp authentication auto
    NXR_C(config-ppp)#ppp username test3@centurysys password test3pass
    NXR_C(config-ppp)#ipsec policy 1
    NXR_C(config-ppp)#exit
    NXR_C(config)#interface ethernet 1
    NXR_C(config-if)#no ip address
    NXR_C(config-if)#pppoe-client ppp 0
    NXR_C(config-if)#exit
    NXR_C(config)#dns
    NXR_C(config-dns)#service enable
    NXR_C(config-dns)#exit
    NXR_C(config)#exit
    NXR_C#save config
    104 235 2 Route Based IPsec 2 5 PPPoE IPsec NXR_A
268. nfig tunnel tunnel protection ipsec policy 1 IPsec IPsec 1 zo ipsec policy 1 S IPsec NXR_O config tunnel ip tcp adjust mss auto TCP MSS TCP MSS TCP MSS TCP LAN A LAN B LAN C IP 192 168 10 100 192 168 20 100 192 168 30 100 255 255 255 0 255 255 255 0 255 255 255 0 192 168 10 1 192 168 20 1 192 168 30 1 128 235 3 L2TP IPsec 3 L2TP IPsec 129 235 3 L2TP IPsec 3 1 L2TP IPsec 3 1 L2TP IPsec Android iOS L2TP IPsec
269. ntication pre share ipseckey keepalive 30 3 periodic clear hash shal encryption aes128 group 5 isakmp mode aggressive remote address ip any remote identity fqdn nxrb local policy 1 1 I ipsec tunnel policy 1 description NXR_B negotiation mode responder set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 1 match address LAN_B 1 I interface tunnel 1 no ip address ip tcp adjust mss auto tunnel mode ipsec ipv4 tunnel protection ipsec policy 1 1 interface ethernet 0 ip address 192 168 10 1 24 1 interface ethernet 1 ip address 10 10 10 1 24 ipsec policy 1 1 dns service enable 1 syslog local enable 1 Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 216 235 show config 1 system led ext 0 signal level mobile 0 ip route 192 168 20 0 24 tunnel 1 ip route 0 0 0 0 0 10 10 10 254 1 ipsec access list LAN_B ip 192 168 10 0 24 192 168 20 0 24 1 1 1 end NXR B Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname NXR_B telnet server enable http server enable ipv6 forwarding no fast forwarding enable 1 1 ipsec local policy 1 address ip self identity fqdn nxrb 1 I ipsec isakmp policy 1 description NXR_A authentication pre share ipseckey hash shal encryption aes128 group 5 isakmp mode aggressive remote address ip 10 10 10 1
270. ntury Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname _ telnet server enable http server enable ipv6 forwarding no fast forwarding enable 1 ipsec x509 enable ipsec x509 ca certificate nxr ipsec x509 certificate nxra ipsec x509 private key nxra key ipsec x509 private key nxra password nxrapass ipsec x509 crl nxr 1 ipsec local policy 1 address ip self identity dn C JP CN nxra E nxra example com x509 certificate nxra 1 ipsec isakmp policy 1 description NXR B authentication rsa sig hash sha1 encryption aes128 group 5 isakmp mode main remote address ip 10 10 20 1 remote identity dn C JP CN nxrb E nxrb example com local policy 1 1 ipsec tunnel policy 1 description set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 1 match address LAN_B 1 I interface ethernet 0 ip address 192 168 10 1 24 1 interface ethernet 1 ip address 10 10 10 1 24 ipsec policy 1 1 dns service enable 1 syslog local enable 1 185 235 1 system led ext 0 signal level mobile 0 ip route 0 0 0 0 0 10 10 10 254 I Es access list LAN B ip 192 168 10 0 24 192 168 20 0 24 1 end show config B Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname NXR_B telnet server enable http server enable 1 ipv6 forwarding no fast for
271. ny 10 10 10 1 50 IP ppp0_in IP 10 10 10 1 UDP 500 UDP 500 IP 10 10 10 1 50 ESP IP ppp0 s IP s UDP 500 50 ESP IPsec 5 lt 1 gt A config lipsec access list LAN B ip 192 168 10 0 24 192 168 20 0 24 NXR _A config ipsec access list LAN C ip 192 168 10 0 24 192 168 30 0 24 Policy Based IPsec IPsec IPsec ESP
272. ocal policy 1 address ip 1 ipsec isakmp policy 1 description NXR_B authentication pre share ipseckey1 hash sha1 encryption aes128 group 5 isakmp mode main remote address ip 10 10 20 1 local policy 1 1 ipsec isakmp policy 2 description NXR_C authentication pre share ipseckey2 keepalive 30 3 periodic clear hash sha1 encryption aes128 group 5 isakmp mode aggressive remote address ip any remote identity fqdn nxrc local policy 1 1 ipsec tunnel policy 1 description set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 1 match address LAN_B 1 ipsec tunnel policy 2 description NXR_C negotiation mode responder set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 2 match address LAN_C 1 I interface ppp 0 ip address 10 10 10 1 32 188 235 show config no ip redirects ip tcp adjust mss auto ip access group in pppO in ip masquerade ip spi filter ppp username test1 centurysys password testlpass ipsec policy 1 1 interface bridge 0 no ip address 1 interface ethernet 0 ip address 192 168 10 1 24 1 interface ethernet 1 no ip address pppoe client ppp 0 1 dns service enable 1 syslog local enable 1 1 I system led ext 0 signal level mobile 0 ip route 0 0 0 0 0 ppp 0 I ip access list pppO in permit any 10 10 10 1 udp 500 500 ip access list pppO in permit any 10 10 10 1 50 1 access list LAN B 1
273. onfig-ipsec-local)#address ip
    NXR_C(config-ipsec-local)#self-identity fqdn nxrc
    NXR_C(config-ipsec-local)#exit
    NXR_C(config)#ipsec isakmp policy 1
    NXR_C(config-ipsec-isakmp)#description NXR_A
    NXR_C(config-ipsec-isakmp)#authentication pre-share ipseckey2
    NXR_C(config-ipsec-isakmp)#hash sha1
    NXR_C(config-ipsec-isakmp)#encryption aes128
    NXR_C(config-ipsec-isakmp)#group 5
    NXR_C(config-ipsec-isakmp)#lifetime 10800
    NXR_C(config-ipsec-isakmp)#isakmp-mode aggressive
    NXR_C(config-ipsec-isakmp)#remote address ip 10.10.10.1
    NXR_C(config-ipsec-isakmp)#keepalive 30 3 periodic restart
    NXR_C(config-ipsec-isakmp)#local policy 1
    NXR_C(config-ipsec-isakmp)#exit
    NXR_C(config)#ipsec tunnel policy 1
    NXR_C(config-ipsec-tunnel)#description NXR_A
    NXR_C(config-ipsec-tunnel)#negotiation-mode auto
    NXR_C(config-ipsec-tunnel)#set transform esp-aes128 esp-sha1-hmac
    NXR_C(config-ipsec-tunnel)#set pfs group5
    NXR_C(config-ipsec-tunnel)#set sa lifetime 3600
    NXR_C(config-ipsec-tunnel)#set key-exchange isakmp 1
    NXR_C(config-ipsec-tunnel)#match address LAN
    NXR_C(config-ipsec-tunnel)#exit
    NXR_C(config)#interface ppp 0
    NXR_C(config-ppp)#ip address negotiated
    NXR_C(config-ppp)#ip masquerade
    NXR_C(config-ppp)#ip access-group in ppp0_in
    NXR_C(config-ppp)#ip spi-filter
    NXR_C(config-ppp)#ip tcp adjust-mss auto
    NXR_C(config-ppp)#no ip redirects
    NXR_C(config-ppp)#ppp authentication auto
    NXR_C(config-ppp)#ppp username test3@centurysys p
274. onfig)#ipsec x509 certificate nxrb ftp://192.168.20.10/nxrbCert.pem
    NXR_B(config)#ipsec x509 private-key nxrb key ftp://192.168.20.10/nxrbKey.pem
    NXR_B(config)#ipsec x509 private-key nxrb password nxrbpass
    NXR_B(config)#ipsec local policy 1
    NXR_B(config-ipsec-local)#address ip
    NXR_B(config-ipsec-local)#x509 certificate nxrb
    NXR_B(config-ipsec-local)#self-identity dn /C=JP/CN=nxrb/E=nxrb@example.com
    NXR_B(config-ipsec-local)#exit
    NXR_B(config)#ipsec isakmp policy 1
    NXR_B(config-ipsec-isakmp)#description NXR_A
    NXR_B(config-ipsec-isakmp)#authentication rsa-sig
    NXR_B(config-ipsec-isakmp)#hash sha1
    NXR_B(config-ipsec-isakmp)#encryption aes128
    NXR_B(config-ipsec-isakmp)#group 5
    NXR_B(config-ipsec-isakmp)#lifetime 10800
    NXR_B(config-ipsec-isakmp)#isakmp-mode main
    NXR_B(config-ipsec-isakmp)#remote address ip 10.10.10.1
    NXR_B(config-ipsec-isakmp)#remote identity dn /C=JP/CN=nxra/E=nxra@example.com
    NXR_B(config-ipsec-isakmp)#keepalive 30 3 periodic restart
    NXR_B(config-ipsec-isakmp)#local policy 1
    NXR_B(config-ipsec-isakmp)#exit
    NXR_B(config)#ipsec tunnel policy 1
    NXR_B(config-ipsec-tunnel)#description NXR_A
    NXR_B(config-ipsec-tunnel)#negotiation-mode auto
    NXR_B(config-ipsec-tunnel)#set transform esp-aes128 esp-sha1-hmac
    NXR_B(config-ipsec-tunnel)#set pfs group5
    NXR_B(config-ipsec-tunnel)#set sa lifetime 3600
    NXR_B(config-ipsec-tunnel)#set key-exchange isakmp 1
    NXR_B(config-ipsec-tunnel)#match address LAN
275. onfig ppp ipsec policy 1 ppp0 IP IP negotiated IP NAT IP ppp0 in in ppp0 NXR IP IPsec 1 IPsec 10 Ethernet1 gt NXR_A config interface ethernet 1 NXR A config iftno ip address NXR A config if ifpppoe client ppp 0 Ethernet PPPoE ppp0 11 DNS gt NXR A config tdns NXR_A dns config service enable DNS 63 235 1 Policy Based IPsec 1 5 PPPoE IPsec
276. onfig-ras)#exit
    NXR(config)#access-server profile 1
    NXR(config-ras)#ppp username ios01 ip 172.16.0.11
    NXR(config-ras)#exit
    NXR(config)#ip local pool smartphoneip address 172.16.0.10 172.16.0.11
    NXR(config)#interface virtual-template 0
    NXR(config-if-vt)#ip address 172.16.0.1/32
    NXR(config-if-vt)#ip tcp adjust-mss auto
    NXR(config-if-vt)#no ip redirects
    NXR(config-if-vt)#no ip rebound
    NXR(config-if-vt)#peer ip pool smartphoneip
    NXR(config-if-vt)#exit
    NXR(config)#l2tp udp source-port 1701
    NXR(config)#l2tp 1
    NXR(config-l2tp)#tunnel address any ipsec
    NXR(config-l2tp)#tunnel mode lns
    NXR(config-l2tp)#tunnel virtual-template 0
    NXR(config-l2tp)#exit
    Restarting l2tp service. Please wait
    NXR(config)#interface ppp 0
    NXR(config-ppp)#ip address 10.10.10.1/32
    NXR(config-ppp)#ip masquerade
    NXR(config-ppp)#ip access-group in ppp0_in
    NXR(config-ppp)#ip spi-filter
    NXR(config-ppp)#ip tcp adjust-mss auto
    NXR(config-ppp)#no ip redirects
    NXR(config-ppp)#ppp username test1@centurysys
    NXR(config-ppp)#ipsec policy 1
    NXR(config-ppp)#exit
    NXR(config)#interface ethernet 1
    NXR(config-if)#no ip address
    NXR(config-if)#pppoe-client ppp 0
    NXR(config-if)#exit
    NXR(config)#dns
    NXR(config-dns)#service enable
    NXR(config-dns)#exit
    NXR(config)#exit
    NXR#save config
    132 235 3 L2TP IPsec 3 1
277. p
    NXR(config-if-vt)#exit
    NXR(config)#l2tp udp source-port 1701
    NXR(config)#l2tp 1
    NXR(config-l2tp)#tunnel address any ipsec
    NXR(config-l2tp)#tunnel mode lns
    NXR(config-l2tp)#tunnel virtual-template 0
    NXR(config-l2tp)#exit
    Restarting l2tp service. Please wait
    NXR(config)#interface ppp 0
    NXR(config-ppp)#ip address 10.10.10.1/32
    NXR(config-ppp)#ip masquerade
    NXR(config-ppp)#ip access-group in ppp0_in
    NXR(config-ppp)#ip spi-filter
    NXR(config-ppp)#ip tcp adjust-mss auto
    NXR(config-ppp)#no ip redirects
    NXR(config-ppp)#ppp username test1@centurysys
    NXR(config-ppp)#ipsec policy 1
    NXR(config-ppp)#exit
    NXR(config)#interface ethernet 1
    NXR(config-if)#no ip address
    NXR(config-if)#pppoe-client ppp 0
    NXR(config-if)#exit
    NXR(config)#dns
    NXR(config-dns)#service enable
    NXR(config-dns)#exit
    NXR(config)#exit
    NXR#save config
    3 L2TP IPsec 3 2 L2TP IPsec CRT 150 235 3 L2TP IPsec 3 2 L2TP IPsec CRT 3 1 L2TP IPsec 1 lt 509 gt
    NXR(config)#ipsec x509 enable
    X 509
278. p)#isakmp-mode aggressive
    NXR_A(config-ipsec-isakmp)#remote address ip any
    NXR_A(config-ipsec-isakmp)#remote identity fqdn nxrc
    NXR_A(config-ipsec-isakmp)#keepalive 30 3 periodic clear
    NXR_A(config-ipsec-isakmp)#local policy 1
    NXR_A(config-ipsec-isakmp)#exit
    NXR_A(config)#ipsec tunnel policy 2
    NXR_A(config-ipsec-tunnel)#description NXR_C
    NXR_A(config-ipsec-tunnel)#negotiation-mode responder
    NXR_A(config-ipsec-tunnel)#set transform esp-aes128 esp-sha1-hmac
    NXR_A(config-ipsec-tunnel)#set pfs group5
    NXR_A(config-ipsec-tunnel)#set sa lifetime 3600
    NXR_A(config-ipsec-tunnel)#set key-exchange isakmp 2
    NXR_A(config-ipsec-tunnel)#match address LAN_C
    NXR_A(config-ipsec-tunnel)#exit
    NXR_A(config)#interface tunnel 2
    NXR_A(config-tunnel)#tunnel mode ipsec ipv4
    NXR_A(config-tunnel)#tunnel protection ipsec policy 2
    NXR_A(config-tunnel)#ip tcp adjust-mss auto
    NXR_A(config-tunnel)#exit
    NXR_A(config)#interface ppp 0
    NXR_A(config-ppp)#ip address 10.10.10.1/32
    NXR_A(config-ppp)#ip masquerade
    NXR_A(config-ppp)#ip access-group in ppp0_in
    NXR_A(config-ppp)#ip spi-filter
    NXR_A(config-ppp)#ip tcp adjust-mss auto
    NXR_A(config-ppp)#no ip redirects
    NXR_A(config-ppp)#ppp authentication auto
    NXR_A(config-ppp)#ppp username test1@centurysys password test1pass
    NXR_A(config-ppp)#ipsec policy 1
    NXR_A(config-ppp)#exit
    NXR
279. p)#local policy 1
    NXR_A(config-ipsec-isakmp)#exit
    NXR_A(config)#ipsec tunnel policy 1
    NXR_A(config-ipsec-tunnel)#description NXR_B
    NXR_A(config-ipsec-tunnel)#negotiation-mode responder
    NXR_A(config-ipsec-tunnel)#set transform esp-aes128 esp-sha1-hmac
    NXR_A(config-ipsec-tunnel)#set pfs group5
    NXR_A(config-ipsec-tunnel)#set sa lifetime 3600
    NXR_A(config-ipsec-tunnel)#set key-exchange isakmp 1
    NXR_A(config-ipsec-tunnel)#match address LAN_B
    NXR_A(config-ipsec-tunnel)#exit
    NXR_A(config)#interface tunnel 1
    NXR_A(config-tunnel)#tunnel mode ipsec ipv4
    NXR_A(config-tunnel)#tunnel protection ipsec policy 1
    NXR_A(config-tunnel)#ip tcp adjust-mss auto
    NXR_A(config-tunnel)#exit
    NXR_A(config)#interface ethernet 1
    NXR_A(config-if)#ip address 10.10.10.1/24
    NXR_A(config-if)#ipsec policy 1
    NXR_A(config-if)#exit
    NXR_A(config)#exit
    NXR_A#save config
    116 235 2 Route Based IPsec 2 7 IPsec NXR B
    nxr120#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    nxr120(config)#hostname NXR_B
    NXR_B(config)#interface ethernet 0
    NXR_B(config-if)#ip address 192.168.20.1/24
    NXR_B(config-if)#exit
    NXR_B(config)#ip route 192.168.10.0/24 tunnel 1
    NXR_B(config)#track 1 ip reachability 192.168.10.1 interface tunnel 1 10 3
    NXR_B(config)#ipsec access-list LAN_A ip 192.168.20.0/24 192.168.10.0/24
280. pp)#exit
    NXR_A(config)#interface ethernet 1
    NXR_A(config-if)#no ip address
    NXR_A(config-if)#pppoe-client ppp 0
    NXR_A(config-if)#exit
    NXR_A(config)#dns
    NXR_A(config-dns)#service enable
    NXR_A(config-dns)#exit
    NXR_A(config)#exit
    NXR_A#save config
    NXR B
    nxr120#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    nxr120(config)#hostname NXR_B
    NXR_B(config)#interface ethernet 0
    NXR_B(config-if)#ip address 192.168.20.1/24
    NXR_B(config-if)#exit
    NXR_B(config)#router ospf
    NXR_B(config-router)#router-id 172.31.0.2
    NXR_B(config-router)#network 192.168.20.0/24 area 0
    NXR_B(config-router)#passive-interface ethernet 0
    NXR_B(config-router)#exit
    NXR_B(config)#ip route 0.0.0.0/0 ppp 0
    NXR_B(config)#ip access-list ppp0_in permit 10.10.10.1 10.10.20.1 udp 500 500
    NXR_B(config)#ip access-list ppp0_in permit 10.10.10.1 10.10.20.1 50
    NXR_B(config)#ipsec access-list LAN_A ip 192.168.20.0/24 192.168.10.0/24
    NXR_B(config)#ipsec local policy 1
    NXR_B(config-ipsec-local)#address ip
    NXR_B(config-ipsec-local)#exit
    NXR_B(config)#ipsec isakmp policy 1
    NXR_B(config-ipsec-isakmp)#description NXR_A
    NXR_B(config-ipsec-isakmp)#authentication pre-share ipseckey1
    NXR_B(config-ipsec-isakmp)#hash sha1
    NXR_B(config-ipsec-isakmp)#encryption aes128
    NXR_B(config-ipsec-isakmp)#group 5
    121 235 2 Route Based IPsec 2 8 IPsec
281. psec-local)#address ip
    NXR_B(config-ipsec-local)#exit
    NXR_B(config)#ipsec isakmp policy 1
    NXR_B(config-ipsec-isakmp)#description NXR_A
    NXR_B(config-ipsec-isakmp)#authentication pre-share ipseckey
    NXR_B(config-ipsec-isakmp)#hash sha1
    NXR_B(config-ipsec-isakmp)#encryption aes128
    NXR_B(config-ipsec-isakmp)#group 5
    NXR_B(config-ipsec-isakmp)#lifetime 10800
    NXR_B(config-ipsec-isakmp)#isakmp-mode main
    NXR_B(config-ipsec-isakmp)#remote address ip 10.10.10.1
    NXR_B(config-ipsec-isakmp)#keepalive 30 3 periodic restart
    NXR_B(config-ipsec-isakmp)#local policy 1
    NXR_B(config-ipsec-isakmp)#exit
    NXR_B(config)#ipsec tunnel policy 1
    NXR_B(config-ipsec-tunnel)#description NXR_A
    NXR_B(config-ipsec-tunnel)#negotiation-mode auto
    NXR_B(config-ipsec-tunnel)#set transform esp-aes128 esp-sha1-hmac
    NXR_B(config-ipsec-tunnel)#set pfs group5
    NXR_B(config-ipsec-tunnel)#set sa lifetime 3600
    NXR_B(config-ipsec-tunnel)#set key-exchange isakmp 1
    NXR_B(config-ipsec-tunnel)#match address LAN_A
    NXR_B(config-ipsec-tunnel)#exit
    NXR_B(config)#interface ethernet 1
    NXR_B(config-if)#ip address 10.10.20.1/24
    NXR_B(config-if)#ipsec policy 1
    NXR_B(config-if)#exit
    NXR_B(config)#exit
    NXR_B#save config
    11 235 1 Policy Based IPsec 1 1 IP MainMode NXR A 1 lt gt nxr120 config
282. psec x509 certificate nxrb ftp://192.168.20.10/nxrbCert.pem
    NXR_B(config)#ipsec x509 private-key nxrb key ftp://192.168.20.10/nxrbKey.pem
    NXR_B(config)#ipsec x509 private-key nxrb password nxrbpass
    NXR_B(config)#ipsec local policy 1
    NXR_B(config-ipsec-local)#address ip
    NXR_B(config-ipsec-local)#x509 certificate nxrb
    NXR_B(config-ipsec-local)#self-identity dn /C=JP/CN=nxrb/E=nxrb@example.com
    NXR_B(config-ipsec-local)#exit
    NXR_B(config)#ipsec isakmp policy 1
    NXR_B(config-ipsec-isakmp)#description NXR_A
    NXR_B(config-ipsec-isakmp)#authentication rsa-sig
    NXR_B(config-ipsec-isakmp)#hash sha1
    NXR_B(config-ipsec-isakmp)#encryption aes128
    NXR_B(config-ipsec-isakmp)#group 5
    NXR_B(config-ipsec-isakmp)#lifetime 10800
    NXR_B(config-ipsec-isakmp)#isakmp-mode main
    NXR_B(config-ipsec-isakmp)#remote address ip 10.10.10.1
    NXR_B(config-ipsec-isakmp)#remote identity dn /C=JP/CN=nxra/E=nxra@example.com
    NXR_B(config-ipsec-isakmp)#keepalive 30 3 periodic restart
    NXR_B(config-ipsec-isakmp)#local policy 1
    NXR_B(config-ipsec-isakmp)#exit
    NXR_B(config)#ipsec tunnel policy 1
    NXR_B(config-ipsec-tunnel)#description NXR_A
    NXR_B(config-ipsec-tunnel)#negotiation-mode auto
    NXR_B(config-ipsec-tunnel)#set transform esp-aes128 esp-sha1-hmac
    NXR_B(config-ipsec-tunnel)#set pfs group5
    NXR_B(config-ipsec-tunnel)#set sa lifetime 3600
    NXR_B(config-ipsec-tunnel)#set key-exchange isakmp 1
    NXR_B(config-ipsec-tunnel)#match address LAN_A
283. ption NXR_B negotiation mode responder set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 1 match address LAN_B 1 I interface ethernet 0 ip address 192 168 10 1 24 1 interface ethernet 1 ip address 10 10 10 1 24 ipsec policy 1 dns service enable 1 syslog local enable 1 1 I system led ext 0 signal level mobile 0 1 1 1 179 235 show config ip route 0 0 0 0 0 10 10 10 254 I ipsec access list LAN_B ip 192 168 10 0 24 192 168 20 0 24 1 1 1 end NXR B Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname NXR_B telnet server enable http server enable 1 ipv6 forwarding no fast forwarding enable 1 1 ipsec local policy 1 address ip self identity fqdn nxrb 1 ipsec isakmp policy description NXR_A authentication pre share ipseckey hash shal encryption aes128 group 5 isakmp mode aggressive remote address ip 10 10 10 1 local policy 1 1 ipsec tunnel policy 1 description NXR_A set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 1 match address LAN_A 1 I interface ethernet 0 ip address 192 168 20 1 24 1 interface ethernet 1 ip address dhcp ipsec policy 1 dns service enable 180 235 1 syslog local enable 1 1 I system led ext 0 signal level mobile 0 psec access list LAN_A ip 192 168 20 0 24 192
284. r profile 0 ppp username android01 ip 172 16 0 10 1 access server profile 1 ppp username ios01 ip 172 16 0 11 1 1 system led ext 0 signal level mobile 0 ip route 0 0 0 0 0 ppp 0 1 ip local pool smartphoneip address 172 16 0 10 172 16 0 11 1 ip access list pppO in permit any 10 10 10 1 udp 500 500 ip access list pppO in permit 10 10 10 1 50 1 end show config 228 235 show config 3 3 L2TP IPsec NAT Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname NXR telnet server enable http server enable ipv6 forwarding no fast forwarding enable I ppp account username android01 password android01pass ppp account username ios01 password ios01pass ppp account username test1 centurysys password testlpass 1 ipsec nat traversal enable 1 I2tp source port 1701 1 I2tpv3 udp source port 40001 1 ipsec local policy 1 address ip 1 ipsec isakmp policy 1 description smartphone authentication pre share ipseckey hash sha1 encryption aes128 group 5 lifetime 86400 isakmp mode main remote address ip any local policy 1 1 ipsec tunnel policy 1 description smartphone set transform esp aes128 esp sha1 hmac no set pfs set key exchange isakmp 1 set sa lifetime 28800 match protocol l2tp sm
285. re ipseckey2 keepalive 30 3 periodic clear hash sha1 encryption aes128 group 5 isakmp mode aggressive remote address ip any remote identity fqdn nxrc local policy 1 1 ipsec tunnel policy 1 description set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 1 match address LAN_B 1 ipsec tunnel policy 2 description NXR_C negotiation mode responder set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 2 match address LAN_G 1 I interface tunnel 1 ip address 192 168 10 1 32 219 235 ip tcp adjust mss auto tunnel mode ipsec ipv4 tunnel protection ipsec policy 1 1 interface tunnel 2 ip address 192 168 10 1 32 ip tcp adjust mss auto tunnel mode ipsec ipv4 tunnel protection ipsec policy 2 1 interface ppp 0 ip address 10 10 10 1 32 no ip redirects ip tcp adjust mss auto ip access group in pppO in ip masquerade ip spi filter ppp username test1 centurysys password testlpass ipsec policy 1 1 interface ethernet 0 ip address 192 168 10 1 24 1 interface ethernet 1 no ip address pppoe client ppp 0 1 router ospf router id 172 31 0 1 network 192 168 10 0 24 area 0 passive interface ethernet 0 1 dns service enable 1 syslog local enable 1 1 I system led ext 0 signal level mobile 0 ip route 0 0 0 0 0 ppp 0 I ip access list pppO in permit any 10 10 10 1 udp 500 500 ip access list pppO in permit 10 10 10 1 50 1 es access list LAN B ip 192 16
286. rk 192 168 30 0 24 area 0 passive interface ethernet 0 1 dns service enable 1 syslog local enable 1 1 I system led ext 0 signal level mobile 0 e route 0 0 0 0 0 ppp 0 1 ip access list pppO in permit 10 10 10 1 any udp 500 500 ip access list pppO in permit 10 10 10 1 any 50 1 ee access list LAN A ip 192 168 30 0 24 192 168 10 0 24 1 show config 223 235 show config end 224 235 show config 3 1 L2TP IPsec Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname NXR telnet server enable http server enable ipv6 forwarding no fast forwarding enable I ppp account username android01 password android01pass ppp account username ios01 password ios01pass ppp account username test1 centurysys password testlpass 1 I I2tp source port 1701 1 Il2tpv3 udp source port 40001 1 ipsec local policy 1 address ip 1 ipsec isakmp policy 1 description smartphone authentication pre share ipseckey hash sha1 encryption aes128 group 5 lifetime 86400 isakmp mode main remote address ip any local policy 1 1 ipsec tunnel policy 1 description smartphone set transform esp aes128 esp sha1 hmac no set pfs set key exchange isakmp 1 set sa lifetime 28800 match protocol 2tp smartphone 1
287. ss ip NXR A config ipsec local itself identity fqdn nxra NXR A config ipsec local itexit NXR A config fipsec isakmp policy 1 NXR A config ipsec isakmp ttdescription B NXR _A config ipsec isakmp authentication rsa sig OSAQOx8kE6uhZTvWMikunsy3uK5 7j IkTXsCjQpgo4B X64UAVeuxFQZ3KG3bzyjmyCbpktOxEiU v1kF4AOAOXoDfgND KAdEky YWqQYzMuu uu2uy K6E9JA24NACufuqMqggGSXc51fJ 6V5Qi9YtVd7TWBkZQSZJJADBHs YyYD9Q NXR A config ipsec isakmp tthash sha1 NXR _A config ipsec isakmp encryption aes128 NXR A config ipsec isakmp ttgroup 5 NXR A config ipsec isakmp ttlifetime 10800 NXR A config ipsec isakmp ttisakmp mode main NXR _A config ipsec isakmp remote address 10 10 20 1 NXR A config ipsec isakmp ttremote identity fqdn nxrb NXR A config ipsec isakmp ttkeepalive 30 3 periodic restart NXR A config ipsec isakmp ttlocal policy 1 NXR_A config ipsec isakmp exit NXR A config itipsec tunnel policy 1 NXR_A config ipsec tunnel description NXR B NXR A config ipsec tunnel itnegotiation mode auto NXR _A config ipsec tunnel set transform esp aes128 esp sha1 hmac NXR _A config ipsec tunnel set pfs group5 NXR A config ipsec tunnelDtset sa lifetime 3600 NXR _A config ipsec tunnel set key exchange isakmp 1 NXR_A config ipsec tunnel match address LAN B NXR_A config ipsec tunnel exit NXR A config finterface tunnel 1 NXR A config tunnel tttunnel mode ipsec ipv4 NXR A config tunnel tttunnel protection ipsec policy 1 NXR A config tunnel itip tcp
288. st mss auto TCP MSS TCP MSS TCP MSS TCP 4 lt 2 gt NXR A config itinterface tunnel 2 2 NXR A config tunnel ttip address 192 168 10 1 32 2 IP 192 168 10 1 32 2 IP NXR A config tunnel tttunnel mode ipsec ipv4 Route Based IPsec ipsec ipv4 NXR A config tunnel tttunnel protection ipsec policy 2 IPsec IPsec 2 ipsec policy 2 IPsec
289. t IPsec gt NXR_B config ipsec access list LAN A ip 192 168 20 0 24 192 168 10 0 24 Policy Based IPsec IPsec IPsec ESP Route Based IPsec IPsec IKE 2 ID sr Route Based IPsec ESP IPsec lt IPsec LAN_A IP 192 168 20 0 24 IP 192 168 10 0 24 3 lt gt NXR B config itinterface tunnel 1 1 NXR B config tunnel tttunnel mode ipsec ipv4 Route Based IPsec ipsec ipv4 NXR _B config tunnel tunnel protection ipsec policy 1 IPsec
290. t RA CA X 509 IKE 1 LAN A 192 168 10 0 24 LAN_B 192 168 20 0 24 T NXR B MEME 10 10 10 254 10 10 20 254 Eth1 Eth0 192 168 10 100 we 10 1 10 10 10 1 10 10 20 1 192 168 20 1 192 168 20 100 Route Based IPsec Policy Based IPsec RIPv1 v2 0SPF BGP 1 4 X 509 94 235 2 Route Based IPsec 2 4 X 509 NXR A nxr120 configure terminal Enter configuration commands one per line End with CNTL Z nxr120 config hostname NXR A NXR A config itinterface ethernet 0 NXR A config if itip address 192 168 10 1 24 NXR A config if itexit NXR A config itip route 192 168 20 0 24 tunnel 1 NXR A config
291. te 192 168 10 0 24 tunnel 1 NXR B config itip route 0 0 0 0 0 192 168 120 254 NXR B config itipsec access list LAN A ip 192 168 20 0 24 192 168 10 0 24 NXR B config itipsec nat traversal enable restart ipsec service to take affect NXR B config itipsec local policy 1 NXR B config ipsec local ftaddress ip NXR B config ipsec local itself identity fqdn nxrb NXR _B config ipsec local exit NXR B config fipsec isakmp policy 1 NXR B config ipsec isakmp ttdescription NXR A _B config ipsec isakmp authentication pre share ipseckey B config ipsec isakmp tthash sha1 NXR _B config ipsec isakmp encryption aes128 NXR B config ipsec isakmp ttgroup 5 NXR B config ipsec isakmp ttisakmp mode aggressive NXR _B config ipsec isakmp remote address 10 10 10 1 NXR B config ipsec isakmp ttkeepalive 30 3 periodic restart NXR B config ipsec isakmp ttlocal policy 1 NXR B config ipsec isakmp ttexit NXR B config itipsec tunnel policy 1 NXR _B config ipsec tunnel description NXR A NXR B config ipsec tunnel itnegotiation mode auto NXR B config ipsec tunnel itset transform esp aes128 esp sha1 hmac NXR _B config ipsec tunnel set pfs group5 NXR _B config ipsec tunnel set key exchange isakmp 1 NXR B config ipsec tunnel ttmatch address LAN A NXR _B config ipsec tunnel exit NXR B config finterface tunnel 1 NXR B config tunnel tino ip address NXR B config tunnel tttunnel mode ipsec ipv4 NXR B config tunnel fttunnel protection ipsec
292. telnet server enable http server enable ipv6 forwarding no fast forwarding enable 1 ipsec nat traversal enable 1 ipsec local policy 1 address ip self identity fqdn nxrb 1 I ipsec isakmp policy 1 description NXR_A authentication pre share ipseckey hash shal encryption aes128 group 5 214 235 isakmp mode aggressive remote address ip 10 10 10 1 local policy 1 1 ipsec tunnel policy 1 description NXR_A set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 1 match address LAN_A 1 I interface tunnel 1 no ip address ip tcp adjust mss auto tunnel mode ipsec ipv4 tunnel protection ipsec policy 1 1 interface ethernet 0 ip address 192 168 20 1 24 1 interface ethernet 1 ip address 192 168 120 1 24 ipsec policy 1 dns service enable 1 syslog local enable 1 1 I system led ext 0 signal level mobile 0 ip route 192 168 10 0 24 tunnel 1 ip route 0 0 0 0 0 192 168 120 254 1 E access list LAN A ip 192 168 20 0 24 192 168 10 0 24 1 1 end show config 215 235 show config 2 7 IPsec NXR A hostname NXR_A telnet server enable http server enable ipv6 forwarding no fast forwarding enable 1 1 ipsec local policy 1 address ip 1 ipsec isakmp policy 1 description NXR B authe
293. thentication rsa sig 0sAQNe9Ghb4CNEaJully67aSxECLJD HhvndH1opuMs6P8yGiTNIcGeSOQ8XEy8iYTst2bv022XUxSt37RhOR5IRiY1i83TXkQZbhnJDCNJv rt X aro745MbJ9auXT1L5tda4C54S7SELboAtU28sD3si0OwlzLWtE7yRUqLP4ZiiNMw NXR B config ipsec isakmp tthash sha1 NXR _B config ipsec isakmp encryption aes128 NXR B config ipsec isakmp ttgroup 5 NXR B config ipsec isakmpj ttlifetime 10800 NXR B config ipsec isakmp ttisakmp mode main NXR _B config ipsec isakmp remote address ip 10 10 10 1 NXR B config ipsec isakmp ttremote identity fqdn nxra NXR B config ipsec isakmp ttkeepalive 30 3 periodic restart NXR B config ipsec isakmp ttlocal policy 1 NXR B config ipsec isakmp ttexit NXR B config tipsec tunnel policy 1 NXR B config ipsec tunnel itdescription NXR A NXR B config ipsec tunnel itnegotiation mode auto NXR B config ipsec tunnel itset transform esp aes128 esp sha1 hmac NXR _B config ipsec tunnel set pfs group5 NXR _B config ipsec tunnel set sa lifetime 3600 NXR _B config ipsec tunnel set key exchange isakmp 1 NXR_B config ipsec tunnel match address LAN A NXR _B config ipsec tunnel exit NXR B config finterface tunnel 1 NXR B config tunnel tttunnel mode ipsec ipv4 NXR B config tunnel tttunnel protection ipsec policy 1 NXR B config tunnel ttip tcp adjust mss auto NXR _B config tunnel exit NXR B config itinterface ethernet 1 NXR B config if itip address 10 10 20 1 24 NXR B config if itipsec policy 1 NXR B config if itexit NXR B config itexit
294. tion authentication pre share ipseckey keepalive 30 3 periodic clear hash shal encryption aes128 group 5 isakmp mode aggressive remote address ip any remote identity fqdn nxrb local policy 1 1 I ipsec tunnel policy 1 description NXR_B negotiation mode responder set transform esp aes128 esp sha1 hmac set pfs group5 set key exchange isakmp 1 match address LAN_B 1 I interface tunnel 1 no ip address ip tcp adjust mss auto tunnel mode ipsec ipv4 tunnel protection ipsec policy 1 1 interface ppp 0 ip address 10 10 10 1 32 no ip redirects ip tcp adjust mss auto ip access group in pppO in ip masquerade ip spi filter ppp username test1 centurysys password testlpass ipsec policy 1 1 interface ethernet 0 ip address 192 168 10 1 24 Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 213 235 show config interface ethernet 1 no ip address pppoe client ppp 0 1 dns service enable 1 syslog local enable 1 1 system led ext 0 signal level mobile 0 ip route 192 168 20 0 24 tunnel 1 ip route 0 0 0 0 0 ppp 0 1 ip access list pppO in permit any 10 10 10 1 udp any 500 ip access list pppO in permit 10 10 10 1 udp any 4500 1 bsec access list LAN_B ip 192 168 10 0 24 192 168 20 0 24 1 1 end NXR B Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname NXR_B
295. tip address 192 168 10 1 24 NXR A config if itexit NXR A config itip route 192 168 20 0 24 tunnel 1 NXR A config itip route 0 0 0 0 0 ppp 0 NXR A config itip access list pppO in permit any 10 10 10 1 udp any 500 NXR A config itip access list pppO in permit any 10 10 10 1 udp 4500 NXR A config ifipsec access list LAN B ip 192 168 10 0 24 192 168 20 0 24 NXR A config itipsec nat traversal enable restart ipsec service to take affect NXR A config tipsec local policy 1 NXR A config ipsec local ftaddress ip NXR A config ipsec local itexit NXR A config ifipsec isakmp policy 1 NXR A config ipsec isakmp ttdescription B NXR A config ipsec isakmp ttauthentication pre share ipseckey NXR A config ipsec isakmp tthash sha1 NXR _A config ipsec isakmp encryption aes128 NXR A config ipsec isakmp ttgroup 5 NXR A config ipsec isakmp ttlifetime 10800 NXR A config ipsec isakmp ttisakmp mode aggressive NXR A config ipsec isakmp ttremote address ip any NXR A config ipsec isakmp ttremote identity fqdn nxrb NXR A config ipsec isakmp ttkeepalive 30 3 periodic clear NXR A config ipsec isakmp ttlocal policy 1 NXR_A config ipsec isakmp exit NXR A config itipsec tunnel policy 1 NXR_A config ipsec tunnel description NXR B NXR _A config ipsec tunnel negotiation mode responder NXR _A config ipsec tunnel set transform esp aes128 esp sha1 hmac NXR _A config ipsec tunnel set pfs group5 NXR _A config ipsec tunnel set sa lifetime 3600 N
296. tip tcp adjust mss auto TCP MSS NXR config ppp no ip redirects ICMP NXR config ppp ppp username test1 centurysys PPPoE ID PPP test1 centurysys NXR config ppp ipsec policy 1 137 235 3 L2TP IPsec 3 1 L2TP IPsec IPsec 1 IPsec 15 lt ethernet1 gt NXR config itinterface ethernet 1 ethernet NXR config if itno ip address ethernet IP PPPoE IP PPP PPPoE IP NXR config i pppoe client ppp
297. tnegotiation mode auto NXR A config ipsec tunnel itset transform esp aes128 esp sha1 hmac NXR _A config ipsec tunnel set pfs group5 NXR _A config ipsec tunnel set sa lifetime 3600 NXR A config ipsec tunnel itset key exchange isakmp 1 NXR _A config ipsec tunnel match address LAN B NXR _A config ipsec tunnel exit NXR A config finterface tunnel 1 NXR A config tunnel tttunnel mode ipsec ipv4 NXR A config tunnel tttunnel protection ipsec policy 1 NXR A config tunnel ttip tcp adjust mss auto NXR _A config tunnel exit NXR A config itinterface ethernet 1 NXR A config if itip address 10 10 10 1 24 NXR A config if itipsec policy 1 NXR A config if itexit NXR A config itexit NXR_A save config 95 235 2 Route Based IPsec 2 4 X 509 NXR B nxr120 configure terminal Enter configuration commands one per line End with CNTL Z nxr120 config hostname NXR B NXR B config itinterface ethernet 0 NXR B config if itip address 192 168 20 1 24 NXR B config if itexit NXR B config itip route 192 168 10 0 24 tunnel 1 NXR B config itip route 0 0 0 0 0 10 10 20 254 B config itipsec access list LAN A ip 192 168 20 0 24 192 168 10 0 24 NXR B config itipsec x509 enable B config itipsec x509 ca certificate nxr ftp 192 168 20 10 nxrCA pem NXR B config itipsec x509 crl nxr ftp 192 168 20 10 nxrCRL pem NXR B c
298. warding enable 1 ipsec x509 enable ipsec x509 ca certificate nxr ipsec x509 certificate nxrb ipsec x509 private key nxrb key ipsec x509 private key nxrb password nxrbpass ipsec x509 crl nxr 1 ipsec local policy 1 address ip self identity dn C JP CN nxrb E nxrb example com x509 certificate nxrb 1 1 ipsec isakmp policy 1 description NXR_A authentication rsa sig hash sha1 encryption aes128 group 5 isakmp mode main remote address ip 10 10 10 1 remote identity dn C JP CN nxra E nxra example com local policy 1 1 1 ipsec tunnel policy 1 description NXR_A set transform esp aes128 esp sha1 hmac 186 235 set pfs group5 set key exchange isakmp 1 match address LAN A 1 I interface ethernet 0 ip address 192 168 20 1 24 1 interface ethernet 1 ip address 10 10 20 1 24 ipsec policy 1 1 dns service enable 1 syslog local enable 1 1 system led ext 0 signal level mobile 0 ip route 0 0 0 0 0 10 10 20 254 I ipsec access list LAN_A ip 192 168 20 0 24 192 168 10 0 24 1 1 end zo AE show config 187 235 show config 1 5 PPPoE IPsec NXR A Century Systems NXR 120 Series ver 5 22 2 build 29 16 42 01 02 2013 1 hostname _ telnet server enable http server enable ipv6 forwarding no fast forwarding enable 1 1 ipsec l
299. xit NXR_A save config 19 235 1 Policy Based IPsec 1 2 IP AggressiveMode NXR B nxr120 configure terminal Enter configuration commands one per line End with CNTL Z nxr120 config hostname NXR B NXR B config itinterface ethernet 0 NXR B config if itip address 192 168 20 1 24 NXR B config if itexit NXR B config itipsec access list LAN A ip 192 168 20 0 24 192 168 10 0 24 NXR B config itipsec local policy 1 NXR B config ipsec local ftaddress ip NXR B config ipsec local ttself identity fqdn nxrb NXR B config ipsec local ttexit NXR B config fipsec isakmp policy 1 NXR _B config ipsec isakmp description NXR A _B config ipsec isakmp authentication pre share ipseckey NXR B config ipsec isakmp tthash sha1 NXR _B config ipsec isakmp encryption aes128 NXR B config ipsec isakmp ttgroup 5 NXR B config ipsec isakmp ttisakmp mode aggressive NXR B config ipsec isakmp itremote address 10 10 10 1 NXR B config ipsec isakmp ttkeepalive 30 3 periodic restart NXR B config ipsec isakmp ttlocal policy 1 NXR B config ipsec isakmp ttexit NXR B config itipsec tunnel policy 1 NXR B config ipsec tunnel itdescription NXR A NXR B config ipsec tunnel itnegotiation mode auto NXR B config ipsec tunnel itset transform esp aes128 esp sha1 hmac NXR _B config ipsec tunnel set pfs group5 NXR _B config ipsec tunnel set key exchange
300. xr120 configure terminal Enter configuration commands one per line End with CNTL Z nxr120 config hostname NXR A NXR A config itinterface ethernet 0 NXR A config if itip address 192 168 10 1 24 NXR A config if itexit NXR A config itip route 0 0 0 0 0 10 10 10 254 NXR A config ifipsec access list LAN B ip 192 168 10 0 24 192 168 20 0 24 NXR A config itipsec x509 enable NXR A config itipsec x509 ca certificate nxr ftp 192 168 10 10 nxrCA pem NXR A config itipsec x509 crl nxr ftp 192 168 10 10 nxrCRL pem NXR A config itipsec x509 certificate nxra ftp 192 168 10 10 nxraCert pem NXR_A config ipsec x509 private key nxra key ftp 192 168 10 10 nxraKey pem NXR A config itipsec x509 private key nxra password nxrapass NXR A config itipsec local policy 1 NXR A config ipsec local ftaddress ip NXR A config ipsec local itx509 certificate nxra NXR A config ipsec local itself identity dn C JP CN nxra E nxra example com NXR A config ipsec local itexit NXR A config fipsec isakmp policy 1 NXR A config ipsec isakmp ttdescription B NXR _A config ipsec isakmp authentication rsa sig NXR A config ipsec isakmp tthash sha1 NXR _A config ipsec isakmp encryption aes128 NXR A config ipsec isakmp ttgroup 5 NXR A config ipsec isakmp ttlifetime 10800 NXR A config ipsec isakmp ttisakmp mode main NXR _A config ipsec isakmp remote address 10 10 20 1 NXR A config ipsec isakmp itremote identity dn C JP CN nxrb E nxrb example com NXR A
