Tunnel IPSEC
USER GUIDE 241
set ipsec phase1 MAIN exchange-mode main
set ipsec phase1 MAIN local-end eth0
set ipsec phase1 MAIN remote-end 10.10.100.39
set ipsec phase1 MAIN encryption-algorithm 3des
set ipsec phase1 MAIN hash-algorithm sha1
set ipsec phase1 MAIN dh-group 2
set ipsec phase1 MAIN authentication-method pre_shared_key
set ipsec phase2 ACL_1 match-phase1 MAIN
set ipsec phase2 ACL_1 encryption-algorithm 3des
set ipsec phase2 ACL_1 authentication-algorithm hmac_md5
set ipsec phase2 ACL_1 pfs-group 2
set ipsec phase2 ACL_1 mode tunnel
set ipsec phase2 ACL_1 security esp
set ipsec phase2 ACL_1 level unique
set ipsec phase2 ACL_1 local-subnet 192.168.1.0/24
set ipsec phase2 ACL_1 remote-subnet 192.168.100.0/24
set ipsec phase2 ACL_2 match-phase1 MAIN
set ipsec phase2 ACL_2 encryption-algorithm 3des
set ipsec phase2 ACL_2 authentication-algorithm hmac_md5
set ipsec phase2 ACL_2 pfs-group 2
set ipsec phase2 ACL_2 mode tunnel
set ipsec phase2 ACL_2 security esp
set ipsec phase2 ACL_2 level unique
set ipsec phase2 ACL_2 local-subnet 192.168.2.0/24
set ipsec phase2 ACL_2 remote-subnet 192.168.100.0/24
set ipsec pre-shared-key 10.10.100.39 tiesseadm
set ipsec on
The password for the authentication on the VPN (pre-shared key) is specified by commands like:
set ipsec pre-shared-key 10.10.100.39 tiesseadm
This command specifies both the classical IP/password definition and user/password authentication, and is also suitable for Group authentication or Xauth (Extended Authentication).
For example:
set ipsec pre-shared-key 10.10.100.39 tiesseadm
set ipsec pre-shared-key EASY_VPN tiesseadm
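The Phase I / Phase II binding through labels, together with the subnet and algorithm parameters shown above, can be checked mechanically before a configuration is loaded. The following Python is an added example, not part of the guide or of the router firmware: it assumes only the "set ipsec phase1/phase2 LABEL key value" line shape used above, works on a constructed sample configuration, and reports a Phase II whose match-phase1 has no Phase I definition, a missing subnet, and legacy algorithm choices.

```python
import re
from collections import defaultdict

# Constructed sample in the guide's "set ipsec ..." syntax: ACL_2 references a
# phase1 label that is never defined and omits its remote-subnet on purpose.
SAMPLE_CONFIG = """
set ipsec phase1 MAIN encryption-algorithm 3des
set ipsec phase1 MAIN dh-group 2
set ipsec phase1 MAIN authentication-method pre_shared_key
set ipsec phase2 ACL_1 match-phase1 MAIN
set ipsec phase2 ACL_1 encryption-algorithm 3des
set ipsec phase2 ACL_1 authentication-algorithm hmac_md5
set ipsec phase2 ACL_1 local-subnet 192.168.1.0/24
set ipsec phase2 ACL_1 remote-subnet 192.168.100.0/24
set ipsec phase2 ACL_2 match-phase1 BRANCH
set ipsec phase2 ACL_2 local-subnet 192.168.2.0/24
set ipsec pre-shared-key 10.10.100.39 tiesseadm
set ipsec on
"""

LINE_RE = re.compile(r"^set ipsec (phase1|phase2) (\S+) (\S+) (\S+)$")
# Values worth flagging in a review: DES/3DES, MD5-based integrity, DH groups 1-2.
WEAK = {"encryption-algorithm": {"des", "3des"}, "hash-algorithm": {"md5"},
        "authentication-algorithm": {"hmac_md5"}, "dh-group": {"1", "2"}, "pfs-group": {"1", "2"}}

def parse_ipsec(text):
    """Group 'set ipsec phaseN LABEL key value' lines into {phase: {label: {key: value}}}."""
    cfg = {"phase1": defaultdict(dict), "phase2": defaultdict(dict)}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            phase, label, key, value = m.groups()
            cfg[phase][label][key] = value
    return cfg

def audit_ipsec(text):
    """Return sorted findings: dangling match-phase1, missing subnets, weak parameters."""
    cfg = parse_ipsec(text)
    findings = []
    for label, p2 in cfg["phase2"].items():
        ref = p2.get("match-phase1")
        if ref not in cfg["phase1"]:
            findings.append(f"phase2 {label}: match-phase1 {ref!r} has no phase1 definition")
        for key in ("local-subnet", "remote-subnet"):
            if key not in p2:
                findings.append(f"phase2 {label}: missing {key}")
    findings += [f"{ph} {lb}: weak {k} {v}" for ph in cfg for lb, ps in cfg[ph].items()
                 for k, v in ps.items() if v in WEAK.get(k, ())]
    return sorted(findings)
```

Running audit_ipsec(SAMPLE_CONFIG) yields six findings; a Phase II that omits match-phase1 altogether is reported as referencing None.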
A simple example follows to show the advantage of giving the Phase I and Phase II sections meaningful labels; in the example two simultaneous IPSec VPNs towards two different endpoints are instantiated, and it is clear how each Phase II is bound unambiguously to the right Phase I:
set ipsec phase1 NewYork_Plant exchange-mode main