
Cisco SAN-OS VPN Configuration

Scenario 1: Storage-to-Router with preshared secrets

The following is a typical storage-to-router VPN that uses a preshared secret for authentication.

    |                                                          |
    |-+------------+     /-^-^-^-^--\     +-----------+        |
    | | MDS System |=====| Internet |=====| Gateway B |--------|
    | +------------+     \--v-v-v-v-/   BW+-----------+BL      |
    |                                                          |

MDS System is connected to Gateway B through the Internet. MDS System's WAN (Internet) interface has the address . Gateway B connects the internal LAN to the Internet. Gateway B's WAN (Internet) interface has the address . Gateway B's LAN interface address, , can be used for testing IPsec but is not needed for configuring MDS System.

The IKE Phase 1 parameters used in Scenario 1 are:

  * Main mode
  * TripleDES
  * SHA-1
  * MODP group 2 (1024 bits)
  * pre-shared secret of "hr5xb84l6aa9r6"
  * SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying

The IKE Phase 2 parameters used in Scenario 1 are:

  * TripleDES
  * SHA-1
  * ESP tunnel mode
  * MODP group 2 (1024 bits)
  * Perfect forward secrecy for rekeying
  * SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
  * Selectors for all IP protocols, all ports, between  and , using IPv4 subnets

To set up MDS System for this scenario, use the following steps.

This configuration assumes Cisco SAN-OS 2.0(1), which supports IPsec on the "2x1GE IPS, 14x1/2Gbps FC Module/Supervisor". All configuration changes are volatile and take effect immediately; they are saved to flash, and reloaded after a reboot, only when the "copy running-config startup-config" command is executed. At any time, you may examine the running configuration with the command "show running-configuration", or view the saved configuration with the command "show startup-config". Most commands can be abbreviated. Use a ? at the prompt or in a command to see the available options.

To configure IPsec for the scenario shown in the figure above, follow these steps:

1. Enable IKE and IPsec in MDS System.

    MDS# config term
    MDS(config)# crypto ike enable
    MDS(config)# crypto ipsec enable

2. Configure IKE in MDS System.

    MDS(config)# crypto ike domain ipsec
    MDS(config-ike-ipsec)# key hr5xb84l6aa9r6 address
    MDS(config-ike-ipsec)# initiator version 1 address
    MDS(config-ike-ipsec)# policy 1
    MDS(config-ike-ipsec-policy)# encryption 3des
    MDS(config-ike-ipsec-policy)# hash sha
    MDS(config-ike-ipsec-policy)# group 2
    MDS(config-ike-ipsec-policy)# lifetime seconds 28800
    MDS(config-ike-ipsec-policy)# end
    MDS#

3. Configure the ACL in MDS System.

    MDS# conf t
    MDS(config)# ip access-list acl1 permit ip

4. Configure the transform set in MDS System.

    MDS(config)# crypto transform-set domain ipsec tfs-02 esp-3des esp-sha1-hmac

5. Configure the crypto map in MDS System.

    MDS(config)# crypto map domain ipsec cmap-01 1
    MDS(config-crypto-map-ip)# match address acl1
    MDS(config-crypto-map-ip)# set peer
    MDS(config-crypto-map-ip)# set transform-set tfs-02
    MDS(config-crypto-map-ip)# set security-association lifetime seconds 3600
    MDS(config-crypto-map-ip)# set pfs group2
    MDS(config-crypto-map-ip)# end
    MDS#

6. Bind the interface to the crypto map set in MDS System. (The 2x1GE IPS, 14x1/2Gbps FC Module is in slot 7 of MDS A, and GigE 7/1 is connected to the Internet.)

    MDS# conf t
    MDS(config)# int gigabitethernet 7/1
    MDS(config-if)# ip addr
    MDS(config-if)# crypto map domain ipsec cmap-01
    MDS(config-if)# no shut
    MDS(config-if)# exit
    MDS(config)#

7. Configure the route in MDS System.

    MDS(config)# ip route
    MDS(config)# exit
    MDS#

8. Verify the configuration in MDS System.

    MDS# show crypto global domain ipsec security-association lifetime
    Security Association Lifetime: 450 gigabytes/3600 seconds

    MDS# show crypto map domain ipsec
    Crypto Map cmap-01 1 ipsec
      Peer =
      IP ACL = acl1
        permit ip
      Transform-sets: tfs-02,
      Security Association Lifetime: 450 gigabytes/3600 seconds
      PFS (Y/N): Y
      PFS Group: group2
    Interface using crypto map set cmap-01:
      GigabitEthernet7/1

    MDS# show crypto transform-set domain ipsec
    Transform set: tfs-02 {esp-3des esp-sha1-hmac}
      will negotiate {tunnel}

    MDS# show crypto spd domain ipsec
    Policy Database for interface: GigabitEthernet7/1, direction: Both
    #   0: deny udp any port eq 500 any
    #   1: deny udp any any port eq 500
    #   2: permit ip
    # 127: deny ip any any

    MDS# show crypto sad domain ipsec
    interface: GigabitEthernet7/1
      Crypto map tag: cmap-01, local addr.
      protected network:
      local ident (addr/mask): (
      remote ident (addr/mask): (
      current_peer:
      local crypto endpt.: , remote crypto endpt.:
      mode: tunnel, crypto algo: esp-3des, auth algo: esp-sha1-hmac
      tunnel id is: 1
      current outbound spi: 0x900b01e (151040030), index: 0
        lifetimes in seconds:: 3600
        lifetimes in bytes:: 4718592000
      current inbound spi: 0x38fe700e (956198926), index: 0
        lifetimes in seconds:: 3600
        lifetimes in bytes:: 4718592000

    MDS# show crypto ike domain ipsec key
    key hr5xb84l6aa9r6 address

    MDS# show crypto ike domain ipsec policy
    Priority 1, auth pre-shared, lifetime 28800 secs, encryption 3des, hash sha, DH group 2

    MDS# show crypto ike domain ipsec sa
    Tunn  Local Addr  Remote Addr  Encr  Hash  Auth Method    Lifetime
    -------------------------------------------------------------------
    1*    [500]       [500]        3des  sha   preshared key  28800
    -------------------------------------------------------------------
    NOTE: tunnel id ended with * indicates an IKEv1 tunnel
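As an added verification aid (not part of the original Cisco document), the following Python script parses the "show crypto ike domain ipsec policy" and "show crypto map domain ipsec" output shown in the verification step and reports any drift from the Scenario 1 parameters; the sample output, and the 192.0.2.10 peer address in it, are constructed for the example.

```python
import re

# Scenario 1 parameters as stated on this page: IKE policy 1 and crypto map cmap-01.
EXPECTED_IKE = {"auth": "pre-shared", "lifetime": 28800, "encryption": "3des", "hash": "sha", "dh_group": 2}
EXPECTED_MAP = {"transform_set": "tfs-02", "sa_seconds": 3600, "pfs": "Y", "pfs_group": "group2"}

IKE_RE = re.compile(r"Priority (\d+), auth (\S+), lifetime (\d+) secs, encryption (\S+), hash (\S+), DH group (\d+)")

def parse_ike_policies(text):
    """Parse 'show crypto ike domain ipsec policy' output into {priority: params}."""
    out = {}
    for prio, auth, life, enc, hsh, grp in IKE_RE.findall(text):
        out[int(prio)] = {"auth": auth, "lifetime": int(life), "encryption": enc, "hash": hsh, "dh_group": int(grp)}
    return out

def parse_crypto_map(text):
    """Pull the Phase 2 settings out of 'show crypto map domain ipsec' output (None if a field is absent)."""
    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None
    secs = grab(r"Security Association Lifetime: \d+ gigabytes/(\d+) seconds")
    return {"transform_set": grab(r"Transform-sets:\s*([^,\s]+)"), "sa_seconds": int(secs) if secs else None,
            "pfs": grab(r"PFS \(Y/N\): (\w)"), "pfs_group": grab(r"PFS Group: (\S+)")}

def check_scenario(ike_text, map_text, policy_priority=1):
    """Return mismatches between device output and Scenario 1 (an empty list means the config matches)."""
    policy = parse_ike_policies(ike_text).get(policy_priority)
    if policy is None:
        return [f"IKE policy {policy_priority} not present"]
    problems = [f"IKE {k}: got {policy[k]!r}, expected {v!r}" for k, v in EXPECTED_IKE.items() if policy[k] != v]
    actual = parse_crypto_map(map_text)
    problems += [f"crypto map {k}: got {actual[k]!r}, expected {v!r}" for k, v in EXPECTED_MAP.items() if actual[k] != v]
    return problems

# Constructed sample output modelled on the page's listings; the peer address is an RFC 5737 placeholder.
SAMPLE_IKE = "Priority 1, auth pre-shared, lifetime 28800 secs, encryption 3des, hash sha, DH group 2\n"
SAMPLE_MAP = """Crypto Map cmap-01 1 ipsec
  Peer = 192.0.2.10
  IP ACL = acl1
  Transform-sets: tfs-02,
  Security Association Lifetime: 450 gigabytes/3600 seconds
  PFS (Y/N): Y
  PFS Group: group2
"""

if __name__ == "__main__":
    print(check_scenario(SAMPLE_IKE, SAMPLE_MAP) or "configuration matches Scenario 1")
```

The expected tables encode exactly what the page configures; 3DES, SHA-1 and DH group 2 are legacy choices by current standards, so in practice the tables would be updated together with the policy.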