Enable Or Disable Ike; Set Global Lifetimes For Ipsec Security Associations; Define Transform Sets; Create Client Related Mode Configuration (Remote Access Vpn) - Motorola WS5100 Series Migration Guide

4. Click Ok to return to the Configuration screen.
5. Click Apply to save the new pre-shared key.
6. You must then set up the pre-shared key of test12345 on the client. Refer to the client's documentation for information on adding an IKE Pre-shared key.

3.4.3.3 Enable or Disable IKE

IKE is enabled by default. IKE does not have to be enabled for individual interfaces, but is enabled globally for all interfaces at the switch. For this example we will leave IKE enabled.
NOTE: The following information is not needed to complete the IPSec VPN use case outlined above, but contains additional information on IPSec VPN configuration that may be useful in your implementation.

3.4.4 Set Global Lifetimes for IPSec Security Associations

You can change the global lifetime values that are used when negotiating new IPSec security associations. (These global lifetime values can be overridden for a particular crypto map entry.) These lifetimes apply only to security associations established via IKE; manually established security associations do not expire.
There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. A security association expires as soon as the first of these lifetimes is reached. The default lifetimes are 3600 seconds (one hour) and 4,608,000 kilobytes (10 megabytes per second for one hour).
If you change a global lifetime, the new value is not applied to currently existing security associations; it is used only in the negotiation of subsequently established security associations. If you want the new values to take effect immediately, you can clear all or part of the security association database.

3.4.5 Define Transform Sets

A transform set represents a certain combination of security protocols and algorithms. During the IPSec security association negotiation, the peers agree to use a particular transform set for protecting the data flow. With manually established security associations there is no negotiation with the peer, so both sides must specify the same transform set.
If you change a transform set definition, the change applies only to crypto map entries that reference the transform set. It is not applied to existing security associations, but is used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command.
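The rules in 3.4.4 and 3.4.5 are easy to misread in operation (an operator shortens a lifetime or swaps a transform set and wonders why the running tunnels are unchanged). The following Python model is an added example written for this page, not Motorola WS5100 code or CLI: it encodes that an IKE-negotiated SA expires at the first of its timed or traffic-volume lifetime, that manual SAs need an identical transform set on both sides and never expire, that changed global values or transform sets reach only SAs negotiated afterwards, and that clearing the SA database (modelling clear crypto sa) forces renegotiation under the current values. The class names, peer addresses, transform-set labels and the first-common-set selection rule are all assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_SECONDS = 3600          # default timed lifetime from the page (one hour)
DEFAULT_KILOBYTES = 4_608_000   # default traffic-volume lifetime from the page


@dataclass(frozen=True)
class TransformSet:
    """A named combination of security protocols and algorithms."""
    name: str
    algorithms: frozenset   # constructed labels such as "esp-aes", "esp-sha-hmac"


@dataclass
class SecurityAssociation:
    peer: str
    transform: TransformSet
    established_at: float
    lifetime_seconds: Optional[int]     # None marks a manual SA (never expires)
    lifetime_kilobytes: Optional[int]
    kilobytes_sent: int = 0

    def expired(self, now: float) -> bool:
        if self.lifetime_seconds is None:       # manually established SA
            return False
        timed_out = now - self.established_at >= self.lifetime_seconds
        volume_out = self.kilobytes_sent >= self.lifetime_kilobytes
        return timed_out or volume_out          # first lifetime reached wins


class IpsecPolicy:
    """Global lifetimes and the SA database of one hypothetical switch."""

    def __init__(self) -> None:
        self.lifetime_seconds = DEFAULT_SECONDS
        self.lifetime_kilobytes = DEFAULT_KILOBYTES
        self.sa_db: List[SecurityAssociation] = []

    def set_global_lifetime(self, seconds=None, kilobytes=None) -> None:
        # New values reach only SAs negotiated after this call.
        if seconds is not None:
            self.lifetime_seconds = seconds
        if kilobytes is not None:
            self.lifetime_kilobytes = kilobytes

    def negotiate(self, peer, local_sets, peer_sets, now):
        # IKE negotiation (assumed rule): first locally preferred set the peer offers too.
        for ts in local_sets:
            if ts in peer_sets:
                sa = SecurityAssociation(peer, ts, now,
                                         self.lifetime_seconds, self.lifetime_kilobytes)
                self.sa_db.append(sa)
                return sa
        return None                             # no common transform set: no SA

    def manual_sa(self, peer, local_set, peer_set, now):
        # No negotiation: both sides must specify the identical transform set.
        if local_set != peer_set:
            return None
        sa = SecurityAssociation(peer, local_set, now, None, None)
        self.sa_db.append(sa)
        return sa

    def clear_sa(self, peer=None) -> None:
        # Models "clear crypto sa": drop every SA, or only those to one peer,
        # so the next negotiation picks up the current global values.
        self.sa_db = [sa for sa in self.sa_db if peer is not None and sa.peer != peer]

    def active(self, now):
        return [sa for sa in self.sa_db if not sa.expired(now)]


def demo():
    strong = TransformSet("strong", frozenset({"esp-aes", "esp-sha-hmac"}))
    legacy = TransformSet("legacy", frozenset({"esp-des", "esp-md5-hmac"}))
    pol = IpsecPolicy()
    # 1. Negotiation settles on the only set both peers share.
    sa1 = pol.negotiate("10.0.0.2", [strong, legacy], [legacy], now=0)
    # 2. Shorten the global timed lifetime; sa1 keeps its original 3600 s.
    pol.set_global_lifetime(seconds=600)
    old_still_alive = not sa1.expired(now=1800)
    # 3. A subsequently negotiated SA is bound by the new 600 s lifetime.
    sa2 = pol.negotiate("10.0.0.3", [strong], [strong, legacy], now=1800)
    new_expired = sa2.expired(now=2400)
    # 4. The traffic-volume lifetime ends an SA before its timer does.
    sa1.kilobytes_sent = DEFAULT_KILOBYTES
    volume_expired = sa1.expired(now=1801)
    # 5. Manual SAs require identical sets on both sides and never expire.
    mismatch = pol.manual_sa("10.0.0.4", strong, legacy, now=0)
    manual = pol.manual_sa("10.0.0.4", strong, strong, now=0)
    manual.kilobytes_sent = 10 * DEFAULT_KILOBYTES
    manual_alive = not manual.expired(now=10 ** 9)
    # 6. Clearing one peer's SAs makes the renegotiated SA use current values.
    pol.clear_sa(peer="10.0.0.2")
    sa3 = pol.negotiate("10.0.0.2", [strong, legacy], [legacy], now=3000)
    return {"sa1_set": sa1.transform.name, "old_still_alive": old_still_alive,
            "new_expired": new_expired, "volume_expired": volume_expired,
            "manual_mismatch_rejected": mismatch is None, "manual_alive": manual_alive,
            "sa3_lifetime": sa3.lifetime_seconds, "db_size": len(pol.sa_db)}


if __name__ == "__main__":
    print(demo())
```

Step 2 and step 3 together are the point the page makes: after set_global_lifetime the database still holds an SA with the old lifetime, and only a cleared or freshly negotiated SA carries the new one, which is why an operator who wants a tightened lifetime enforced now has to clear the SA database rather than just change the global value.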

3.4.6 Create Client Related Mode Configuration (Remote Access VPN)

When the client initiates a connection with the VPN server on our switch, the "conversation" that occurs between the peers consists of device authentication via Internet Key Exchange (IKE), followed by user authentication using IKE Extended Authentication (Xauth), pushing client-related configuration (using Mode Configuration), and IPsec security association (SA) creation.
An overview of this process is as follows:
1. The client attempts to establish an IKE SA between its public IP address and the public IP address of the switch where the VPN server is running.
3-23
Use Cases