Configure IPSec Encryption Tasks - Computer Network - Lecture Slides, Slides of Computer Networks

Configure IPSec Encryption Tasks, Prepare for IKE and IPSec, Configure IKE, Configure IPSec, Test and Verify IPSec, Minimize misconfiguration, IKE Policy, Determine IPSec and many other topics of Computer Network can be found in my documents.

Typology: Slides

2011/2012

Uploaded on 11/09/2012

bacha

Configure IPSec Encryption Tasks

Tasks to Configure IPSec Encryption

Task 1—Prepare for IKE and IPSec.
Task 2—Configure IKE.
Task 3—Configure IPSec.
Task 4—Test and Verify IPSec.

Steps to Complete

Task 1—Prepare for IPSec

Step 1—Determine IKE (IKE phase one) policy.
Step 2—Determine IPSec (IKE phase two) policy.
Step 3—Check the current configuration.
    show running-configuration
    show crypto isakmp policy
    show crypto map
Step 4—Ensure the network works without encryption.
    ping
Step 5—Ensure access lists are compatible with IPSec.
    show access-lists

Step 1—Determine IKE (IKE Phase One) Policy

Goal: Minimize misconfiguration

Determine the following policy details:
    Key distribution method
    Authentication method
    IPSec peer IP addresses and hostnames
    IKE phase 1 policies for all peers
        Encryption algorithm
        Hash algorithm
        IKE SA lifetime

IKE Policy Example

[Figure: Site 1 (RouterA, E0/1 172.30.1., hosts 10.0.1.) connected via the Internet to Site 2 (RouterB, E0/1 172.30.2., hosts 10.0.2.)]

Parameter               Site 1             Site 2
Encryption Algorithm    DES                DES
Hash Algorithm          MD                 MD
Authentication Method   Pre-shared keys    Pre-shared keys
Key Exchange            768-bit D-H        768-bit D-H
IKE SA Lifetime         86400 seconds      86400 seconds
Peer IP Address         172.30.2.          172.30.1.

Step 2—Determine IPSec (IKE Phase Two) Policy

Goal: Minimize misconfiguration

Determine the following policy details:
    IPSec algorithms and parameters for optimal security and performance
    Transforms and, if necessary, transform sets
    IPSec peer details
    IP address and applications of hosts to be protected
    Manual or IKE-initiated SAs

IPSec Policy Example

Parameter                               Site 1             Site 2
Peer IP address                         172.30.2.          172.30.1.
Peer hostname                           RouterB            RouterA
Traffic (packet) type to be encrypted   TCP                TCP
Transform set                           ESP-DES, Tunnel    ESP-DES, Tunnel
Policy SA establishment                 ipsec-isakmp       ipsec-isakmp
Hosts to be encrypted                   10.0.1.            10.0.2.

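The two policy tables above only help if both sides end up with the same values, which is exactly where misconfiguration creeps in. The following Python is an added example, not code from the slides or from Cisco: it models the phase 1 and phase 2 parameters of two peers as small records, reports the fields on which they disagree, checks that the two crypto ACLs are mirror images, and renders one peer's IKE policy as `crypto isakmp policy` lines. The site values, the keyword mappings and the "bad" variants are constructed for illustration.

```python
from dataclasses import dataclass, fields

# IOS keywords for the human-readable values used in the policy tables
# (assumed mapping; only the values this example needs are listed).
DH_GROUP = {"768-bit D-H": "1", "1024-bit D-H": "2"}
ENCRYPTION = {"DES": "des", "3DES": "3des"}
HASH = {"MD5": "md5", "SHA": "sha"}
AUTH = {"Pre-shared keys": "pre-share", "RSA signatures": "rsa-sig"}


@dataclass(frozen=True)
class IkePolicy:            # IKE phase 1 parameters of one peer
    encryption: str
    hash_alg: str
    authentication: str
    key_exchange: str
    lifetime: int           # IKE SA lifetime in seconds


@dataclass(frozen=True)
class IpsecPolicy:          # IKE phase 2 parameters of one peer
    transform_set: str      # e.g. "ESP-DES, Tunnel"
    sa_establishment: str   # "ipsec-isakmp" (IKE-initiated) or "ipsec-manual"
    protected: tuple        # (local subnet, remote subnet) selected by the crypto ACL


def differing_fields(a, b):
    """Names of the fields on which two policy records disagree."""
    return [f.name for f in fields(a) if getattr(a, f.name) != getattr(b, f.name)]


def phase1_problems(local, remote):
    """Encryption, hash, authentication and D-H group must be identical on
    both peers or phase 1 fails.  A lifetime difference is only a warning:
    IOS negotiates the shorter of the two lifetimes."""
    diffs = differing_fields(local, remote)
    errors = [f for f in diffs if f != "lifetime"]
    warnings = ["lifetime"] if "lifetime" in diffs else []
    return errors, warnings


def phase2_problems(local, remote):
    """Transform set and SA establishment method must match, and the crypto
    ACLs must be mirror images: the traffic one side sends is what the
    other side expects to receive."""
    errors = [f for f in differing_fields(local, remote) if f != "protected"]
    if remote.protected != tuple(reversed(local.protected)):
        errors.append("protected (crypto ACLs are not mirror images)")
    return errors


def ike_policy_commands(policy, priority=10):
    """Render one peer's IKE phase 1 policy as IOS configuration lines."""
    return [
        f"crypto isakmp policy {priority}",
        f" encryption {ENCRYPTION[policy.encryption]}",
        f" hash {HASH[policy.hash_alg]}",
        f" authentication {AUTH[policy.authentication]}",
        f" group {DH_GROUP[policy.key_exchange]}",
        f" lifetime {policy.lifetime}",
    ]


# Constructed values modelled on the slide's two-site layout (not a real
# deployment).  The SITE2_*_BAD records show typical mistakes the checks catch.
SITE1_IKE = IkePolicy("DES", "MD5", "Pre-shared keys", "768-bit D-H", 86400)
SITE2_IKE = IkePolicy("DES", "MD5", "Pre-shared keys", "768-bit D-H", 86400)
SITE2_IKE_BAD = IkePolicy("DES", "SHA", "Pre-shared keys", "768-bit D-H", 3600)

SITE1_IPSEC = IpsecPolicy("ESP-DES, Tunnel", "ipsec-isakmp", ("10.0.1.0/24", "10.0.2.0/24"))
SITE2_IPSEC = IpsecPolicy("ESP-DES, Tunnel", "ipsec-isakmp", ("10.0.2.0/24", "10.0.1.0/24"))
SITE2_IPSEC_BAD = IpsecPolicy("ESP-DES, Tunnel", "ipsec-isakmp", ("10.0.1.0/24", "10.0.2.0/24"))

if __name__ == "__main__":
    print("phase 1:", phase1_problems(SITE1_IKE, SITE2_IKE_BAD))
    print("phase 2:", phase2_problems(SITE1_IPSEC, SITE2_IPSEC_BAD))
    print("\n".join(ike_policy_commands(SITE1_IKE, 110)))
```

Run it as a script to see the mismatch reports and the rendered policy. The lifetime is treated as a warning rather than an error because a lifetime difference does not break phase 1 on IOS, whereas any difference in the other four parameters does.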

Identify IPSec Peers

Cisco Router
Remote user with Cisco Secure VPN Client
Other vendor's IPSec peers
Cisco Routers
Cisco Secure PIX Firewall
CA server

Step 3—Check Current Configuration (cont.)

show crypto map
View any configured crypto maps.

router# show crypto map
Crypto Map "mymap" 10 ipsec-isakmp
        Peer = 172.30.2.2
        Extended IP access list 102
            access-list 102 permit ip host 172.30.1.2 host 172.30.2.
        Current peer: 172.30.2.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ mine, }
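Reading `show crypto map` by eye is fine for one entry, but before adding configuration to a router that already has crypto maps it helps to know which sequence numbers are taken, whether an entry already targets the peer, and which entries lack PFS or a transform set. The Python below is an added example (not from the slides or from Cisco) that parses output in the format shown above into records and runs those checks. The sample output is constructed: the peer addresses are completed for illustration and the second entry is invented to show several sequence numbers.

```python
import re

# Constructed "show crypto map" output modelled on the slide's format.
SAMPLE_SHOW_CRYPTO_MAP = """\
Crypto Map "mymap" 10 ipsec-isakmp
        Peer = 172.30.2.2
        Extended IP access list 102
            access-list 102 permit ip host 172.30.1.2 host 172.30.2.2
        Current peer: 172.30.2.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ mine, }
Crypto Map "mymap" 20 ipsec-isakmp
        Peer = 172.30.3.2
        Extended IP access list 103
            access-list 103 permit ip host 172.30.1.2 host 172.30.3.2
        Current peer: 172.30.3.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): Y
        Transform sets={ mine, strong, }
"""

# Each crypto map entry starts with a header line; the indented lines that
# follow belong to it until the next header.
HEADER = re.compile(r'^Crypto Map "(?P<name>[^"]+)" (?P<seq>\d+) (?P<kind>ipsec-isakmp|ipsec-manual)')
FIELDS = {
    "peer": re.compile(r"Peer = (\S+)"),
    "acl": re.compile(r"Extended IP access list (\d+)"),
    "lifetime_kb": re.compile(r"lifetime: (\d+) kilobytes"),
    "lifetime_sec": re.compile(r"/(\d+) seconds"),
    "pfs": re.compile(r"PFS \(Y/N\): ([YN])"),
    "transform_sets": re.compile(r"Transform sets=\{([^}]*)\}"),
}


def parse_crypto_maps(text):
    """One dict per crypto map entry, keyed by the field names above."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"name": m["name"], "seq": int(m["seq"]), "kind": m["kind"]})
            continue
        if not entries:            # text before the first header is ignored
            continue
        for key, rx in FIELDS.items():
            m = rx.search(line)
            if m:
                entries[-1][key] = m.group(1)
    for e in entries:              # normalise the captured strings
        e["pfs"] = e.get("pfs") == "Y"
        e["lifetime_kb"] = int(e.get("lifetime_kb", 0))
        e["lifetime_sec"] = int(e.get("lifetime_sec", 0))
        raw = e.get("transform_sets", "")
        e["transform_sets"] = [t.strip() for t in raw.split(",") if t.strip()]
    return entries


def used_sequence_numbers(entries, map_name):
    """Sequence numbers already taken in a named crypto map."""
    return sorted(e["seq"] for e in entries if e["name"] == map_name)


def audit_crypto_maps(entries, peer, require_pfs=False):
    """Findings worth knowing before adding a new entry for `peer`."""
    findings = []
    for e in entries:
        tag = f'{e["name"]} seq {e["seq"]}'
        if e.get("peer") == peer:
            findings.append(f"{tag}: already targets peer {peer}; extend it rather than adding a duplicate")
        if require_pfs and not e["pfs"]:
            findings.append(f"{tag}: PFS is off")
        if not e["transform_sets"]:
            findings.append(f"{tag}: no transform set bound")
    return findings


if __name__ == "__main__":
    maps = parse_crypto_maps(SAMPLE_SHOW_CRYPTO_MAP)
    print("sequence numbers in use:", used_sequence_numbers(maps, "mymap"))
    for finding in audit_crypto_maps(maps, "172.30.2.2", require_pfs=True):
        print(finding)
```

Feed it the output captured from the router (for example via a terminal log) in place of the constructed sample; the regexes only assume the line shapes visible on the slide.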

Step 3—Check Current Configuration (cont.)

show crypto ipsec transform-set
View any configured transform sets.

router# show crypto ipsec transform-set
Transform set mine: { esp-des  }
   will negotiate = { Tunnel,  },

Step 5—Ensure Access Lists Are Compatible with IPSec

Ensure protocols 50 and 51, and UDP port 500 traffic are not blocked at interfaces used by IPSec.

routerA# show access-lists
access-list 102 permit ahp host 172.30.2. host 172.30.1.                (AH)
access-list 102 permit esp host 172.30.2. host 172.30.1.                (ESP)
access-list 102 permit udp host 172.30.2. host 172.30.1. eq isakmp      (IKE)

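An access list can block IPSec even when the three permit entries above are present, because IOS evaluates entries in order and stops at the first match: a broad deny placed earlier shadows a later permit, and any flow no entry matches hits the implicit deny at the end. The Python below is an added example, not from the slides or from Cisco. It parses `show access-lists` output in the format the slide shows, then evaluates the AH, ESP and IKE flows from the peer against the ACL with first-match semantics. The two sample outputs are constructed (peer addresses completed as 172.30.2.2 and 172.30.1.2 for illustration); the second one contains two typical mistakes.

```python
import re

# One entry of the "show access-lists" output in the slide's format:
#   access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
# Source and destination are "host <addr>" or "any"; "eq" is the destination
# port.  Newer IOS prints the same entries as numbered lines under
# "Extended IP access list 102"; adapt the pattern for that format.
ACE = re.compile(
    r"access-list (?P<acl>\d+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>host \S+|any) (?P<dst>host \S+|any)(?: eq (?P<port>\S+))?"
)
PORT_NAMES = {"isakmp": 500}


def required_flows(peer, local):
    """The three flows IPSec needs inbound from the peer: AH (IP protocol 51,
    IOS keyword ahp), ESP (IP protocol 50) and IKE on UDP port 500."""
    return {
        "ah": ("ahp", peer, local, None),
        "esp": ("esp", peer, local, None),
        "isakmp": ("udp", peer, local, 500),
    }


def parse_acl(text, acl_number):
    """Entries of one numbered ACL, in the order the router evaluates them."""
    entries = []
    for line in text.splitlines():
        m = ACE.search(line)
        if m and m["acl"] == str(acl_number):
            port = m["port"]
            if port is not None:
                port = PORT_NAMES.get(port, int(port) if port.isdigit() else port)
            entries.append((m["action"], m["proto"], m["src"], m["dst"], port))
    return entries


def _addr_matches(spec, addr):
    return spec == "any" or spec == f"host {addr}"


def _ace_matches(ace, flow):
    _action, proto, src, dst, port = ace
    fproto, fsrc, fdst, fport = flow
    return (proto in ("ip", fproto)
            and _addr_matches(src, fsrc) and _addr_matches(dst, fdst)
            and (port is None or port == fport))


def first_match(entries, flow):
    """IOS applies the first matching entry; no match means the implicit deny."""
    for ace in entries:
        if _ace_matches(ace, flow):
            return ace
    return None


def ipsec_flows_permitted(acl_text, acl_number, peer, local):
    """True for each IPSec flow the ACL lets through from peer to local."""
    entries = parse_acl(acl_text, acl_number)
    verdict = {}
    for name, flow in required_flows(peer, local).items():
        ace = first_match(entries, flow)
        verdict[name] = ace is not None and ace[0] == "permit"
    return verdict


# Constructed sample output: the three entries the slide shows.
GOOD_ACL = """\
routerA# show access-lists
access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
"""

# Constructed sample with two mistakes: ESP was never permitted (falls to the
# implicit deny) and a broad "deny udp" before the IKE permit shadows it.
BAD_ACL = """\
routerA# show access-lists
access-list 102 deny udp any any
access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
"""

if __name__ == "__main__":
    print("good:", ipsec_flows_permitted(GOOD_ACL, 102, "172.30.2.2", "172.30.1.2"))
    print("bad: ", ipsec_flows_permitted(BAD_ACL, 102, "172.30.2.2", "172.30.1.2"))
```

Run it against the ACL applied inbound on the interface facing the peer; a False for any of the three flows means that ACL will stop the tunnel from coming up even though the crypto configuration itself is correct.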

Task 2—Configure IKE

Step 1—Enable or Disable IKE

router(config)# [no] crypto isakmp enable

router(config)# crypto isakmp enable
router(config)# no crypto isakmp enable

Globally enables or disables IKE at your router.
IKE is enabled by default.
IKE is enabled globally for all interfaces at the router.
Use the no form of the command to disable IKE.
An ACL can be used to block IKE on a particular interface.

Step 2—Create IKE Policies

router(config)# crypto isakmp policy priority

Defines an IKE policy, which is a set of parameters used during IKE negotiation.
Invokes the config-isakmp command mode.