IKE Creation and IPSec Security Policy

This topic identifies the steps for creating an IKE and IPSec security policy.

Task 1—Prepare for IKE and IPSec

Step 1—Determine IKE (IKE Phase 1) policy.

Step 2—Determine IPSec (IKE Phase 2) policy.

Step 3—Check the current configuration.

show running-configuration

show crypto isakmp policy

show crypto map

Step 4—Ensure the network works without encryption.

ping

Step 5—Ensure access lists are compatible with IPSec.

show access-lists

Task 2—Configure IKE

Task 3—Configure IPSec

Task 4—Test and Verify IPSec

© 2004 Cisco Systems, Inc. All rights reserved. BCRAN v2.1—5-2

Configuring IPSec encryption can be complicated. Plan in advance if you want to configure IPSec encryption correctly the first time and minimize misconfiguration. Begin by defining the IPSec security policy based on the overall company security policy. The planning steps are as follows:

Step 1 Determine IKE (IKE Phase 1) policy: Determine the IKE policies between IPSec peers based on the number and location of the peers.

Step 2 Determine IPSec (IKE Phase 2) policy: Identify IPSec peer details such as IP addresses, IPSec transform sets, and IPSec modes. Then configure crypto maps to gather all IPSec policy details together.

Step 3 Check the current configuration: Use the show running-configuration, show crypto isakmp policy, and show crypto map commands, along with many other show commands, to check the current configuration of the router. This is covered later in this lesson.

Step 4 Ensure the network works without encryption (no excuses!): Ensure that basic connectivity has been achieved between IPSec peers using the desired IP services before configuring IPSec. You can use the ping command to check basic connectivity.

Step 5 Ensure that access control lists (ACLs) are compatible with IPSec: Ensure that perimeter routers and the IPSec peer router interfaces permit IPSec traffic. In this step you need to enter the show access-lists command.
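The check behind Step 5, as an added example that is not part of the course material: this Python script parses constructed `show access-lists` output and reports, for a pair of peer addresses, whether each flow an IPSec peering needs (ISAKMP, ESP, AH, NAT-T) is permitted. It goes beyond the slide by applying IOS first-match semantics (an earlier deny shadows a later permit) and evaluating wildcard masks; the ACL, the peer addresses and the function names are hypothetical, and it assumes the standard extended-ACL line layout.

```python
import ipaddress
import re

# Constructed `show access-lists` output (not from the course); ACL and peer addresses are hypothetical.
SAMPLE_SHOW_ACCESS_LISTS = """\
    10 permit udp host 172.16.1.1 host 172.16.2.1 eq isakmp (12 matches)
    20 permit esp host 172.16.1.1 host 172.16.2.1
    30 deny ip any any log
"""

# Flows an ACL between IPSec peers must permit: ISAKMP UDP/500, ESP (IP 50), AH (IP 51) if used, NAT-T UDP/4500 if NAT is in the path.
REQUIRED = {
    "isakmp udp/500": ("udp", {"isakmp", "500"}),
    "esp ip/50": ("esp", None),
    "ahp ip/51": ("ahp", None),
    "nat-t udp/4500": ("udp", {"non500-isakmp", "4500"}),
}

def _take_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return an address matcher."""
    if tokens[0] == "host":
        tokens[0:2] = [tokens[1], "0.0.0.0"]
    elif tokens[0] == "any":
        tokens[0:1] = ["0.0.0.0", "255.255.255.255"]
    net, wild = (int(ipaddress.ip_address(t)) for t in tokens[:2])
    del tokens[:2]
    return lambda ip: (int(ipaddress.ip_address(ip)) | wild) == (net | wild)

def ipsec_permitted(show_output, src, dst):
    """Map each REQUIRED flow to True/False for src -> dst using IOS first-match semantics."""
    result = dict.fromkeys(REQUIRED, False)  # every ACL ends in an implicit deny
    for name, (proto, ports) in REQUIRED.items():
        for line in show_output.splitlines():
            m = re.match(r"\s*(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(.*?)\s*(?:\(\d+ matches?\))?\s*$", line)
            if not m or m.group(2) not in (proto, "ip"):
                continue
            action, p, rest = m.group(1), m.group(2), m.group(3).split()
            try:
                s_ok = _take_addr(rest)
                if rest[:1] == ["eq"]: del rest[:2]  # skip a source-port operator
                d_ok = _take_addr(rest)
            except (IndexError, ValueError):
                continue  # not a parsable extended ACE
            if not (s_ok(src) and d_ok(dst)):
                continue
            if ports and p != "ip" and "eq" in rest[:-1] and rest[rest.index("eq") + 1] not in ports:
                continue  # right protocol, wrong port
            result[name] = action == "permit"
            break
    return result
```

Run it against the real output of show access-lists on each perimeter router and the IPSec peer interfaces; any False for a flow your transform set needs means Step 5 is not done.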

