Task 1 Prepare to Configure VPN Support

Step 1. Determining the IKE (IKE phase one) policy

Step 2. Determining the IPSec (IKE phase two) policy

Step 3. Ensuring that the network works without encryption

Step 4. Implicitly permitting IPSec packets to bypass PIX Firewall access lists, access groups, and conduits

©2000, Cisco Systems.

CSPFA 1.01-7-10

Configuring IPSec encryption can be complicated. You must plan in advance if you want to configure IPSec encryption correctly the first time and minimize misconfiguration. You should begin this task by defining the overall security needs and strategy based on the overall company security policy. Some planning steps include the following:

Step 1 Determining the IKE (IKE phase one) policy—Determine the IKE policies between peers based on the number and location of IPSec peers.

Step 2 Determining the IPSec (IKE phase two) policy—You will need to identify IPSec peer details such as IP addresses and IPSec modes. You then configure crypto maps to gather all IPSec policy details together.

Step 3 Ensuring that the network works without encryption (no excuses!)—Ensure that basic connectivity has been achieved between IPSec peers using the desired IP services before configuring PIX Firewall IPSec.

Step 4 Implicitly permitting IPSec packets to bypass PIX access lists, access groups, and conduits—In this step you must enter the sysopt connection permit-ipsec command. The bypass applies only to packets that arrived through an IPSec tunnel, so for that traffic the crypto access list and the peer authentication become the effective inbound policy.

Planning includes the following steps:

Identify IKE phase one policies for peers.

Determine key distribution methods.

Identify IPSec peer PIX Firewall IP addresses and hostnames.

Goal: Minimize misconfiguration

©2000, Cisco Systems, Inc. www.cisco.com CSPFA 1.01-7-11


An IKE policy defines a combination of security parameters to be used during the IKE negotiation. You should determine the IKE policy, then configure it. Some planning steps include:

■ Determining IKE phase one (ISAKMP) policies for peers—An IKE policy defines a combination of security parameters to be used during the IKE negotiation. Each IKE negotiation begins by each peer agreeing on a common (shared) IKE policy. The IKE policy suites must be determined in advance of configuration.

■ Determining key distribution methods based on the numbers and locations of IPSec peers—You may wish to use a CA server to support scalability of IPSec peers. You must then configure IKE to support the selected key distribution method.

■ Identifying IPSec peer PIX Firewall IP addresses and hostnames—You will need to determine the details of all of the IPSec peers that will use IKE for establishing SAs.

The goal of advance planning is to minimize misconfiguration.
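The four planning steps (IKE phase one policy, IPSec phase two policy, cleartext connectivity first, then the sysopt bypass) and the IKE planning items above come together in one PIX Firewall configuration. The following is an added example written for this page; it is not a configuration from the course materials or from Cisco. The peer outside address 192.168.2.1, the protected subnets 10.1.1.0/24 (behind this PIX) and 10.2.2.0/24 (behind the peer), the pre-shared key, the access list number, and the crypto map and transform-set names are all assumed placeholders. The comments carry the check a practitioner would run at each step.

```cisco
! Step 3 first (no excuses): prove cleartext reachability before touching crypto.
! From a host on 10.1.1.0/24, reach a host on 10.2.2.0/24 through the PIX, and
! from the PIX confirm the peer's outside address answers:
!   pixfirewall# ping outside 192.168.2.1
! If this fails, fix routing, NAT and access lists first; IPSec will not fix them.

! Step 1: IKE phase one (ISAKMP) policy. Both peers must share at least one
! matching policy; the lowest priority number is offered first. DES, MD5 and
! group 1 are the PIX defaults but should not be chosen for new deployments
! (3DES needs the 3DES-enabled software license on this generation of PIX).
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Key distribution method: a pre-shared key scoped to this one peer address
! (placeholder key). With many peers, plan on a CA and RSA signatures instead.
isakmp key ExamplePreSharedKeyChangeMe address 192.168.2.1 netmask 255.255.255.255

! Step 2: IPSec (IKE phase two) policy.
! The crypto access list selects exactly which traffic is encrypted. Keep it as
! narrow as the real requirement: once Step 4 is applied it is also the
! effective inbound policy for everything arriving through the tunnel.
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
! Exempt the same traffic from NAT so private addresses travel inside the tunnel.
nat (inside) 0 access-list 101
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map peer1 10 ipsec-isakmp
crypto map peer1 10 match address 101
crypto map peer1 10 set peer 192.168.2.1
crypto map peer1 10 set transform-set strong
crypto map peer1 interface outside

! Step 4: let decrypted IPSec traffic bypass access lists, access groups and conduits.
sysopt connection permit-ipsec

! Verification, after both sides are configured and interesting traffic has been
! sent (for example a ping from 10.1.1.x to 10.2.2.x):
!   show isakmp policy      - the phase one proposals this PIX will offer
!   show crypto map         - peer, access list and transform set per map entry
!   show isakmp sa          - the phase one SA to 192.168.2.1 should be QM_IDLE
!   show crypto ipsec sa    - #pkts encaps/decaps counters should be increasing
```

The peer's configuration mirrors this one: its crypto access list names 10.2.2.0/24 as source and 10.1.1.0/24 as destination, its set peer points at this PIX's outside address, and its isakmp policy and transform set must match parameter for parameter, or phase one (or phase two) negotiation will fail before any traffic is encrypted.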
