Configure a Cisco Router for IPsec Using Preshared Keys

Several tasks and subtasks are required to configure the router for an IPsec VPN using preshared keys:

1. Select the IKE and IPsec parameters.

a. Define the IKE (Phase 1) policy.

b. Define the key distribution method.

i. Manual key distribution

ii. ISAKMP

c. Define the authentication method.

i. Preshared secret

ii. RSA signatures

iii. RSA nonces

d. Identify the IKE SA peer by IP address or host name.

e. Define the IKE Phase 1 policy.

i. Encryption algorithm (DES, 3DES)

ii. Hash algorithm (SHA-1, MD5)

iii. IKE SA lifetime

2. Define the IPsec policies.

a. Select the IPsec protocol (AH, ESP).

b. Configure transforms and transform sets.

c. Define the IPsec peer by host name or IP address.

d. Define local hosts/networks.

e. Select SA initiation type (manual, IKE).

3. Verify the current router configuration (show running-config).

a. Verify connectivity.

b. Ping through to the peer.

c. Ensure compatible access lists.

d. Verify you are not blocking protocol 50/51 or UDP 500.

4. Configure IKE.

a. Enable IKE.

b. Create policies (per plan listed previously).

c. Validate the configuration.

5. Configure IPsec.

a. Define transforms.

b. Create the crypto ACLs.

c. Create the crypto maps.

d. Apply the crypto maps.
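
Steps 3d through 5 as one IOS configuration, added here as an illustration and not taken from the original page. The peer and local addresses (documentation ranges), protected subnets, ACL numbers, the names VPN-SET and VPN-MAP, interface Serial0/0, and the key placeholder are all assumptions; 3DES and SHA-1 are chosen from the options listed in step 1.

```cisco
! Assumed addressing: local router 192.0.2.1, peer 198.51.100.2,
! local LAN 10.1.1.0/24, remote LAN 10.2.2.0/24.
!
! Step 3d: if an inbound ACL is already applied on the outside interface
! (ACL 101 assumed), add entries so IKE (UDP 500) and ESP (protocol 50)
! from the peer are not dropped. Use "permit ahp" instead if AH is selected.
access-list 101 permit udp host 198.51.100.2 host 192.0.2.1 eq isakmp
access-list 101 permit esp host 198.51.100.2 host 192.0.2.1
!
! Step 4a-4b: enable IKE and create the Phase 1 policy from the plan.
crypto isakmp enable
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 lifetime 86400
! Preshared key bound to the peer address (placeholder, not a real key).
crypto isakmp key REPLACE-WITH-SHARED-SECRET address 198.51.100.2
!
! Step 5a: define the transform set (ESP with 3DES and SHA-1 HMAC).
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
!
! Step 5b: crypto ACL selecting the traffic to protect.
! The peer's crypto ACL must be the mirror image of this entry.
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Step 5c: crypto map tying peer, transform set and crypto ACL together,
! with SAs negotiated by IKE (ipsec-isakmp).
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set VPN-SET
 match address 110
!
! Step 5d: apply the crypto map to the outside interface.
interface Serial0/0
 crypto map VPN-MAP
!
! Step 4c and after: validate from privileged EXEC mode.
!   show crypto isakmp policy
!   show crypto ipsec transform-set
!   show crypto map
!   show crypto isakmp sa
!   show crypto ipsec sa
```

The peer needs the same Phase 1 policy, the same preshared key, and a transform set that matches, with addresses and crypto ACL reversed. Where the IOS release offers them, AES and a SHA-2 hash are stronger choices than the DES/3DES and MD5/SHA-1 options listed in step 1.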
