VPN Types
  Remote-access (client-initiated)
  Site-to-site: intranet (within one organization) and extranet (between partner organizations)
Tunneling Protocols
VPN Protocols
Components of a VPN protocol:
  Tunnel
  Encryption and decryption
  Cryptosystem
  Hashing
  Authentication
  Authorization
  Key management
  CA (certification authority) service
IPSec terminology:
  AH: Authentication Header
  ESP: Encapsulating Security Payload
  IKE: Internet Key Exchange
  ISAKMP: Internet Security Association and Key Management Protocol
  SA: Security Association
Cryptosystem Overview
Symmetric Encryption
Asymmetric Encryption
Hashing
IPSec Technologies
Security Association
Task 1: Prepare for IKE and IPSec
  Step 1: Determine the IKE (IKE phase 1) policy
  Step 2: Determine the IPSec (IKE phase 2) policy
  Step 3: Check the current configuration
  Step 4: Ensure that the network works without encryption
  Step 5: Ensure that access lists are compatible with IPSec
Task 2: Configure IKE
  Step 1: Enable or disable IKE
  Step 2: Create IKE policies
  Step 3: Configure the ISAKMP identity
  Step 4: Configure preshared keys
  Step 5: Verify the IKE configuration

Task 1, Step 1: determine the following IKE (phase 1) policy details (goal: minimize misconfiguration):
  Key distribution method
  Authentication method
  IPSec peer IP addresses and hostnames
  IKE phase 1 policies for all peers
  Encryption algorithm
  Hash algorithm
  IKE SA lifetime

Task 1, Step 2: determine the following IPSec (phase 2) policy details (goal: minimize misconfiguration):
  IPSec algorithms and parameters for optimal security and performance
  Transforms and, if necessary, transform sets
  IPSec peer details
  IP addresses and applications of the hosts to be protected
  Manual or IKE-initiated SAs
Task 2: Configure IKE
  Step 1: Enable or disable IKE: crypto isakmp enable
  Step 2: Create IKE policies: crypto isakmp policy
  Step 3: Configure the ISAKMP identity: crypto isakmp identity
  Step 4: Configure pre-shared keys: crypto isakmp key
  Step 5: Verify the IKE configuration: show crypto isakmp policy
Task 3: Configure IPSec
  Step 1: Configure transform set suites: crypto ipsec transform-set
  Step 2: Configure global IPSec SA lifetimes: crypto ipsec security-association lifetime
  Step 3: Create crypto ACLs using extended access lists: access-list (extended) or ip access-list extended; a permit entry selects traffic to be protected
  Step 4: Configure IPSec crypto maps: crypto map map-name seq-num ipsec-isakmp
  Step 5: Apply crypto maps to interfaces: crypto map map-name (in interface configuration mode)
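The following is a complete Task 2 and Task 3 configuration for one IOS router, together with the outside-interface access list that Task 1 Step 5 ("access lists compatible with IPSec") calls for. It is an added example and not configuration from the original slides. The peer addresses (203.0.113.1 and 203.0.113.2), the protected subnets (192.168.1.0/24 and 192.168.2.0/24), the names VPN-MAP, TS-AES256-SHA, CRYPTO-ACL and OUTSIDE-IN, the placeholder pre-shared key, and an IOS 15.x image (required for hash sha256 and esp-sha256-hmac) are all assumptions.

```cisco
! Added example, not from the slides. Assumed topology:
!   this router: outside address 203.0.113.1, protects 192.168.1.0/24
!   peer router: outside address 203.0.113.2, protects 192.168.2.0/24
! Assumed names: VPN-MAP, TS-AES256-SHA, CRYPTO-ACL, OUTSIDE-IN
! Assumed image: IOS 15.x (hash sha256 / esp-sha256-hmac are not in older images)
!
! ---- Task 2: Configure IKE (IKE phase 1) ----
! Step 1: enable IKE (the default, but explicit here)
crypto isakmp enable
!
! Step 2: IKE policy. Lower number = higher priority. The peer must have a
! policy with the same encryption, hash, authentication, group and lifetime.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Step 3: identify this router by IP address in IKE; the peer's
! "crypto isakmp key ... address" must reference that address.
crypto isakmp identity address
!
! Step 4: pre-shared key for the peer. REPLACE-WITH-STRONG-RANDOM-KEY is a
! placeholder. The key shows in cleartext in "show running-config" unless
! type-6 encryption (key config-key password-encrypt + password encryption aes)
! is configured.
crypto isakmp key REPLACE-WITH-STRONG-RANDOM-KEY address 203.0.113.2
!
! ---- Task 3: Configure IPSec (IKE phase 2) ----
! Step 1: transform set: ESP with AES-256 and SHA-256 HMAC, tunnel mode
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Step 2: global IPSec SA lifetime in seconds, shorter than the IKE SA lifetime
crypto ipsec security-association lifetime seconds 3600
!
! Step 3: crypto ACL. "permit" means "protect this traffic". The peer's crypto
! ACL must be the mirror image (192.168.2.0/24 -> 192.168.1.0/24).
ip access-list extended CRYPTO-ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Step 4: crypto map entry ties the peer, transform set and crypto ACL together;
! "ipsec-isakmp" means the SAs are negotiated by IKE rather than set manually.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA
 match address CRYPTO-ACL
!
! Task 1 Step 5: an inbound ACL on the outside interface must permit the IKE
! and IPSec packets themselves (UDP/500, UDP/4500 for NAT-T, ESP, AH), or
! the tunnel never comes up. Some IOS releases also re-check the decrypted
! inner packet against this ACL, so the protected traffic is permitted too.
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 permit udp host 203.0.113.2 host 203.0.113.1 eq 4500
 permit esp host 203.0.113.2 host 203.0.113.1
 permit ahp host 203.0.113.2 host 203.0.113.1
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip any any log
!
! Step 5: apply the crypto map (and the interface ACL) to the outside interface
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map VPN-MAP
```

The peer is configured the same way with the addresses and crypto ACL reversed. After applying the crypto map, send traffic that matches CRYPTO-ACL (for example a ping from a 192.168.1.0/24 host to a 192.168.2.0/24 host) and confirm with show crypto isakmp sa and show crypto ipsec sa that the phase 1 and phase 2 SAs were established and that the encrypt/decrypt counters increase.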
Crypto maps pull together the various parts configured for IPSec, including:
  The traffic to be protected by IPSec (the crypto ACL) and the set of SAs that will protect it (the peer and transform set)
  The local address to be used for the IPSec traffic
Task 4: Test and Verify IPSec
  Display the configured IKE policies: show crypto isakmp policy (show isakmp policy on a PIX)
  Display the configured transform sets: show crypto ipsec transform-set
  Display the phase 1 security associations: show crypto isakmp sa (show isakmp sa on a PIX)
  Display the current state of the IPSec SAs: show crypto ipsec sa
  Display the configured crypto maps: show crypto map
  Enable debug output for IPSec events: debug crypto ipsec
  Enable debug output for ISAKMP events: debug crypto isakmp
clear commands
  clear crypto isakmp tears down the IKE (phase 1) SAs and clear crypto sa tears down the IPSec (phase 2) SAs; use them to force renegotiation after changing a policy, transform set or crypto map
debug crypto
  debug crypto isakmp and debug crypto ipsec show the negotiation step by step; turn debugging off with undebug all when finished