The steps and related commands are summarized in the following task list:
Task 1 Prepare for IKE and IPSec
-
Step 1–1 Plan for CA support
-
Step 1–2 Determine the IKE (IKE phase one) policies
-
Step 1–3 Determine the IPSec (IKE phase two) policies
-
Step 1–4 Check the current configuration
show running-config
show crypto isakmp policy
show crypto map
-
Step 1–5 Ensure the network works without encryption
ping
-
Step 1–6 Ensure access control lists are compatible with IPSec
show access-lists
Task 2 Configure CA support
-
Step 2–1 Manage the NVRAM memory usage (Optional)
crypto ca certificate query
-
Step 2–2 Set the router’s time and date
ntp broadcast client
sntp broadcast client
clock set
-
Step 2–3 Configure the router’s host name and domain name
hostname
ip domain-name
ip host
-
Step 2–4 Generate an RSA key pair
crypto key generate rsa
-
Step 2–5 Declare a CA
crypto ca identity
enrollment url
query url
crl optional
enrollment mode ra
enrollment retry count
enrollment retry period
-
Step 2–6 Authenticate the CA
crypto ca authenticate
-
Step 2–7 Request your own certificate
crypto ca enroll
-
Step 2–8 Save the configuration
copy running-config startup-config
-
Step 2–9 Monitor and maintain CA interoperability (Optional)
Request a CRL
crypto ca crl request
Delete your router’s RSA keys:
crypto key zeroize rsa
Delete your router’s certificate from the configuration (entered under crypto ca certificate chain name):
no certificate certificate-serial-number
Delete the CA identity together with all of its certificates:
no crypto ca identity name
Delete peer’s public keys (entered under crypto key pubkey-chain rsa):
no named-key key-name
no addressed-key key-address
-
Step 2–10 Verify the CA support configuration
show crypto ca certificates
show crypto key mypubkey rsa
show crypto key pubkey-chain rsa
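The Task 2 steps carried through as one configuration session. This is an added walk-through, not code from the page or from Cisco documentation; the host name vpn-gw, the domain example.com, the CA name ca-server, its address 192.0.2.20 and the NTP server 192.0.2.10 (RFC 5737 documentation addresses) are assumptions, and the interactive prompts are abbreviated. The crypto ca identity syntax is the older IOS form; later releases rename it crypto ca trustpoint and then crypto pki trustpoint, with the same subcommands.

```cisco
! Added walk-through of Task 2 (not from the page). Assumed: hostname vpn-gw,
! domain example.com, CA "ca-server" at 192.0.2.20, NTP source 192.0.2.10.
!
! Step 2-2: certificates carry validity dates, so the clock must be right
! before authenticating or enrolling. An NTP server is assumed here in place
! of the page's broadcast client or a manual clock set.
Router(config)# ntp server 192.0.2.10
!
! Step 2-3: the RSA key pair and the certificate subject are named after the
! FQDN, so set host name and domain before generating keys.
Router(config)# hostname vpn-gw
vpn-gw(config)# ip domain-name example.com
vpn-gw(config)# ip host ca-server 192.0.2.20
!
! Step 2-4: the 512-bit default modulus is too small; use at least 1024 bits,
! 2048 where the release allows.
vpn-gw(config)# crypto key generate rsa
The name for the keys will be: vpn-gw.example.com
How many bits in the modulus [512]: 2048
Generating RSA keys ...
[OK]
!
! Step 2-5: declare the CA. "crl optional" is deliberately NOT set: with it
! the router accepts a peer certificate even when no CRL can be fetched, so
! a revoked certificate would still authenticate.
vpn-gw(config)# crypto ca identity ca-server
vpn-gw(ca-identity)# enrollment url http://ca-server:80
vpn-gw(ca-identity)# enrollment retry count 5
vpn-gw(ca-identity)# enrollment retry period 2
vpn-gw(ca-identity)# exit
!
! Step 2-6: fetch the CA certificate. Compare the fingerprint with the value
! the CA administrator gives you out of band before answering yes; that
! comparison is the only thing that stops a spoofed CA at this point.
vpn-gw(config)# crypto ca authenticate ca-server
Certificate has the following attributes:
Fingerprint: <compare against the out-of-band value>
% Do you accept this certificate? [yes/no]: yes
!
! Step 2-7: enroll. The challenge password is what you quote to the CA
! administrator to revoke this certificate; record it securely.
vpn-gw(config)# crypto ca enroll ca-server
% Start certificate enrollment ..
% Create a challenge password. ...
Password: <challenge-password>
Re-enter password: <challenge-password>
% The subject name in the certificate will be: vpn-gw.example.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [yes/no]: no
Request certificate from CA? [yes/no]: yes
!
! Step 2-8: save so the CA identity and certificates survive a reload.
vpn-gw# copy running-config startup-config
!
! Step 2-10: expect both the CA certificate and the router certificate to be
! listed, and the public key shown to match the one in the router certificate.
vpn-gw# show crypto ca certificates
vpn-gw# show crypto key mypubkey rsa
```

If the enrollment stays pending, the retry count and period above control how long the router keeps polling the CA; re-run show crypto ca certificates until the router certificate appears before moving on to Task 3.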
Task 3 Configure IKE
-
Step 3–1 Enable or disable IKE
crypto isakmp enable
-
Step 3–2 Create IKE policies
crypto isakmp policy
authentication
encryption
hash
group
lifetime
-
Step 3–3 Configure preshared keys
crypto isakmp key
-
Step 3–4 Verify the IKE configuration
show crypto isakmp policy
Task 4 Configure IPSec
-
Step 4–1 Configure transform set suites
crypto ipsec transform-set
-
Step 4–2 Configure global IPSec security association lifetimes
crypto ipsec security-association lifetime
-
Step 4–3 Configure crypto ACLs
access-list
-
Step 4–4 Configure crypto maps
crypto map
-
Step 4–5 Apply the crypto maps to the interface
interface
crypto map
Task 5 Test and verify IPSec
-
Step 5–1 Display the configured IKE policies
show crypto isakmp policy
-
Step 5–2 Display the configured transform sets
show crypto ipsec transform-set
-
Step 5–3 Display the current state of the IPSec SAs
show crypto ipsec sa
-
Step 5–4 Display the configured crypto maps
show crypto map
-
Step 5–5 Debug IKE events
debug crypto isakmp
-
Step 5–6 Debug IPSec events
debug crypto ipsec
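Tasks 3, 4 and 5 carried through as one configuration for a site-to-site tunnel with preshared-key authentication, including the Step 1–6 access-list check. This is an added example, not configuration from the page or from Cisco; the interface Ethernet1, the addresses 192.0.2.1 (this router) and 198.51.100.1 (peer), the LANs 10.1.1.0/24 and 10.2.2.0/24, the names STRONG and TOPEER, ACL numbers 110 and 120 and the preshared key are all assumptions.

```cisco
! Added example (not from the page). Assumed topology: this router's outside
! interface Ethernet1 is 192.0.2.1, the peer is 198.51.100.1, local LAN is
! 10.1.1.0/24, remote LAN is 10.2.2.0/24.
!
! Task 3, Steps 3-1 and 3-2: IKE phase one. If no policy is configured the
! router falls back to its default (DES, SHA, RSA signatures, group 1,
! 86400 s), so state every attribute explicitly. On the older releases that
! use the page's "crypto ca identity" syntax, substitute 3des and group 2
! if aes and group 14 are not offered.
crypto isakmp enable
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 28800
! Step 3-3: preshared key bound to the peer address. The key below is a
! placeholder; with the CA of Task 2 in place, use "authentication rsa-sig"
! instead and drop this line.
crypto isakmp key example-psk-change-me address 198.51.100.1
!
! Task 4, Step 4-1: transform set (ESP with AES and SHA-HMAC; tunnel mode
! is the default).
crypto ipsec transform-set STRONG esp-aes 256 esp-sha-hmac
! Step 4-2: global SA lifetimes in seconds and kilobytes, whichever expires
! first triggers rekeying.
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
! Step 4-3: crypto ACL. "permit" means protect, "deny" means send in the
! clear. The peer's crypto ACL must be the exact mirror image of this one.
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
! Step 4-4: crypto map entry tying peer, transform set and crypto ACL together.
crypto map TOPEER 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set STRONG
 match address 110
!
! Step 1-6 check: an inbound ACL on the outside interface must permit IKE
! (UDP 500), ESP (protocol 50) and AH (protocol 51) from the peer, or phase
! one never completes. Older releases also re-evaluate decrypted packets
! against this ACL, so the cleartext inner traffic is permitted too.
access-list 120 permit udp host 198.51.100.1 host 192.0.2.1 eq isakmp
access-list 120 permit esp host 198.51.100.1 host 192.0.2.1
access-list 120 permit ahp host 198.51.100.1 host 192.0.2.1
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! Step 4-5: apply both to the interface facing the peer.
interface Ethernet1
 ip address 192.0.2.1 255.255.255.0
 ip access-group 120 in
 crypto map TOPEER
!
! Task 5 (exec mode): verify, send interesting traffic, then check the SAs.
! vpn-gw# show crypto isakmp policy
! vpn-gw# show crypto ipsec transform-set
! vpn-gw# show crypto map
! vpn-gw# ping            (extended ping, source 10.1.1.1, target 10.2.2.1,
!                          so the packets match ACL 110)
! vpn-gw# show crypto ipsec sa
! vpn-gw# debug crypto isakmp
```

In show crypto ipsec sa the #pkts encaps and #pkts decaps counters should both increase after the ping; encaps rising with decaps at zero usually means the peer's crypto ACL or transform set does not mirror this side, which debug crypto isakmp and debug crypto ipsec will show as a failed proposal or mismatched identity.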