Configure
IPSec Encryption Tasks
The good news is that only four tasks are required to configure
IPSec with preshared keys. The bad news is that each task has multiple steps that can
initially seem overwhelming. The four tasks Cisco uses, which you can expect on
the exam, are as follows:
Don’t make this more complicated than necessary. Task 1 is nothing
more than making sure you’ve tested the existing network and gathered the
information you need for Tasks 2 and 3. Task 2 is configuring for IKE Phase 1,
while Task 3 is configuring for IKE Phase 2. Finally, Task 4 is checking your
work.
The following task list shows the four tasks broken down into
their individual steps. The steps are numbered to include the task number, as
well as to help keep them straight. These steps are repeated in the chapter
summary with the key commands listed for each step.
Figure 10-1 shows the networks that provide the
example scenario used throughout this chapter. The goal is to create a secure
VPN tunnel between Rtr1 at the company main office and Rtr2 at one of almost
100 branch offices in North America, Europe, and Africa. The assumption is this:
the main office has reserved networks 192.168.0.0 through 192.168.127.0 for
itself and will use one class C for each branch from the remaining 192.168.128.0
to 192.168.255.0 addresses.
Task 1 Prepare for IKE and IPSec
- Step 1-1 Identify IPSec peers
- Step 1-2 Determine the IKE (IKE Phase 1) policies
- Step 1-3 Determine the IPSec (IKE Phase 2) policies
- Step 1-4 Check the current configuration
- Step 1-5 Ensure the network works without encryption
- Step 1-6 Ensure access control lists are compatible with IPSec

Task 2 Configure IKE
- Step 2-1 Enable or disable IKE
- Step 2-2 Create IKE policies
- Step 2-3 Configure preshared keys
- Step 2-4 Verify the IKE configuration

Task 3 Configure IPSec
- Step 3-1 Configure transform set suites
- Step 3-2 Configure global IPSec security association lifetimes
- Step 3-3 Configure crypto ACLs
- Step 3-4 Configure crypto maps
- Step 3-5 Apply the crypto maps to the interface

Task 4 Test and verify IPSec
- Step 4-1 Display the configured IKE policies
- Step 4-2 Display the configured transform sets
- Step 4-3 Display the current state of the IPSec SAs
- Step 4-4 Display the configured crypto maps
- Step 4-5 Debug IKE events
- Step 4-6 Debug IPSec events
The example uses private addresses to avoid using public addresses
that might belong to others and to make it easier for those who choose to try to
create the configuration in a test lab.
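The following IOS configuration walks Tasks 2 through 4 for the Rtr1/Rtr2 scenario as one complete example. It is added here and is not taken from the chapter or from Cisco's own sample configurations. The chapter does not give the routers' WAN addresses or the specific branch network, so the example assumes 203.0.113.1 (Rtr1) and 203.0.113.2 (Rtr2) on the serial link, the branch LAN 192.168.130.0/24, the interface name Serial0/0, and an IOS image recent enough to support AES-256 and DH group 14; the preshared key is a placeholder to be replaced. The algorithm choices are deliberately stronger than the DES/MD5/group 1 values older IOS images default to.

```cisco
! ===== Rtr1 (main office) =====
! Assumed WAN addresses: Rtr1 = 203.0.113.1, Rtr2 = 203.0.113.2 (documentation range,
! not from the chapter). Assumed branch LAN: 192.168.130.0/24.
!
! Task 2 / Step 2-1: IKE is enabled by default on IOS; making it explicit is harmless
crypto isakmp enable
!
! Step 2-2: IKE Phase 1 policy (lower sequence number = higher priority).
! AES-256 / SHA / group 14 chosen over the older DES / MD5 / group 1 defaults.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
!
! Step 2-3: preshared key bound to the peer's WAN address (placeholder secret)
crypto isakmp key REPLACE-WITH-LONG-RANDOM-SECRET address 203.0.113.2
!
! Task 3 / Step 3-1: IKE Phase 2 transform set (ESP with AES-256 and SHA-1 HMAC)
crypto ipsec transform-set RTR1-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Step 3-2: global IPSec SA lifetime in seconds
crypto ipsec security-association lifetime seconds 3600
!
! Step 3-3: crypto ACL selecting main office 192.168.0.0/17 -> branch 192.168.130.0/24.
! Rtr2's crypto ACL must be the exact mirror image, or Phase 2 negotiation fails.
access-list 110 permit ip 192.168.0.0 0.0.127.255 192.168.130.0 0.0.0.255
!
! Step 3-4: crypto map tying the peer, transform set and crypto ACL together
crypto map RTR1-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set RTR1-TS
 match address 110
!
! Step 1-6 / Step 3-5: if the WAN interface carries an inbound ACL, it must permit
! ISAKMP (UDP 500) and ESP (IP protocol 50) from the peer. Depending on IOS version,
! decrypted packets may be re-checked against this ACL, so the protected networks
! are permitted as well. Then apply the crypto map to the interface.
access-list 120 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
access-list 120 permit esp host 203.0.113.2 host 203.0.113.1
access-list 120 permit ip 192.168.130.0 0.0.0.255 192.168.0.0 0.0.127.255
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group 120 in
 crypto map RTR1-MAP
!
! ===== Rtr2 (branch) =====
! Same IKE policy and transform set values as Rtr1; peer, key address and
! crypto ACL are mirrored.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key REPLACE-WITH-LONG-RANDOM-SECRET address 203.0.113.1
crypto ipsec transform-set RTR2-TS esp-aes 256 esp-sha-hmac
 mode tunnel
access-list 110 permit ip 192.168.130.0 0.0.0.255 192.168.0.0 0.0.127.255
crypto map RTR2-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set RTR2-TS
 match address 110
interface Serial0/0
 ip address 203.0.113.2 255.255.255.252
 crypto map RTR2-MAP
!
! ===== Task 4: test and verify (privileged EXEC, not configuration mode) =====
! Step 4-1  show crypto isakmp policy
! Step 4-2  show crypto ipsec transform-set
! Step 4-3  show crypto ipsec sa
! Step 4-4  show crypto map
! Step 4-5  debug crypto isakmp
! Step 4-6  debug crypto ipsec
```

Generate interesting traffic (for example a ping from a main-office host to a branch host) before running `show crypto ipsec sa`; with a crypto map, the SAs are only built when matching traffic first hits the interface. The two points that most often break an otherwise correct configuration are the crypto ACLs not being mirror images and an interface ACL silently dropping UDP 500 or ESP, which is exactly why Step 1-6 sits in the preparation task.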