Step 1-3 Determine the IPSec (IKE Phase 2) Policies

Sep 27, 2009 by alperen


Once the choices are made for IKE Phase 1, it's time to turn to the parameters required to complete IKE Phase 2. This is where the IPSec tunnel is negotiated and, ultimately, the IPSec SAs are established. As in Phase 1, the goal is to define one or more sets of IPSec security parameters that make up the IPSec security policy, based on the overall company security policy.

The information gathered is required in Task 3 when IPSec is configured. To facilitate that process, gather the following information into a table similar to the one developed for Phase 1 for each peer for which sessions will be established.

| Parameter | Description |
| --- | --- |
| Transforms (or transform sets) | IPSec transforms (or transform sets), plus the VPN mode, that provide the optimal balance of security and performance |
| Peer address | Peer IP address for this session |
| Peer host name | What is the peer host name for this session? |
| IP address to protect | Which source hosts are to be protected for this session? |
| Traffic to protect | What applications should be protected for this session? |
| SA establishment method | Will SAs be manually established or established via IKE? |

Most of the choices to be configured, such as peer address and host name, are straightforward. Choosing the transforms or, if necessary, the transform sets involves determining the security features required and then striking a balance between security level and performance implications. Chapter 9 introduced transforms, and Task 3, later in this chapter, looks at configuring them.

The following table might represent the IPSec values for the chapter scenario:

| Parameter | Site 1 | Site 2 |
| --- | --- | --- |
| Transform (set) | esp-des, tunnel | esp-des, tunnel |
| Peer host name | Rtr2 | Rtr1 |
| Peer IP address | 10.0.50.2 | 10.0.1.21 |
| Hosts to be encrypted | 192.168.0.0/25 | 192.168.30.0/24 |
| Traffic to be encrypted | TCP | TCP |
| SA establishment | ipsec-isakmp | ipsec-isakmp |
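
As an added example (not from the original article), the following Python script loads the Site 1 and Site 2 values from the scenario table, renders the mirrored IOS crypto ACL each side would need, and audits the pair for parameter mismatches and weak transforms. The dictionary field names, the ACL number 110 and the audit rules are assumptions made for illustration.

```python
import ipaddress

# Constructed worksheets holding the chapter-scenario table values.
# Field names are hypothetical; "local_net" is the "hosts to be encrypted" row.
SITE1 = {"transforms": "esp-des", "mode": "tunnel", "peer_ip": "10.0.50.2",
         "local_net": "192.168.0.0/25", "traffic": "tcp", "sa": "ipsec-isakmp"}
SITE2 = {"transforms": "esp-des", "mode": "tunnel", "peer_ip": "10.0.1.21",
         "local_net": "192.168.30.0/24", "traffic": "tcp", "sa": "ipsec-isakmp"}

# Assumed audit rules: transforms treated as weak, and those giving integrity.
WEAK = {"esp-des": "56-bit DES key is too short", "esp-null": "no encryption"}
INTEGRITY = {"esp-md5-hmac", "esp-sha-hmac", "ah-md5-hmac", "ah-sha-hmac"}


def crypto_acl(local, remote, acl_id=110):
    """Render the IOS extended ACL that selects traffic local -> remote."""
    src = ipaddress.ip_network(local["local_net"])
    dst = ipaddress.ip_network(remote["local_net"])
    return (f"access-list {acl_id} permit {local['traffic']} "
            f"{src.network_address} {src.hostmask} "
            f"{dst.network_address} {dst.hostmask}")


def audit(a, b):
    """Return findings that would break or weaken the Phase 2 negotiation."""
    findings = []
    # With one transform set per peer, both worksheets must agree on these.
    for key in ("transforms", "mode", "traffic", "sa"):
        if a[key] != b[key]:
            findings.append(f"mismatch: {key} {a[key]!r} vs {b[key]!r}")
    # Protected networks must not overlap, or the mirrored ACLs are ambiguous.
    if ipaddress.ip_network(a["local_net"]).overlaps(
            ipaddress.ip_network(b["local_net"])):
        findings.append("overlap: protected networks overlap")
    for site in (a, b):
        used = set(site["transforms"].split())
        for name in sorted(used & set(WEAK)):
            findings.append(f"weak: {name} ({WEAK[name]})")
        if not used & INTEGRITY:
            findings.append("weak: no integrity transform in set")
    return sorted(set(findings))


if __name__ == "__main__":
    print(crypto_acl(SITE1, SITE2))   # ACL for Site 1
    print(crypto_acl(SITE2, SITE1))   # mirrored ACL for Site 2
    print("\n".join(audit(SITE1, SITE2)))
```

On the scenario values the two worksheets are consistent with each other, and the audit reports only that esp-des is weak and that the set carries no integrity transform.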

