Step 1-4 Check the Current Configuration
It’s important to check the current Cisco router
configuration to see if any existing IPSec policies are configured that could be
useful for, or interfere with, the new IPSec policies. If appropriate,
previously configured IKE and IPSec policies can be used to save configuration
time. This section looks at three commands useful in discovering existing IKE
and IPSec policies.
The show running-config Command
The basic show running-config command is always a good starting point. In the
following partial output, the IKE and IPSec configuration statements (shown in
boldface in the original) are the crypto isakmp, crypto ipsec transform-set and
crypto map lines, together with the crypto map statement applied to interface
Serial0 and the access list it matches.
Rtr2#show run
!
hostname Rtr2
!
enable secret 5 $1$ojfF$eAp7xa0hU4E678XaibAQa
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key test_key1 address 10.0.1.21
!
crypto ipsec transform-set trans1 esp-3des
crypto ipsec transform-set trans2 ah-md5-hmac esp-des
crypto ipsec transform-set trans3 esp-sha-hmac esp-null
!
crypto map test_map1 1 ipsec-isakmp
 set peer 10.0.1.21
 set security-association lifetime seconds 43200
 set transform-set trans1 trans2 trans3
 match address 101
!
interface Ethernet0
 ip address 192.168.130.1 255.255.255.0
 no mop enabled
!
interface Serial0
 ip address 10.0.50.2 255.255.255.252
 no ip mroute-cache
 no fair-queue
 crypto map test_map1
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.50.1
access-list 101 permit tcp 192.168.130.0 0.0.0.255 192.168.0.0 0.0.127.255
dialer-list 1 protocol ip permit
!
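Reading a running-config by eye works for a short example, but on a router that already carries several policies it is easy to miss a map bound to an interface or a transform set that no longer encrypts. The following Python script is an added example, not code from the original text or from Cisco: it parses the crypto-related lines of a show running-config dump into IKE policies, pre-shared-key peers, transform sets, crypto maps and interface bindings, then reports what a reviewer checks before adding new IPSec policy: legacy transforms, policies that fall back to the default protection suite (DES and 768-bit group 1 in the show crypto isakmp policy output later in this section), and references to transform sets or access lists that do not exist. The sample config, the weak-transform list and the regular expressions are the example's own assumptions; IOS itself has no such audit command.

```python
"""Added example (not from the page): audit the IKE/IPSec statements in a Cisco IOS running-config."""
import re

# Constructed sample input, modelled on the Rtr2 output in the text.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key test_key1 address 10.0.1.21
crypto ipsec transform-set trans1 esp-3des
crypto ipsec transform-set trans2 ah-md5-hmac esp-des
crypto ipsec transform-set trans3 esp-sha-hmac esp-null
crypto map test_map1 1 ipsec-isakmp
 set peer 10.0.1.21
 set security-association lifetime seconds 43200
 set transform-set trans1 trans2 trans3
 match address 101
interface Serial0
 crypto map test_map1
!
access-list 101 permit tcp 192.168.130.0 0.0.0.255 192.168.0.0 0.0.127.255
"""

# Transforms that give integrity only; any other esp-* transform encrypts.
AUTH_ONLY = {"esp-null", "esp-md5-hmac", "esp-sha-hmac", "ah-md5-hmac", "ah-sha-hmac"}
WEAK = {"esp-des", "esp-md5-hmac", "ah-md5-hmac", "esp-null"}  # assumed legacy list
# Block openers whose indented sub-commands are collected under their key.
BLOCKS = [("isakmp_policies", re.compile(r"crypto isakmp policy (\d+)$")),
          ("crypto_maps", re.compile(r"crypto map (\S+ \d+) ipsec-isakmp$")),
          ("interfaces", re.compile(r"interface (\S+)$"))]

def parse_crypto_config(text):
    """Group the crypto-related statements of an IOS config by section."""
    cfg = {"isakmp_policies": {}, "crypto_maps": {}, "interfaces": {},
           "transform_sets": {}, "psk_peers": set(), "access_lists": set()}
    block = None  # (section, key) whose indented sub-commands are being read
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):  # indented sub-command of the open block
            if block:
                cfg[block[0]][block[1]].append(line.strip())
            continue
        block = None
        if m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            cfg["psk_peers"].add(m.group(1))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["transform_sets"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"access-list (\d+) ", line):
            cfg["access_lists"].add(m.group(1))
        else:
            for section, pat in BLOCKS:
                if m := pat.match(line):
                    cfg[section][m.group(1)] = []
                    block = (section, m.group(1))
                    break
    return cfg

def audit(cfg):
    """Return (severity, message) findings a reviewer would want to see."""
    out = []
    for num, sub in cfg["isakmp_policies"].items():
        if "hash md5" in sub:
            out.append(("warn", f"isakmp policy {num}: MD5 hash"))
        if not any(s.startswith("encryption ") for s in sub):
            out.append(("warn", f"isakmp policy {num}: no encryption set, default suite here is DES"))
        if not any(s.startswith("group ") for s in sub):
            out.append(("warn", f"isakmp policy {num}: no DH group set, default suite here is group 1"))
    for name, algs in cfg["transform_sets"].items():
        if weak := sorted(a for a in algs if a in WEAK):
            out.append(("warn", f"transform-set {name}: {', '.join(weak)}"))
        if not any(a.startswith("esp-") and a not in AUTH_ONLY for a in algs):
            out.append(("warn", f"transform-set {name}: no encryption transform"))
    pre_share = any("authentication pre-share" in sub for sub in cfg["isakmp_policies"].values())
    map_names = {k.split()[0] for k in cfg["crypto_maps"]}
    for key, sub in cfg["crypto_maps"].items():
        for w in (s.split() for s in sub):
            if w[:2] == ["set", "transform-set"]:
                out += [("error", f"crypto map {key}: undefined transform-set {t}")
                        for t in w[2:] if t not in cfg["transform_sets"]]
            elif w[:2] == ["set", "peer"] and pre_share and w[2] not in cfg["psk_peers"]:
                out.append(("warn", f"crypto map {key}: no pre-shared key for peer {w[2]}"))
            elif w[:2] == ["match", "address"] and w[2] not in cfg["access_lists"]:
                out.append(("error", f"crypto map {key}: undefined access-list {w[2]}"))
    for intf, name in interface_bindings(cfg).items():
        if name not in map_names:
            out.append(("error", f"{intf}: undefined crypto map {name}"))
    return out

def interface_bindings(cfg):
    # Map each interface to the crypto map applied on it, if any.
    return {intf: s.split()[2] for intf, sub in cfg["interfaces"].items()
            for s in sub if s.startswith("crypto map ")}

if __name__ == "__main__":
    for sev, msg in audit(parse_crypto_config(SAMPLE_CONFIG)):
        print(f"[{sev}] {msg}")
```

Run against the sample, the audit reports that policy 1 uses MD5 and inherits DES and group 1 from the default suite, that trans2 carries DES and MD5 transforms, and that trans3 (esp-sha-hmac with esp-null) authenticates but does not encrypt; the dangling-reference checks fire only when a map names a transform set or access list that the config does not define. Paste the real show running-config output in place of SAMPLE_CONFIG to audit a live router.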
The show crypto isakmp policy Command
The following is an example of the output from the show crypto isakmp policy
command, which can be used to view all existing IKE policies. Notice that the
default parameters are displayed at the bottom of the output.
Rtr1#show crypto isakmp policy
Protection suite of priority 100
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               43200 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Rtr1#
The show crypto map Command
The show crypto map command is useful for
displaying any previously configured crypto maps. If possible, these can be used
to save configuration time, but they can interfere with the new IPSec
policy.
Rtr1#show crypto map
Crypto Map "testmap" 50 ipsec-isakmp
        Description: VPN Link to branch office in Tacoma, WA
        Peer = 10.0.50.2
        Extended IP access list 125
            access-list 125 permit tcp 192.168.0.0 0.0.127.255 192.168.130.0 0.0.0.255
        Current peer: 10.0.50.2
        Security association lifetime: 2300000 kilobytes/1800 seconds
        PFS (Y/N): Y
        DH group:  group2
        Transform sets={ CPU-HOG, }
        Interfaces using crypto map testmap:
                Serial0
Rtr1#
The show crypto ipsec transform-set Command
The show crypto ipsec transform-set command can be used to view previously
configured transform sets. Whenever possible, these transforms can, and should,
be used to save configuration time.
Rtr1#show crypto ipsec transform-set
Transform set MD5-DES: { esp-des esp-md5-hmac }
   will negotiate = { Tunnel, },
Transform set DES-ONLY: { esp-des }
   will negotiate = { Tunnel, },
Transform set CPU-HOG: { ah-md5-hmac }
   will negotiate = { Tunnel, },
   { esp-des esp-md5-hmac }
   will negotiate = { Tunnel, },
Transform set AH-ONLY: { ah-sha-hmac }
   will negotiate = { Tunnel, },
Rtr1#