Step 2-2 Create IKE Policies
Now, it’s time to define a suite of ISAKMP (IKE) policy
details gathered during the planning task, Task 1, Step 2 (repeated in the
following with defaults in italics). The goal is to create a suite of IKE
policies, so you can establish IKE peering between two IPSec endpoints.
Using the scenario example, Rtr2 only needing to connect to Rtr1,
might be configured with only the preferred (most secure) set of parameters
because that set will also be on Rtr1. On the other hand, Rtr1, needing to peer
with various devices both domestically and internationally, might need multiple
policies to accommodate the different peers. The trick is to configure the
policies, so the preferred policy is evaluated by the peer first, and then the
second and third choices. This ensures the agreed policy is always the highest
mutually agreeable choice.
The crypto isakmp policy Command
Use the global crypto isakmp policy
command to define an IKE policy containing a set of parameters used during IKE
negotiation. Use the no form of this command to delete an IKE policy. The
command syntax and an example follow.
Rtr1(config)#[no] crypto isakmp policy priority
Rtr1(config)#crypto
isakmp policy 100 Rtr1(config-isakmp)#
This command invokes the ISAKMP policy configuration
(config-isakmp) mode, which allows the six IKE parameters to be defined. The no
form of each parameter removes that setting. Exit is used to end the session and
any undefined parameters use the default values. The actual choices ware based
on the table made in Task 1, Step 2. The following shows the syntax for each
parameter, followed by the entries for the preferred policy.
Rtr1#conf t
Rtr1(config)#crypto isakmp policy 100
Rtr1(config-isakmp)#authentication {pre-share | rsa-encr | rsa-sig}
Rtr1(config-isakmp)#encryption {des | 3des} (depending on feature set)
Rtr1(config-isakmp)#hash {md5 | sha}
Rtr1(config-isakmp)#group {1 | 2}
Rtr1(config-isakmp)#lifetime <60 to 86400 seconds>
Rtr1(config)#crypto isakmp policy 100
Rtr1(config-isakmp)#authentication pre-share
Rtr1(config-isakmp)#encryption 3des
Rtr1(config-isakmp)#hash sha
Rtr1(config-isakmp)#group 2
Rtr1(config-isakmp)#lifetime 43200
Rtr1(config-isakmp)#exit
Because the preferred policy was assigned 100 as a priority, the
second and third choices must be progressively larger to control the order in
which they’re offered to a peer. A possible choice might be 200 and 300,
respectively, enabling newer policies to be assigned priorities that would allow
them to be prioritized according to changes in the company security policy.
Using 1, 2, and 3 might initially be easy to understand, but it could force
reconfiguring the devices if a new feature like AES encryption is
implemented.
The following shows the steps to configure the second and third
preference, taking advantage of default values to save configuration:
Rtr1#conf t
Rtr1(config)#crypto isakmp policy 200
Rtr1(config-isakmp)#authentication pre-share
Rtr1(config-isakmp)#group 2
Rtr1(config-isakmp)#lifetime 43200
Rtr1(config-isakmp)#crypto isakmp policy 300
Rtr1(config-isakmp)#authentication pre-share
Rtr1(config-isakmp)#hash md5
Rtr1(config-isakmp)#exit
Branch Office Configuration Implications
Assuming the chapter scenario, if each branch will only be
connecting VPNs to the main office, configuring only one of the IKE policies for
each branch should be necessary. Assuming the domestic branches can all support
3DES, policy 100 would seem appropriate. For any foreign branches that can’t use
3DES because of export restrictions, then policy 200 seems the likely candidate.
If any branch initiates a session with the main office, both peers would have
the same policy. The same is true for a session initiated by the main office to
any branch; even the foreign branches could accept the second policy
offered.
This whole discussion is based on using a single IKE policy
between peers for any encrypted traffic. If the security policy called for 3DES
for only certain types of traffic and DES for others, then configuring a second
policy on the remote peers would be necessary.
The show crypto isakmp policy Command
Use the show crypto isakmp policy command
to verify the entries, display the default policy, and confirm that the
nonconfigured parameters took on the default values.
Rtr1#show crypto isakmp policy
Protection suite of priority 100
encryption algorithm: 3DES - Triple DES (168 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 43200 seconds, no volume limit
Protection suite of priority 200
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 43200 seconds, no volume limit
Protection suite of priority 300
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Rtr1#
|
Note |
Although the output shows “no volume limit” for the
lifetimes, currently it is only possible to configure a time IKE lifetime (such
as 86,400 seconds); volume limit lifetimes aren’t used. |
Sections
Comments (0 posted)
Syndication
