Task 1: Prepare to configure VPN support.
Task 2: Configure IKE parameters.
Task 3: Configure IPSec parameters.
Task 4: Test and verify VPN configuration.
Task 1: Prepare for IKE and IPSec
Step 1: Determine the IKE (IKE Phase 1) policy.
Step 2: Determine the IPSec (IKE Phase 2) policy.
Step 3: Ensure that the network works without encryption.
Step 4: (Optional) Implicitly permit IPSec packets to bypass security appliance ACLs and access groups.
Determine IKE Phase 1 Policy
Determine IPSec (IKE Phase 2) Policy
Task 2: Configure IKE
Step 1: Enable or disable IKE.
Step 2: Configure IKE Phase 1 policy.
Step 3: Configure a tunnel group.
Step 4: Configure the tunnel group attributes pre-shared key.
Step 5: Verify IKE Phase 1 policy.
Enable or Disable IKE
Configure IKE Phase 1 Policy
Configure a Tunnel Group
Configure Tunnel Group Attributes Pre-Shared Key
Verify IKE Phase 1 Policy
Task 3: Configure IPSec
Step 1: Configure interesting traffic: NAT 0 and ACL.
– access-list 101 permit
– nat 0
Step 2: Configure IPSec transform set suites.
– crypto ipsec transform-set
Step 3: Configure the crypto map.
– crypto map
Step 4: Apply the crypto map.
– crypto map map-name interface interface-name
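A consistency check for the four Task 3 steps, as an added example that is not part of the original slides: the Python below parses a configuration and reports any crypto map entry whose ACL, nat 0 rule, transform set, peer, or interface binding is missing. The sample configuration, its addresses, and the names TS1 and MYMAP are constructed, and PIX/ASA 7.x command syntax is assumed.

```python
import re

# Constructed sample in PIX/ASA 7.x command style (an assumption); the
# addresses and the names TS1 and MYMAP are illustrative, not from the page.
SAMPLE = """\
access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.6.0 255.255.255.0
nat (inside) 0 access-list 101
crypto ipsec transform-set TS1 esp-aes-256 esp-sha-hmac
crypto map MYMAP 10 match address 101
crypto map MYMAP 10 set peer 192.168.6.2
crypto map MYMAP 10 set transform-set TS1
crypto map MYMAP interface outside
"""

def _names(lines, pattern):
    """Collect group 1 of every line that matches pattern."""
    return {m.group(1) for m in (re.match(pattern, l) for l in lines) if m}

def audit_ipsec(config):
    """Return findings for the four Task 3 steps; an empty list means consistent."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    acls = _names(lines, r"access-list (\S+) .*\bpermit\b")
    nat0 = _names(lines, r"nat \(\S+\) 0 access-list (\S+)")
    tsets = _names(lines, r"crypto ipsec transform-set (\S+) ")
    applied = _names(lines, r"crypto map (\S+) interface \S+")
    entries = {}  # (map name, sequence) -> {sub-command: [values]}
    for l in lines:
        m = re.match(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (.+)", l)
        if m:
            entries.setdefault((m.group(1), int(m.group(2))), {})[m.group(3)] = m.group(4).split()
    findings = []
    for (name, seq), e in sorted(entries.items()):
        tag = f"crypto map {name} {seq}"
        acl = (e.get("match address") or [None])[0]
        if acl is None:
            findings.append(f"{tag}: no match address (Step 3)")
        elif acl not in acls:
            findings.append(f"{tag}: ACL {acl} is not defined (Step 1)")
        elif acl not in nat0:  # assumes the crypto ACL doubles as the nat 0 ACL, as in Step 1
            findings.append(f"{tag}: ACL {acl} has no nat 0 rule (Step 1)")
        if "set peer" not in e:
            findings.append(f"{tag}: no peer set (Step 3)")
        for ts in e.get("set transform-set", ["<none>"]):
            if ts not in tsets:
                findings.append(f"{tag}: transform set {ts} is not defined (Step 2)")
        if name not in applied:
            findings.append(f"{tag}: map is not applied to an interface (Step 4)")
    return findings
```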
Configure Interesting Traffic
Example: Crypto ACLs
Configure Interesting Traffic: NAT 0
Configure an IPSec Transform Set
Available IPSec Transforms
Configure the Crypto Map
Apply the Crypto Map to an Interface
Example: Crypto Map for Security Appliance 1
Example: Crypto Map for Security Appliance 6
Task 4: Test and Verify VPN Configuration
Verify ACLs and interesting traffic.
– show run access-list
Verify correct IKE configuration.
– show run isakmp
– show run tunnel-group
Verify correct IPSec configuration.
– show run ipsec
Verify correct crypto map configuration.
– show run crypto map
Clear IPSec SA.
– clear crypto ipsec sa
Clear IKE SA.
– clear crypto isakmp sa
Debug IKE and IPSec traffic through the security appliance.
– debug crypto ipsec
– debug crypto isakmp