
IPsec ISAKMP Policy and Crypto map config

13 years 7 months ago #36729 by skylimit
Hi Guys,

I'm hoping someone could clarify this for me

I believe it is possible to have different crypto isakmp policies for different connections based on needs, different security parameters supported different devices, etc.

My question is how is a specific policy applied to a specific peer? The sample config below should make my question a bit clearer, I hope.

!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
!

crypto isakmp policy 2
encr aes 256
authentication pre-share
lifetime 28800
!
!

The first policy clearly uses a different security parameter from the second one, thus if I needed to set up an IPsec connection using the first policy, how would I apply/refer to it in the crypto map, if this makes sense? Would it be something like:


!
!
crypto map TestMap 1 ipsec-isakmp --
set peer 1.1.1.1
set transform-set setname
match address 101
!
!

Does this use the first policy 1 above?


crypto map TestMap 2 ipsec-isakmp --
set peer 2.2.2.2
set transform-set setname
match address 101
!
!
Does this use policy 2 above?



Also, how can you check what one is being used? Which show crypto commands?
Any contributions will be much appreciated.

Thanks,
Skylimit

"...you are never too old to learn" anon
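As an added illustration (not from the thread, and not Cisco code): on IOS the ISAKMP policy is never referenced from the crypto map; in phase 1 the responder walks its own policies in priority order and takes the first one that matches what the initiator proposed, so each peer gets whichever policy both sides can agree on. The model below parses the two policies from the question (IOS defaults filled in where the config leaves a value unset) and runs constructed proposals from peers 1.1.1.1, 2.2.2.2 and a third, hypothetical 3.3.3.3 through that selection rule.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class IsakmpPolicy:          # one 'crypto isakmp policy N' entry; classic IOS defaults
    priority: int
    encr: str = "des"
    hash_alg: str = "sha"
    auth: str = "rsa-sig"
    group: int = 1
    lifetime: int = 86400

def parse_policies(config: str) -> list[IsakmpPolicy]:
    """Parse the policy blocks of an IOS config excerpt, lowest priority number first."""
    policies, cur = [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("crypto isakmp policy"):
            cur = {"priority": int(line.split()[-1])}
            policies.append(cur)
        elif not line or line.startswith("!"):
            cur = None                                   # '!' closes the block
        elif cur is not None:
            key, *args = line.split()
            field = {"hash": "hash_alg", "authentication": "auth"}.get(key, key)
            if field in ("encr", "hash_alg", "auth", "group", "lifetime"):   # "encr aes 256" -> "aes-256"
                cur[field] = int(args[0]) if field in ("group", "lifetime") else "-".join(args)
    return sorted((IsakmpPolicy(**p) for p in policies), key=lambda p: p.priority)

def select_policy(local, proposals):
    """Responder side of IKEv1 phase 1: walk our policies by priority and return the
    first one that any initiator proposal matches (same encr/hash/auth/group, proposed
    lifetime <= ours). The peer's address plays no part: policies are not bound to peers."""
    for mine in local:
        for theirs in proposals:
            if ((mine.encr, mine.hash_alg, mine.auth, mine.group)
                    == (theirs.encr, theirs.hash_alg, theirs.auth, theirs.group)
                    and theirs.lifetime <= mine.lifetime):
                return mine
    return None

CONFIG = ("crypto isakmp policy 1\n encr 3des\n authentication pre-share\n group 2\n!\n"   # the question's
          "crypto isakmp policy 2\n encr aes 256\n authentication pre-share\n lifetime 28800\n!\n")  # two policies
POLICIES = parse_policies(CONFIG)

# Constructed proposals: the two peers from the question, plus hypothetical 3.3.3.3, which
# offers aes-256 with group 2 while policy 2 above left the DH group at its default of 1.
PROPOSALS = {"1.1.1.1": IsakmpPolicy(10, "3des", "sha", "pre-share", 2),
             "2.2.2.2": IsakmpPolicy(10, "aes-256", "sha", "pre-share", 1, 28800),
             "3.3.3.3": IsakmpPolicy(10, "aes-256", "sha", "pre-share", 2)}

def negotiate(peers=PROPOSALS) -> dict:      # peer -> local policy number it gets, or None
    return {ip: getattr(select_policy(POLICIES, [prop]), "priority", None) for ip, prop in peers.items()}
```

On the router itself, `show crypto isakmp policy` prints each configured policy with the defaults filled in (the way the parser fills them here), and `show crypto isakmp sa` shows which peers currently hold a phase 1 SA.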
13 years 7 months ago #36753 by rizin
Hi,

There is something called Phase 1 and Phase 2 in VPN connections. I will write down a few methods which are normally followed; however, they may or may not vary with other individual devices.

Phase 1.

1. Specify Local VPN Gateway and Remote VPN Gateway.

2. Main mode or Aggressive mode
A) In Main mode, peers exchange identities with encryption.
B) Aggressive mode exchanges identities without encryption but is faster.

3. Specify Nat-Traversal.
A) Specify whether peers need to use IKE keep-alive; this ensures that if the VPN gateway's interface is not responding, it will fail over to the second interface. This applies when the ISP goes down and your secondary interface is backed up.

4. Transform set.
A) Here choose encryption, authentication and how long the security association (SA) lasts.
B) For authentication use SHA-1 or MD5. SHA-1 is the strongest authentication.
C) Specify the Diffie-Hellman key group.

Phase 2.

Using Quick Mode, establish the IPsec SA.
1. Specify the IP address, network address or IP address range which accesses your internal network, either from home or office, to access resources behind the VPN gateway.

2. Choose to use PFS (Perfect forward secrecy)
3. Select ESP or AH; you use a Diffie-Hellman key group here as well.
4. Specify a value for when the key expires.

For your encryption you can select DES, 3DES or AES with 128, 192 or 256 bit key strength. AES is the strongest protocol.

Regards,

Rizin

Known is a drop, unknown is an Ocean