Cisco Systems SM-ISM, SA-ISA manual Configuring IKE, Identify the policy to create, and enter

Chapter 4 Configuring the ISA and ISM

Configuring IKE

Use the ppp encrypt mppe {auto | 40 | 128} [passive | required] [stateful] command in interface configuration mode to enable MPPE on the virtual template.

Configuring IKE

IKE is enabled by default. IKE does not have to be enabled for individual interfaces but is enabled globally for all interfaces at the router. You must create IKE policies at each peer. An IKE policy defines a combination of security parameters to be used during the IKE negotiation.

You can create multiple IKE policies, each with a different combination of parameter values. If you do not configure any IKE policies, the router uses the default policy, which is always set to the lowest priority, and which contains each parameter’s default value.

For each policy that you create, you assign a unique priority (1 through 10,000, with 1 being the highest priority). You can configure multiple policies on each peer—but at least one of these policies must contain exactly the same encryption, hash, authentication, and Diffie-Hellman parameter values as one of the policies on the remote peer.

If you do not specify a value for a parameter, the default value is assigned. For information on default values, refer to the “IP Security and Encryption” chapter of the Security Command Reference publication.

Note: The default policy and the default values for configured policies do not show up in the configuration when you issue a show running-config EXEC command. Instead, to see the default policy and any default values within configured policies, use the show crypto isakmp policy EXEC command.

To configure a policy, use the following commands, starting in global configuration mode:

Step  Command                        Purpose
1.    crypto isakmp policy priority  Identify the policy to create, and enter config-isakmp command mode.
2.    encryption {des | 3des}        Specify the encryption algorithm.
3.    group {1 | 2}                  Specify the Diffie-Hellman group identifier.
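The matching rule and default handling described in this section, as an added Python example (not from the Cisco manual): it parses crypto isakmp policy blocks from two peers' configurations, fills in unset parameters, and reports the first pair of policies whose encryption, hash, authentication and Diffie-Hellman group agree. The default values, the hash and authentication sub-commands, the default policy modelled as priority 10001, the local-first search order and the sample configurations are assumptions of this example.

```python
import re

# Assumed classic Cisco IOS defaults; the page defers to the Command Reference.
DEFAULTS = {"encryption": "des", "hash": "sha",
            "authentication": "rsa-sig", "group": "1"}
MATCH_KEYS = tuple(DEFAULTS)
DEFAULT_PRIORITY = 10001  # hypothetical marker: the default policy sorts last

def parse_policies(config):
    """Return {priority: params} with unset parameters filled from DEFAULTS."""
    policies, current = {DEFAULT_PRIORITY: dict(DEFAULTS)}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        key, _, value = line.partition(" ")
        if header:
            priority = int(header.group(1))
            if not 1 <= priority <= 10000:
                raise ValueError(f"priority {priority} is outside 1-10000")
            current = policies.setdefault(priority, dict(DEFAULTS))
        elif current is not None and key in MATCH_KEYS:
            current[key] = value.strip()
        elif line and not raw[0].isspace():
            current = None  # an unindented line ends the policy block
    return policies

def first_common_policy(local_cfg, remote_cfg):
    """Return the first (local, remote) priority pair whose encryption, hash,
    authentication and group all agree. A result of (DEFAULT_PRIORITY,
    DEFAULT_PRIORITY) means only the two default policies match."""
    local, remote = parse_policies(local_cfg), parse_policies(remote_cfg)
    return next((lp, rp) for lp in sorted(local) for rp in sorted(remote)
                if all(local[lp][k] == remote[rp][k] for k in MATCH_KEYS))

# Constructed sample configurations (not taken from the manual).
ROUTER_A = """crypto isakmp policy 10
 encryption 3des
 group 2
crypto isakmp policy 20
 authentication pre-share"""
ROUTER_B = """crypto isakmp policy 5
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp policy 15
 group 2
 encryption 3des"""

if __name__ == "__main__":
    print(first_common_policy(ROUTER_A, ROUTER_B))  # (10, 15)
```

Policy 10 on router A matches policy 15 on router B only because both leave hash and authentication at their defaults, which show running-config does not display.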

 

 

 

For detailed information on creating IKE policies, refer to the “Configuring Internet Key Exchange Security Protocol” chapter in the Security Configuration Guide publication. This chapter contains information on the following topics:

Why Do You Need to Create These Policies?

What Parameters Do You Define in a Policy?

How Do IKE Peers Agree upon a Matching Policy?

Which Value Should You Select for Each Parameter?

Creating Policies

Additional Configuration Required for IKE Policies

Integrated Services Adapter and Integrated Services Module Installation and Configuration

 

OL-3575-01 B0
