Cisco Systems 520 series Configure the IKE Policy

6-3

Cisco Secure Router 520 Series Software Configuration Guide

OL-14210-01

Chapter 6 Configuring a VPN Using Easy VPN and an IPsec Tunnel

Configure the IKE Policy

Note The procedures in this chapter assume that you have already configured basic router features as well as

PPPoE or PPPoA with NAT, DCHP and VLANs. If you have not performed these configurations tasks,

see Chapter 1, “Basic Router Configuration,” Chapter 3, “Configuring PPP over Ethernet with NAT,”

Chapter 4, “Configuring PPP over ATM with NAT,” and Chapter 5, “Configuring a LAN with DHCP and

VLANs” as appropriate for your router.

Note The examples shown in this chapter refer only to the endpoint configuration on the

Cisco Secure Router 520 Series router. Any VPN connection requires both endpoints be configured

properly to function. See the software configuration documentation as needed to configure VPN for

other router models.

Configure the IKE Policy

Perform these steps to configure the Internet Key Exchange (IKE) policy, beginning in global

configuration mode:

Command or Action Purpose

Step 1 crypto isakmp policy priority

Example:

Router(config)# crypto isakmp policy 1

Router(config-isakmp)#

Creates an IKE policy that is used during IKE

negotiation. The priority is a number from 1 to

10000, with 1 being the highest.

Also enters the Internet Security Association Key

and Management Protocol (ISAKMP) policy

configuration mode.

Step 2 encryption {des | 3des | aes | aes 192 | aes 256}

Example:

Router(config-isakmp)# encryption 3des

Router(config-isakmp)#

Specifies the encryption algorithm used in the IKE

policy.

The example specifies 168-bit data encryption

standard (DES).

Step 3 hash {md5 | sha}

Example:

Router(config-isakmp)# hash md5

Router(config-isakmp)#

Specifies the hash algorithm used in the IKE

policy.

The example specifies the Message Digest 5

(MD5) algorithm. The default is Secure Hash

standard (SHA-1).

Step 4 authentication {rsa-sig | rsa-encr | pre-share}

Example:

Router(config-isakmp)# authentication

pre-share

Router(config-isakmp)#

Specifies the authentication method used in the

IKE policy.

The example specifies a pre-shared key.

Contents

Main Page CONTENTS Page Page Page Page Page Preface Objective Audience Organization Conventions xii xiii xiv Page Related Documentation Obtaining Documentation and Submitting a Service Request Page Page Page Basic Router Configuration Viewing the Default Configuration Information Needed for Customizing the Default Parameters Interface Port Labels Configuring Basic Parameters Configure Global Parameters Configure Fast Ethernet LAN Interfaces Configure WAN Interfaces Configure the Fast Ethernet WAN Interface Configure the ATM WAN Interface Configure the Wireless Interface Configuring a Loopback Interface Verifying Your Configuration Configuring Command-Line Access to the Router Page Configuring Static Routes Configuration Example Configuring Dynamic Routes Configuring RIP Verifying Your Configuration Page Page Sample Network Deployments Page Configuring PPP over Ethernet with NAT Configure the Virtual Private Dialup Network Group Number Configure the Fast Ethernet WAN Interfaces Configure the Dialer Interface Configure Network Address Translation Page Page 3-8 command. 3-9 Page Configuring PPP over ATM with NAT Configure the Dialer Interface Page Page Configure the ATM WAN Interface Configure DSL Signaling Protocol Configuring ADSL Verify the Configuration Configure Network Address Translation Page Page 4-10 Configuring a LAN with DHCP and VLANs Configure DHCP Page 5-4 Configuration Example Verify Your DHCP Configuration Use the following commands to view your DHCP configuration. pools, bindings, and so forth. Configure VLANs Assign a Switch Port to a VLAN Verify Your VLAN Configuration 5-7 5-8 Configuring a VPN Using Easy VPN and an IPsec Tunnel Page Configure the IKE Policy Configure Group Policy Information Apply Mode Configuration to the Crypto Map Enable Policy Lookup Configure IPsec Transforms and Protocols Configure the IPsec Crypto Method and Parameters Apply the Crypto Map to the Physical Interface Create an Easy VPN Remote Configuration Verifying Your Easy VPN Configuration 6-11 Page Configuring VPNs Using an IPsec Tunnel and Generic Routing Encapsulation Configure a VPN Configure the IKE Policy Configure Group Policy Information Enable Policy Lookup Configure IPsec Transforms and Protocols Configure the IPsec Crypto Method and Parameters Apply the Crypto Map to the Physical Interface Configure a GRE Tunnel Page 7-10 7-11 Page Configuring a Simple Firewall 7 5 6 Configure Access Lists Configure Inspection Rules Apply Access Lists and Inspection Rules to Interfaces Page 8-6 Configuring a Wireless LAN Connection Configure the Root Radio Station Page Configure Bridging on VLANs Configure Radio Station Subinterfaces Page 9-7 9-8 Page Page Additional Configuration Options Page Configuring Security Features Authentication, Authorization, and Accounting Configuring AutoSecure Configuring Access Lists Access Groups Guidelines for Creating Access Groups Configuring a CBAC Firewall Configuring Cisco IOS Firewall IDS Configuring VPNs Troubleshooting Getting Started Before Contacting Cisco or Your Reseller ADSL Troubleshooting ATM Troubleshooting Commands ping atm interface Command 12-3 This command sends end-to-end OAM F5 packets, which are echoed back by the aggregator. show interface Command Example 12-2 Viewing Status of Selected Interfaces Page show atm interface Command debug atm Commands Guidelines for Using Debug Commands debug atm errors Command debug atm events Command debug atm packet Command Software Upgrade Methods Recovering a Lost Password Change the Configuration Register Reset the Router Reset the Password and Save Your Changes Reset the Configuration Register Value Page Page Page A Cisco IOS Software Basic Skills Configuring the Router from a PC Understanding Command Modes Page Getting Help Enable Secret Passwords and Enable Passwords Entering Global Configuration Mode Using Commands Abbreviating Commands Undoing Commands Command-Line Error Messages Saving Configuration Changes Summary Where to Go Next Page B Concepts ADSL Network Protocols IP Routing Protocol Options RIP PPP Authentication Protocols PAP CHAP TACACS+ Network Interfaces Ethernet ATM for DSL PVC NAT Easy IP (Phase 1) Easy IP (Phase 2) QoS IP Precedence PPP Fragmentation and Interleaving CBWFQ RSVP Low Latency Queuing Access Lists Page C ROM Monitor Entering the ROM Monitor ROM Monitor Commands Command Descriptions Disaster Recovery with TFTP Download TFTP Download Command Variables Required Variables Optional Variables Using the TFTP Download Command Configuration Register Changing the Configuration Register Manually Changing the Configuration Register Using Prompts Console Download Command Description Error Reporting Debug Commands Exiting the ROM Monitor Page D Common Port Assignments Page INDEX Symbols A B Page D E F G H I M N O P Q R S T U V W X