Chapter 4 Configuring the ISA and ISM
Configuring IPSec
Later, you will associate the crypto access lists to particular interfaces when you configure and apply crypto map sets to the interfaces (following instructions in the section “Creating Crypto Maps” section on page
Note IKE uses UDP port 500. The IPSec Encapsulation Security Protocol (ESP) and Authentication Header (AH) protocols use protocol numbers 50 and 51. Ensure that your interface access lists are configured so that protocol numbers 50, 51, and UDP port 500 traffic are not blocked at interfaces used by IPSec. In some cases you might need to add a statement to your access lists to explicitly permit this traffic.
To create crypto access lists, use the following commands in global configuration mode:
Step | Command | Purpose |
|
|
|
1. | Specify conditions to determine which IP | |
| permit} protocol source | packets are protected.1 (Enable or disable |
| destination | encryption for traffic that matches these |
| or | conditions.) |
|
| |
| ip | We recommend that you configure “mirror |
| image” crypto access lists for use by IPSec | |
|
| |
|
| and that you avoid using the any keyword. |
|
|
|
2. | Add permit and deny statements as |
|
| appropriate. |
|
|
|
|
3. | end | Exit the configuration command mode. |
|
|
|
1.You specify conditions using an IP access list designated by either a number or a name. The
For detailed information on configuring access lists, refer to the “Configuring IPSec Network Security” chapter in the Security Configuration Guide publication. This chapter contains information on the following topics:
•Crypto Access List Tips
•Defining Mirror Image Crypto Access Lists at Each IPSec Peer
•Using the any Keyword in Crypto Access Lists
Defining a Transform Set
A transform set represents a certain combination of security protocols and algorithms. During the IPSec security association negotiation, the peers agree to use a particular transform set for protecting a particular data flow.
You can specify multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec security association negotiation to protect the data flows specified by that crypto map entry’s access list.
During IPSec security association negotiations with IKE, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and is applied to the protected traffic as part of both peers’ IPSec security associations.
With manually established security associations, there is no negotiation with the peer, so both sides must specify the same transform set.
Integrated Services Adapter and Integrated Services Module Installation and Configuration
|
| ||
|
|
