3-12
Cisco uBR924 Software Configuration Guide
OL-0337-05 (8/2002)
Chapter 3 Advanced Data-Only Configurations
IPSec (56-bit) Example
The configuration of the Cisco uBR924 router for IPSec encryption depends on the application involved,
such as whether the IPSec encryption is part of a virtual private network (VPN) and whether the
Cisco uBR924 router should encrypt traffic to one peer end-point or to more than one. A technique that
works well for a small network might not scale well for a large one. For example, pre-shared
authentication keys work for networks of up to 10 or so nodes, but larger networks should
use RSA public key signatures and digital certificates.
Note For more information about IPSec, as well as related topics such as Internet Key Exchange (IKE),
Internet Security Association Key Management Protocol/Oakley variation (ISAKMP/Oakley), and
digital certificates, see the “Additional Documentation” section on page 3-15.
The following shows the commands needed to configure the Cisco uBR924 router for IPSec encryption
with one peer router, using pre-shared keys.
Command / Purpose
Step 1  uBR924(config)# crypto isakmp enable
        Enables the use of ISAKMP/IKE on the Cisco uBR924 router.
Step 2  uBR924(config)# crypto isakmp policy priority-number
        Creates an IKE policy with the specified priority-number (1 to 10000, where 1 is the highest
        priority) and enters ISAKMP policy configuration command mode.
Step 3  uBR924(config-isakmp)# encryption des
        Specifies that 56-bit DES encryption be used to encrypt the data.
Step 4  uBR924(config-isakmp)# hash md5
        Specifies the MD5 (HMAC variant) hash algorithm for packet authentication.
Step 5  uBR924(config-isakmp)# group 1
        Specifies the 768-bit Diffie-Hellman group for key negotiation.
Step 6  uBR924(config-isakmp)# authentication pre-share
        Specifies that the authentication keys are pre-shared, as opposed to dynamically negotiated
        using RSA public key signatures.
Step 7  uBR924(config-isakmp)# lifetime seconds
        Defines how long each security association should exist before expiring (60 seconds to
        86,400 seconds).
Step 8  uBR924(config-isakmp)# exit
        Exits ISAKMP policy configuration command mode.
Step 9  uBR924(config)# crypto isakmp key shared-key address ip-address
        Specifies the pre-shared key that should be used with the peer at the specified IP address.
        The key can be any arbitrary alphanumeric string up to 128 characters long; the key is
        case-sensitive and must be entered identically on both routers.
        Note You can also specify a pre-shared key using the crypto key public-chain dss command.
        See the description of this command in the Cisco Encryption Technology Commands
        document, available on CCO and the Documentation CD-ROM.
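The nine steps above, carried through with concrete values, as an added worked example that is not part of the original guide. The policy priority (10), lifetime (3600 seconds), pre-shared key (uBR924-peer-key), peer address (192.0.2.1), the two protected subnets (10.1.1.0/24 local, 10.2.2.0/24 remote), the access list number, the transform-set and crypto-map names, and the outside interface name (cable-modem 0) are all assumptions chosen for illustration. The guide's steps end with the IKE policy and the pre-shared key; the example goes one step further and adds the standard IOS commands (transform set, crypto map, access list, interface binding) that the IKE policy alone does not provide, since without them no traffic is actually protected. DES, MD5 and Diffie-Hellman group 1 are the settings this 2002 guide describes; they are no longer considered secure, and a current deployment would select AES, a SHA-2 hash and a larger DH group instead.

```ios
! --- Steps 1 through 9 of the guide with assumed values filled in ---
uBR924(config)# crypto isakmp enable
uBR924(config)# crypto isakmp policy 10
uBR924(config-isakmp)# encryption des
uBR924(config-isakmp)# hash md5
uBR924(config-isakmp)# group 1
uBR924(config-isakmp)# authentication pre-share
uBR924(config-isakmp)# lifetime 3600
uBR924(config-isakmp)# exit
! Key is case-sensitive and must be entered identically on the peer
! (the peer configures the same string against this router's address).
uBR924(config)# crypto isakmp key uBR924-peer-key address 192.0.2.1

! --- Beyond the guide's steps: standard IOS IPSec data-path commands ---
! Phase 2 transform set matching the 56-bit DES / MD5 choice of the IKE policy.
uBR924(config)# crypto ipsec transform-set DES-MD5 esp-des esp-md5-hmac
uBR924(cfg-crypto-trans)# exit
! Traffic to protect: local LAN to remote LAN (peer must mirror this ACL).
uBR924(config)# access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
! Crypto map tying peer, transform set and interesting traffic together.
uBR924(config)# crypto map TO-PEER 10 ipsec-isakmp
uBR924(config-crypto-map)# set peer 192.0.2.1
uBR924(config-crypto-map)# set transform-set DES-MD5
uBR924(config-crypto-map)# match address 101
uBR924(config-crypto-map)# exit
! Bind the crypto map to the outside (cable) interface; name assumed.
uBR924(config)# interface cable-modem 0
uBR924(config-if)# crypto map TO-PEER
uBR924(config-if)# end

! --- Verification after sending traffic between the two LANs ---
uBR924# show crypto isakmp sa
uBR924# show crypto ipsec sa
```

In the verification output, the IKE SA should show state QM_IDLE for 192.0.2.1 and the IPSec SA counters (pkts encaps/decaps) should increment; a mismatched pre-shared key or a non-mirrored access list on the peer is the usual reason the IKE SA never reaches QM_IDLE.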