SmartWare Software Configuration Guide

32 • VPN configuration

 

 

Creating an ISAKMP IPSEC policy profile

To define all the settings and profiles needed to establish an IPSEC security association, you need to create an ISAKMP IPSEC policy profile. In that profile you specify which of the ISAKMP and IPSEC transforms you created above should be used, together with the other necessary parameters. Later, using an ACL, you can specify which traffic should be handled by a specific ISAKMP IPSEC policy.

The following commands can be used to create and configure an ISAKMP IPSEC policy profile:

Mode: configure

Step 1
  Command: node(cfg)# profile ipsec-policy-isakmp <name>
  Purpose: Create the policy profile with the specified name and enter its configuration mode.

Step 2
  Command: node(pf-ipsik)[<name>]# authentication-method pre-shared-key <key>
  Purpose: Define the pre-shared key that should be used to authenticate the peers. The key can be a character string of any length.

Step 3
  Command: node(pf-ipsik)[<name>]# diffie-hellman-group {group1 | group2 | group5}
  Purpose: Define the Diffie-Hellman group to be used.
  Note: The higher the group number, the longer the key used in the Diffie-Hellman exchange and the longer the processing time needed to establish the shared secret. Group 5 in particular requires a considerable amount of processing time. You should not use this group in time-critical applications unless you know that the tunnel will always be established.

Step 4
  Command: node(pf-ipsik)[<name>]# use profile isakmp-transform <name>
  Purpose: Define one or more ISAKMP transform profiles to be used by this policy. If more than one is defined, IKE negotiates a transform set that is supported by both peers.

Step 5
  Command: node(pf-ipsik)[<name>]# use profile ipsec-transform <name>
  Purpose: Define one or more IPSEC transform profiles to be used by this policy. If more than one is defined, IKE negotiates a transform set that is supported by both peers.

Step 6
  Command: node(pf-ipsik)[<name>]# mode {transport | tunnel}
  Purpose: Define the IPSEC encapsulation mode to be used by this policy.

Step 7 (optional)
  Command: node(pf-ipsik)[<name>]# peer <ip or FQDN>
  Purpose: Optionally define the peer for which this policy should be used. Do not specify a peer if this policy shall be used for multiple peers in transport mode. The peer can be either an IP address or a fully qualified domain name.
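The seven steps above, run through as one complete CLI session for a single-peer tunnel-mode policy. This is an added example, not a configuration taken from the guide or from Patton: the profile name VPN-TO-BRANCH, the transform profile names ISAKMP-AES-SHA and IPSEC-AES-SHA (assumed to have been created earlier, as the guide describes), the placeholder pre-shared key and the documentation address 192.0.2.10 are all assumptions. Lines beginning with # are editorial annotations, not commands to type.

```text
# Step 1: create the policy profile and enter its configuration mode
node(cfg)# profile ipsec-policy-isakmp VPN-TO-BRANCH

# Step 2: authenticate the peers with a pre-shared key
# (REPLACE-WITH-LONG-RANDOM-KEY is a placeholder, not a real key)
node(pf-ipsik)[VPN-TO-BRANCH]# authentication-method pre-shared-key REPLACE-WITH-LONG-RANDOM-KEY

# Step 3: Diffie-Hellman group for the IKE exchange
# (group2 chosen over group5 as the trade-off between key length and
#  processing time described in the table above)
node(pf-ipsik)[VPN-TO-BRANCH]# diffie-hellman-group group2

# Step 4: ISAKMP transform profile(s) the policy may negotiate
# (ISAKMP-AES-SHA is an assumed name of a previously created transform)
node(pf-ipsik)[VPN-TO-BRANCH]# use profile isakmp-transform ISAKMP-AES-SHA

# Step 5: IPSEC transform profile(s) the policy may negotiate
# (IPSEC-AES-SHA is an assumed name of a previously created transform)
node(pf-ipsik)[VPN-TO-BRANCH]# use profile ipsec-transform IPSEC-AES-SHA

# Step 6: encapsulation mode; tunnel mode for a site-to-site policy
node(pf-ipsik)[VPN-TO-BRANCH]# mode tunnel

# Step 7 (optional): the single remote peer this policy applies to
# (192.0.2.10 is a documentation address used as a placeholder)
node(pf-ipsik)[VPN-TO-BRANCH]# peer 192.0.2.10
```

The peer is set here because the policy is meant for exactly one remote gateway in tunnel mode; for a transport-mode policy shared by several peers, step 7 is left out, as the table states. The pre-shared key is the only secret in this profile, so treat the resulting configuration file as sensitive when it is backed up or reviewed.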

 

 

 

Key management (IKE)
