Configure an IOS Router Site-to-Site VPN Using Digital Certificates
Task 1 – prepare for IKE and IPSec

Successful implementation of an IPSec network that uses digital certificates for authentication requires advance planning before the configuration of individual routers begins. In Task 1, define the IPSec security policy based on the overall company security policy. The planning steps follow.

Step 1 and Step 2 are covered in detail in this module. The other steps shown in Figure and listed below are presented for review purposes. These steps are the same for site-to-site VPN configurations using either pre-shared keys or digital certificates.

Step 1 Plan for CA support – Determine the CA server details. This includes variables such as the type of CA server to be used, the IP address, and the CA administrator contact information.
Step 2 Determine the ISAKMP (IKE phase one) policy – Determine the IKE policies between IPSec peers based on the number and location of the peers.
Step 3 Determine the IPSec (IKE phase two) policy – Identify IPSec peer details such as IP addresses and IPSec modes. Then configure crypto maps to gather all IPSec policy details together.
Step 4 Check the current configuration – Use the show run, show crypto isakmp policy, and show crypto map commands, as well as the many other show commands that are covered later in this module.
Step 5 Ensure the network works without encryption – Ensure that basic connectivity between the IPSec peers has been tested with the desired IP services before configuring IPSec. The ping command can be used to check basic connectivity.
Step 6 Ensure that access lists are compatible with IPSec – Ensure that perimeter routers and the IPSec peer router interfaces permit IPSec traffic. Use the show access-lists command to view the existing ACLs.
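As an added illustration of Step 6 (not part of the original module), the following extended ACL shows the entries a perimeter router's inbound filter must contain so that the IKE and IPSec traffic between two peers is not dropped. The peer addresses 192.0.2.1 (local) and 198.51.100.1 (remote), the ACL name VPN-INBOUND and the interface name are constructed placeholders; the UDP 4500 entry is only needed when a NAT device sits between the peers (NAT traversal).

```cisco
! Extended ACL applied inbound on the outside interface of the local peer.
! These entries must appear before any deny that would otherwise match
! the peer traffic; the implicit deny at the end drops everything else.
ip access-list extended VPN-INBOUND
 remark --- IKE (ISAKMP) negotiation, UDP port 500 ---
 permit udp host 198.51.100.1 host 192.0.2.1 eq isakmp
 remark --- IKE/ESP over UDP 4500 (only when NAT traversal is in use) ---
 permit udp host 198.51.100.1 host 192.0.2.1 eq non500-isakmp
 remark --- Encrypted tunnel traffic: ESP (IP protocol 50) and AH (51) ---
 permit esp host 198.51.100.1 host 192.0.2.1
 permit ahp host 198.51.100.1 host 192.0.2.1
 remark --- ICMP echo for the Step 5 connectivity check ---
 permit icmp host 198.51.100.1 host 192.0.2.1 echo
 permit icmp host 198.51.100.1 host 192.0.2.1 echo-reply
!
interface GigabitEthernet0/0
 description Outside interface facing the remote IPSec peer
 ip address 192.0.2.1 255.255.255.0
 ip access-group VPN-INBOUND in
!
! Verification (Step 4 / Step 6): confirm the entries and watch their hit counts
! increase during an IKE negotiation.
! show access-lists VPN-INBOUND
```

If the remote peer applies a symmetric ACL, the source and destination host addresses are swapped on that side; a missing esp or ahp entry typically shows up as IKE completing (Step 2) while the encrypted traffic itself is silently dropped.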