Successful implementation of an IPSec network using digital certificates for authentication requires advance planning before beginning configuration of individual routers. In task 1, define the IPSec security policy based on the overall company security policy. Some planning steps follow. Step 1 and Step 2 are covered in detail in this module. The other steps, shown in Figure and listed below, are presented for review purposes. These steps are the same for site-to-site VPN configurations using either pre-shared keys or digital certificates.
Step 1 Plan for CA support – Determine the CA server details. This includes variables such as the type of CA server to be used, the IP address, and the CA administrator contact information.

Step 2 Determine the ISAKMP (IKE phase one) policy – Determine the IKE policies between IPSec peers based on the number and location of the peers.

Step 3 Determine the IPSec (IKE phase two) policy – Identify IPSec peer details such as IP addresses and IPSec modes. Then configure crypto maps to gather all IPSec policy details together.

Step 4 Check the current configuration – Use the show run, show crypto isakmp policy, and show crypto map commands, as well as the many other show commands that are covered later in this module.

Step 5 Ensure the network works without encryption – Ensure that basic connectivity has been tested between IPSec peers using the desired IP services before configuring IPSec. The ping command can be used to check basic connectivity.

Step 6 Ensure that access lists are compatible with IPSec – Ensure that perimeter routers and the IPSec peer router interfaces permit IPSec traffic. Use the show access-lists command to view the existing ACLs.
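The following is an added example, not part of the original module text, showing what Step 4 through Step 6 look like on a perimeter router once the planning is done. The peer addresses 192.0.2.1 (local public interface) and 198.51.100.1 (remote peer) and the interface name Serial0/0 are constructed placeholders. The ACL permits exactly the protocols an IPSec tunnel needs between the two peers: ISAKMP (UDP 500) for IKE phase one and two, ESP (IP protocol 50) and AH (IP protocol 51) for the protected traffic itself. Any inbound ACL on the outside interface that lacks these lines blocks the tunnel from forming, which is the failure Step 6 is meant to catch.

```cisco
! --- Step 5: confirm plain connectivity to the peer before any crypto config ---
Router# ping 198.51.100.1

! --- Step 6: inbound ACL on the outside interface must permit IPSec traffic ---
! (addresses are constructed placeholders for this example)
Router# configure terminal
Router(config)# access-list 101 remark -- permit IKE (ISAKMP, UDP 500) between IPSec peers
Router(config)# access-list 101 permit udp host 198.51.100.1 host 192.0.2.1 eq isakmp
Router(config)# access-list 101 remark -- permit ESP (IP protocol 50) between IPSec peers
Router(config)# access-list 101 permit esp host 198.51.100.1 host 192.0.2.1
Router(config)# access-list 101 remark -- permit AH (IP protocol 51) between IPSec peers
Router(config)# access-list 101 permit ahp host 198.51.100.1 host 192.0.2.1
! Optional: only needed when a NAT device sits between the peers (NAT traversal, UDP 4500)
Router(config)# access-list 101 permit udp host 198.51.100.1 host 192.0.2.1 eq 4500
! ... other permits the perimeter policy requires go here; the ACL ends in an implicit deny ...
Router(config)# interface Serial0/0
Router(config-if)# ip access-group 101 in
Router(config-if)# end

! --- Step 4 / Step 6: review the current state ---
Router# show access-lists 101
Router# show crypto isakmp policy
Router# show crypto map
Router# show run | include access-list 101
```

Keep the peer-to-peer lines as narrow as the design allows (host-to-host, not any-to-any); an overly broad permit for ESP or ISAKMP on the perimeter defeats the point of the ACL. When `show crypto isakmp policy` shows the expected policy but the tunnel never negotiates, the inbound ACL on the outside interface is one of the first things to check.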