It is important to plan IPSec details in advance to minimize configuration errors. The IPSec security policy should be defined based on the overall company security policy. Some planning steps are as follows:
Step 1 – Determine IKE phase one policy. Determine the IKE policies between IPSec peers based on the number and location of the peers. Some planning steps include the following:
- Determine the key distribution method
- Determine the authentication method
- Identify IPSec peer IP addresses and host names
- Determine ISAKMP policies for peers
Step 2 – Determine IKE phase two policy. Identify IPSec peer details such as IP addresses, IPSec transform sets, and IPSec modes. Crypto maps will be used to gather all IPSec policy details together during the configuration phase.
Step 3 – Check the current configuration. Use the show running-configuration, show isakmp [policy], and show crypto map commands. Other show commands can be used to check the current configuration of the router. This is covered later in this module.
Step 4 – Ensure that the network works without encryption. This step should not be skipped. Ensure that basic connectivity has been achieved between IPSec peers using the desired IP services before configuring IPSec. Use the ping command to check basic connectivity.
Step 5 – Ensure that the ACLs on perimeter devices are compatible with IPSec. Ensure that perimeter routers and the IPSec peer router interfaces permit IPSec traffic. Use the show access-lists command for this step.
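The following Python script is an added example, not part of the course text or of any Cisco tool. It automates the check behind Step 5 (and ties it to the transform-set choice made in Step 2): given the output of show access-lists from a perimeter router, it reports which flows between two IPSec peers the ACL would block. The required flows (ISAKMP on UDP/500 and ESP always, AH only if the transform set uses it, UDP/4500 only if NAT traversal is in play) are general IPSec facts, not something the page states. The ACL text and peer addresses below are constructed sample data; the parser handles only IPv4 extended ACEs written with host, any, or network-plus-wildcard address specs and an optional eq port qualifier, and it ignores source-port qualifiers.

```python
import ipaddress
import re

# IOS port keyword the parser understands; 'isakmp' is the IOS alias for UDP/500.
PORT_NAMES = {"isakmp": 500}

# Matches a running-config ACE ("access-list 101 permit ..."), a show access-lists
# ACE (sequence number in front, "(N matches)" behind) or a named-ACL ACE.
ACE_RE = re.compile(r"^(?:access-list\s+\S+\s+)?(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(.*)$")


def required_flows(ah=False, nat_t=False):
    """Flows an IPSec peer pair needs (general IPSec facts, assumed here, not from the page):
    ISAKMP on UDP/500 and ESP (IP protocol 50) always; AH (IP protocol 51) only when
    the transform set uses AH; UDP/4500 only when NAT-T is used."""
    flows = [("udp", 500), ("esp", None)]
    if ah:
        flows.append(("ahp", None))
    if nat_t:
        flows.append(("udp", 4500))
    return flows


def _take_addr(tokens):
    """Consume one address spec; return (network, care_mask) as integers."""
    kw = tokens.pop(0)
    if kw == "any":
        return 0, 0
    if kw == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    net = int(ipaddress.IPv4Address(kw))
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))  # IOS wildcard: 1 bits are "don't care"
    return net, ~wildcard & 0xFFFFFFFF


def _take_port(tokens):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if len(tokens) >= 2 and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return int(name) if name.isdigit() else PORT_NAMES[name]
    return None


def parse_acl(text):
    """Parse ACE lines into dicts; header, remark and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        action, proto, rest = m.groups()
        tokens = rest.split()
        src = _take_addr(tokens)
        _take_port(tokens)  # source-port qualifier, not used for matching here
        dst = _take_addr(tokens)
        dst_port = _take_port(tokens)
        entries.append({"action": action, "proto": proto, "src": src,
                        "dst": dst, "dst_port": dst_port})
    return entries


def _addr_matches(spec, ip):
    net, mask = spec
    return (int(ipaddress.IPv4Address(ip)) & mask) == (net & mask)


def lookup(entries, proto, src, dst, dst_port=None):
    """Action of the first ACE matching the flow; an IOS ACL ends in an implicit deny."""
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if not (_addr_matches(e["src"], src) and _addr_matches(e["dst"], dst)):
            continue
        if e["dst_port"] is not None and e["dst_port"] != dst_port:
            continue
        return e["action"]
    return "deny"


def blocked_ipsec_flows(acl_text, peer_a, peer_b, ah=False, nat_t=False):
    """Return every (proto, port, src, dst) the ACL blocks between the peers, both directions."""
    entries = parse_acl(acl_text)
    blocked = []
    for src, dst in ((peer_a, peer_b), (peer_b, peer_a)):
        for proto, port in required_flows(ah, nat_t):
            if lookup(entries, proto, src, dst, port) != "permit":
                blocked.append((proto, port, src, dst))
    return blocked


# Constructed show access-lists output for a perimeter router; the peer
# addresses are documentation ranges, not real hosts.
SAMPLE_ACL = """\
Extended IP access list 101
    10 permit udp host 192.0.2.1 host 198.51.100.1 eq isakmp (8 matches)
    20 permit udp host 198.51.100.1 host 192.0.2.1 eq isakmp
    30 permit esp 192.0.2.0 0.0.0.255 host 198.51.100.1
    40 permit esp host 198.51.100.1 192.0.2.0 0.0.0.255
    50 deny ip any any (41 matches)
"""

if __name__ == "__main__":
    for ah in (False, True):
        print(f"AH in transform set: {ah}")
        for flow in blocked_ipsec_flows(SAMPLE_ACL, "192.0.2.1", "198.51.100.1", ah=ah):
            print("  blocked:", flow)
```

With the sample ACL the ESP-only case passes in both directions, while a transform set that includes AH is reported as blocked, because the ACL never permits IP protocol 51 and falls through to the final deny. Running the check in both directions matters: a perimeter ACL that permits the tunnel one way but not the other still lets phase one fail.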