Configure a PIX Security Appliance Site-to-Site VPN using Pre-shared Keys
Task 2 – Configure IKE parameters

Configuring IKE consists of the steps shown in Figure .

Step 1 – Enable or disable IKE
Enable or disable IKE, or ISAKMP, negotiation with the isakmp enable interface-name command in global configuration mode. This command is used to specify the PIX Security Appliance interface on which the IPSec peer will communicate. IKE is enabled by default for all PIX interfaces. Use the no isakmp enable interface-name command to disable IKE on an individual interface.
Step 2 – Configure IKE Phase 1 policy
Configure an IKE Phase 1 policy with the isakmp policy command to match expected IPSec peers, as shown in Figure , by completing the substeps shown in Figure .
NOTE: The PIX Security Appliance has preset default values. If a default value is entered for a given policy parameter, it will not be written in the configuration. If a value is not specified for a given policy parameter, the default value is assigned. The configured and default values can be viewed with the show isakmp policy command.

Step 3 – Configure a tunnel group
A tunnel group is a set of records that contain tunnel connection policies. A tunnel group can be configured to identify AAA servers, specify connection parameters, and define a default group policy. The PIX Security Appliance stores tunnel groups internally. There are two default tunnel groups on the PIX. These are DefaultRAGroup, which is the default IPSec remote-access tunnel group, and DefaultL2LGroup, which is the default IPSec LAN-to-LAN tunnel group. These groups can be changed but not deleted. The PIX uses these groups to configure default tunnel parameters for remote access and LAN-to-LAN tunnel groups when there is no specific tunnel group identified during tunnel negotiation. To establish a basic LAN-to-LAN connection, the connection type must be set to IPSec LAN-to-LAN, and an authentication method must be configured, for example, pre-shared key.
Use the tunnel-group name type type global configuration command to configure a tunnel group.
Step 4 – Configure tunnel group attributes – pre-shared key
Configure the tunnel group pre-shared key attributes with the tunnel-group name ipsec-attributes command. The name variable specifies the name of the tunnel group.
The tunnel-group command includes the variations shown in Figure . Each of these commands puts the administrator in a configuration mode for configuring the attributes at the level of the configuration mode.
The pre-shared-key key command specifies a pre-shared key to support IKE connections based on pre-shared keys. The key variable specifies an alphanumeric key between 1 and 127 characters.
Step 5 – Verify IKE Phase 1 policies
The show run crypto isakmp command displays configured and default policies, as shown in Figure . The show run crypto isakmp command displays configured policies much as they would appear with the write terminal command.
The show run tunnel-group command displays tunnel group information about all or a specified tunnel group and tunnel group attributes.
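A pre-deployment check for the settings built in Steps 2 to 4, as an added example that is not part of the original course material: it parses the configuration planned for each peer and reports a Phase 1 policy mismatch, a wrong tunnel-group type, or a missing or mismatched pre-shared key. The sample configurations, addresses and key are constructed, the DEFAULTS table is an assumption to confirm on the appliance, and ipsec-l2l is the type keyword for an IPSec LAN-to-LAN tunnel group.

```python
import re
# Constructed sample configs as typed (not "show run" output); all values are made up.
PIX1 = """\
isakmp enable outside
isakmp policy 10 encryption aes-256
isakmp policy 10 group 5
tunnel-group 192.168.6.2 type ipsec-l2l
tunnel-group 192.168.6.2 ipsec-attributes
 pre-shared-key EXAMPLE-KEY-ONLY
"""
PIX6 = PIX1.replace("192.168.6.2", "192.168.1.2")   # peer with mirrored settings
PIX6_BAD = PIX6.replace("group 5", "group 2")       # peer with a different DH group

# Assumed defaults for parameters omitted from the config; confirm with "show isakmp policy".
DEFAULTS = {"authentication": "pre-share", "encryption": "3des", "hash": "sha", "group": "2"}

def parse(cfg):
    """Collect the Phase 1 policies and tunnel groups from Steps 2-4."""
    policies, groups, current = {}, {}, None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.fullmatch(r"isakmp policy (\d+) (\S+) (\S+)", line):
            policies.setdefault(m[1], dict(DEFAULTS))[m[2]] = m[3]
        elif m := re.fullmatch(r"tunnel-group (\S+) type (\S+)", line):
            groups.setdefault(m[1], {})["type"] = m[2]
        elif m := re.fullmatch(r"tunnel-group (\S+) ipsec-attributes", line):
            current = groups.setdefault(m[1], {})
        elif (m := re.fullmatch(r"pre-shared-key (\S+)", line)) and current is not None:
            current["key"] = m[1]
    return policies, groups

def proposal(policy):
    # Lifetime is left out: peers need not configure identical lifetimes.
    return tuple(policy[k] for k in DEFAULTS)

def audit(local_cfg, peer_cfg):
    """Return findings; an empty list means both ends agree on Phase 1."""
    (lp, lg), (pp, pg) = parse(local_cfg), parse(peer_cfg)
    findings = []
    for side, groups in (("local", lg), ("peer", pg)):
        for name, g in groups.items():
            if g.get("type") != "ipsec-l2l":
                findings.append(f"{side}: tunnel-group {name} is not type ipsec-l2l")
            if not 1 <= len(g.get("key", "")) <= 127:
                findings.append(f"{side}: tunnel-group {name} lacks a 1-127 character key")
    if not {proposal(p) for p in lp.values()} & {proposal(p) for p in pp.values()}:
        findings.append("no IKE Phase 1 policy in common")
    if {g.get("key") for g in lg.values()}.isdisjoint(g.get("key") for g in pg.values()):
        findings.append("pre-shared keys do not match")
    return findings
```

Run it on the configuration text as entered, because the appliance does not display the stored key in clear text.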

Lab Activity

e-Lab Activity: Enable/Disable IKE on a PIX Security Appliance Interface

In this activity, the student will demonstrate how to enable/disable IKE on the PIX Security Appliance.

Lab Activity

e-Lab Activity: Configure an ISAKMP Policy on a PIX Security Appliance

In this activity, the student will configure an ISAKMP policy on the PIX Security Appliance.

Lab Activity

e-Lab Activity: Define a Tunnel Group on a PIX Security Appliance

In this activity, the student will configure a tunnel group on the PIX Security Appliance.

Interactive Media Activity

Demonstration Activity: Enable or Disable IKE

In this activity, students will learn how to configure IKE.