Configure a PIX Security Appliance Site-to-Site VPN using Pre-shared Keys
Task 3 – Configure IPSec parameters
The tasks and commands used to configure IPSec encryption on the PIX Security Appliance are summarized in the figure.
Step 1 – Configure interesting traffic
Crypto ACLs perform the same function on the PIX Security Appliance as on an IOS router. Crypto ACLs define which IP traffic is interesting and will be protected by IPSec, and which traffic will not be protected by IPSec.
Remember that it is recommended to avoid using the any keyword to specify source or destination addresses, because it would declare all traffic interesting. Use the show run access-list command to display the currently configured ACLs. The figure contains an example ACL for each of the peer PIX Security Appliances. In the fw1 ACL, the source network is 10.0.1.0 and the destination network is 10.0.6.0. In the fw6 ACL, the source network is 10.0.6.0 and the destination network is 10.0.1.0. The ACLs are symmetrical (mirror images of each other), which is required for the peers to agree on what traffic to protect.
The nat 0 command instructs the PIX Security Appliance not to use NAT for any traffic deemed interesting for IPSec. In the figure, traffic matching access-list 101, that is, traffic from 10.0.1.0/24 to 10.0.6.0/24, is exempt from NAT.
Step 2 – Configure an IPSec transform set
Transforms define the IPSec security protocols and algorithms. Each transform represents an IPSec security protocol, ESP, AH, or both, plus the algorithm to be used.
Multiple transform sets can be specified, and then one or more of these transform sets can be referenced in a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec SA negotiation to protect the data flows specified by the ACL of that crypto map entry. During the IPSec SA negotiation, the peers agree to use a particular transform set for protecting a particular data flow.
A transform set equals an AH transform and an ESP transform plus the mode, either transport mode or tunnel mode. Transform sets are limited to one AH and two ESP transforms. The default mode is tunnel. Be sure to configure matching transform sets between IPSec peers.
NOTE: In PIX Security Appliance versions 6.0 and higher, Layer 2 Tunneling Protocol (L2TP) is the only protocol that can use the IPSec transport mode. The PIX discards all other types of packets using IPSec transport mode.
The PIX Security Appliance supports the transforms listed in the figure. Choosing IPSec transform combinations can be complex. The tips shown in the figure may help in selecting appropriate transforms.
Step 3 – Configure the crypto map
The syntax for the crypto map command is shown in the figure. Configure the crypto map with the crypto map command by completing the substeps shown in the figure.
Step 4 – Apply the crypto map to an interface
Apply the crypto map to an interface with the crypto map map-name interface interface-name command. This activates the IPSec policy.
Use the show run crypto map command to verify the crypto map configuration. Consider the example of a crypto map for the PIX Security Appliance with the name fw1 in the figure.