Configuring IPSec encryption can be complicated. Planning in advance of the
actual configuration helps the administrator to configure IPSec encryption
correctly the first time and minimize configuration errors. This task should be
started by defining the overall security needs and strategy based on the
overall company security policy. Some planning steps include the following:
Step 1 Determine the IKE (IKE Phase 1) policy.
Determine the IKE policies between peers based on the number and location of IPSec peers.
Step 2 Determine the IPSec (IKE Phase 2) policy.
Identify IPSec peer details such as IP addresses and IPSec modes. Determine the IPSec policies applied to the encrypted data passing between peers.
Step 3 Ensure that the network works without encryption.
Ensure that basic connectivity has been achieved between IPSec peers using the desired IP services before configuring firewall appliance IPSec.
Step 4 Implicitly permit IPSec packets to bypass PIX Security Appliance ACLs and access groups.
This can be done with the sysopt connection permit-ipsec command.
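A site-to-site PIX configuration that carries the four planning steps above through to commands, added here as an example and not taken from the text; the peer address 192.0.2.1, the protected networks, the names VPN_TRAFFIC, STRONG and SITE2SITE, and the pre-shared key placeholder are assumed values.

```cisco
! Added example (not from the original text): site-to-site IPSec on a
! PIX Security Appliance, organised by the planning steps above.
! Peer address, networks, object names and the pre-shared key are
! constructed placeholders.

! Step 3 check: confirm plain connectivity to the peer before enabling IPSec
ping outside 192.0.2.1

! Step 1: IKE Phase 1 policy (every parameter must match the peer's policy)
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key REPLACE-WITH-STRONG-PSK address 192.0.2.1 netmask 255.255.255.255

! Step 2: IKE Phase 2 policy: which traffic is protected, with what, to whom
access-list VPN_TRAFFIC permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ipsec transform-set STRONG esp-aes-256 esp-sha-hmac
crypto map SITE2SITE 10 ipsec-isakmp
crypto map SITE2SITE 10 match address VPN_TRAFFIC
crypto map SITE2SITE 10 set peer 192.0.2.1
crypto map SITE2SITE 10 set transform-set STRONG
crypto map SITE2SITE interface outside

! Step 4: let decrypted IPSec traffic bypass the interface ACLs and access
! groups. After this, the crypto ACL and the peer list are the only filter
! on tunnelled traffic, so keep VPN_TRAFFIC as narrow as the need allows.
sysopt connection permit-ipsec
```

Once both peers are configured, show isakmp sa and show crypto ipsec sa confirm that Phase 1 and Phase 2 came up for the expected peer and proxy identities.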