Configure a PIX Security Appliance Site-to-Site VPN using Pre-shared Keys
Task 2 – Configure IKE parameters
Configuring IKE consists of the steps shown in the figure.
Step 1 – Enable or disable IKE
Enable or disable IKE, or ISAKMP, negotiation with the isakmp enable interface-name command in global configuration mode. This command is used to specify the PIX Security Appliance interface on which the IPSec peer will communicate. IKE is enabled by default for all PIX interfaces. Use the no isakmp enable interface-name command to disable IKE on an individual interface.
Step 2 – Configure IKE phase 1 policy
Configure an IKE Phase 1 policy with the isakmp policy command to match expected IPSec peers, as shown in the figure, by completing the substeps shown in the figure.
NOTE:
The PIX Security Appliance has preset default values. If a default
value is entered for a given policy parameter, it will not be written in the
configuration. If a value is not specified for a given policy parameter, the
default value is assigned. The configured and default values can be viewed with
the show isakmp policy command.
Step 3 – Configure a tunnel group
A tunnel group
is a set of records that contain tunnel connection policies. A tunnel group can
be configured to identify AAA servers, specify connection parameters, and
define a default group policy. The PIX Security Appliance stores tunnel groups
internally. There are two default tunnel groups on the PIX. These are
DefaultRAGroup, which is the default IPSec remote-access tunnel group, and
DefaultL2Lgroup, which is the default IPSec LAN-to-LAN tunnel group. These
groups can be changed but not deleted. The PIX uses these groups to configure
default tunnel parameters for remote access and LAN-to-LAN tunnel groups when
there is no specific tunnel group identified during tunnel negotiation. To
establish a basic LAN-to-LAN connection, the connection type must be set to
IPSec LAN-to-LAN, and an authentication method must be configured, for example,
pre-shared key.
Use the tunnel-group name type type global configuration command to configure a tunnel group.
Step 4 – Configure tunnel group attributes – pre-shared key
Configure the tunnel group pre-shared key attributes with the tunnel-group name ipsec-attributes command. The name variable specifies the name of the tunnel group.
The tunnel-group command includes the variations shown in the figure. Each variation puts the administrator in a configuration mode for the attributes at that level.
The pre-shared-key key command specifies a pre-shared key to support IKE connections based on pre-shared keys. The key variable specifies an alphanumeric key between 1 and 127 characters.
Step 5 – Verify IKE phase 1 policies
The show run crypto isakmp command displays configured and default policies, as shown in the figure. The show run crypto isakmp command displays configured policies much as they would appear with the write terminal command.
The show run tunnel-group command displays tunnel group information about all or a specified tunnel group and its tunnel group attributes.
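The five steps above carried through as one complete command sequence. This is an added example, not configuration from the original page or from Cisco; it assumes PIX Security Appliance 7.x command syntax, in which the name of a LAN-to-LAN tunnel group is the IP address of the remote peer. The interface name (outside), the peer address 192.0.2.1, the policy priority 10, the policy values and the key text are constructed placeholders.

```cisco
! Step 1 - IKE is on by default on every interface; keep it only on the
! peer-facing interface and switch it off where no VPN peer is expected.
isakmp enable outside
no isakmp enable inside

! Step 2 - IKE Phase 1 policy, priority 10; each line is one substep.
! Parameters set to their default values are not written to the configuration.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Step 3 - LAN-to-LAN tunnel group; the name is the remote peer address (constructed).
tunnel-group 192.0.2.1 type ipsec-l2l

! Step 4 - pre-shared key attribute (placeholder; 1 to 127 alphanumeric characters,
! the same value configured on the peer).
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key ReplaceWithLongRandomKey

! Step 5 - verification of the configured and default policies and the tunnel group.
show isakmp policy
show run crypto isakmp
show run tunnel-group 192.0.2.1
```

The peer must offer a Phase 1 policy whose authentication, encryption, hash and Diffie-Hellman group match one of the local policies, and must hold the same pre-shared key; if show isakmp policy shows only the default policy, the isakmp policy lines did not take effect, and if show run tunnel-group shows no ipsec-attributes section, the key was never entered.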