The third task in configuring Cisco IOS IPSec is to configure the IKE
parameters. This section presents the steps used to configure IKE policies.
Configuring IKE consists of the following steps and commands:
- Enable IKE with the crypto isakmp enable command, in case it has been disabled. IKE is enabled by default.
- Create IKE policies with the crypto isakmp policy command.
- Set the IKE identity to address or hostname with the crypto isakmp identity command.
- Test and verify the IKE configuration with the show crypto isakmp policy and show crypto isakmp sa commands.

The crypto isakmp policy command invokes the ISAKMP policy configuration
command mode config-isakmp, which can be used to set ISAKMP parameters. If one
of these commands is not specified, the default value for that parameter is
used. While in the config-isakmp command mode, the keywords that are available
to specify the parameters in the policy are shown in Figure.

Multiple ISAKMP policies can be configured on each peer participating in IPSec.
ISAKMP peers negotiate acceptable ISAKMP policies before agreeing upon the SA to
be used for IPSec.
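
The four steps above, with two policies defined so that a peer has a fallback to negotiate, are shown here as one IOS session. This is an added illustration, not part of the original course text. The policy numbers 110 and 120 and every parameter value are assumptions, and keywords such as sha256 and group 14 are only available on IOS releases that support them.

```cisco
! Constructed example: policy numbers and parameter values are assumptions.

! Step 1: enable IKE (only needed if it was turned off earlier).
Router(config)# crypto isakmp enable

! Step 2: create the preferred policy. A lower number means higher priority.
! Every parameter is set explicitly so that no default is used silently.
Router(config)# crypto isakmp policy 110
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# encryption aes 256
Router(config-isakmp)# hash sha256
Router(config-isakmp)# group 14
Router(config-isakmp)# lifetime 86400
Router(config-isakmp)# exit

! A second, lower-priority policy gives the peers another proposal to
! agree on if policy 110 has no match on the other side.
Router(config)# crypto isakmp policy 120
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# encryption aes
Router(config-isakmp)# hash sha
Router(config-isakmp)# group 14
Router(config-isakmp)# lifetime 43200
Router(config-isakmp)# exit

! Step 3: identify this router to its peers by IP address.
Router(config)# crypto isakmp identity address
Router(config)# end

! Step 4: confirm what was configured, then check the negotiated SAs.
! Any parameter not set in a policy is listed with its default value.
Router# show crypto isakmp policy
Router# show crypto isakmp sa
```

When reviewing the show crypto isakmp policy output, check that each policy lists the values you entered, since a parameter that was mistyped or left out appears with its default.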