Prepare a Router for Site-to-Site VPN using Pre-shared Keys
Planning the IKE and IPSec policy

It is important to plan IPSec details in advance to minimize configuration errors. The IPSec security policy should be defined based on the overall company security policy. Some planning steps are as follows:

Step 1 – Determine IKE phase one policy. Determine the IKE policies between IPSec peers based on the number and location of the peers. Some planning steps include the following:

  • Determine the key distribution method
  • Determine the authentication method
  • Identify IPSec peer IP addresses and host names
  • Determine ISAKMP policies for peers

Step 2 – Determine IKE phase two policy. Identify IPSec peer details such as IP addresses, IPSec transform sets, and IPSec modes. Crypto maps will be used to gather all IPSec policy details together during the configuration phase.

Step 3 – Check the current configuration. Use the show running-config, show crypto isakmp policy, and show crypto map commands. Other show commands can be used to check the current configuration of the router. This is covered later in this module.

Step 4 – Ensure that the network works without encryption. This step should not be skipped. Ensure that basic connectivity has been achieved between IPSec peers using the desired IP services before configuring IPSec. Use the ping command to check basic connectivity.

Step 5 – Ensure that the ACLs on perimeter devices are compatible with IPSec. Ensure that perimeter routers and the IPSec peer router interfaces permit IPSec traffic. Use the show access-lists command for this step.
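
Steps 3 to 5 as they might look on one peer, as an added example that is not part of the original page. The peer addresses (192.0.2.1 local, 198.51.100.2 remote, both from documentation ranges), the host name RouterA, ACL number 102 and interface Serial0/0 are assumptions, and the show commands are given in their IOS router form.

```cisco
! Step 3: review what is already configured before adding IPSec.
RouterA# show running-config
RouterA# show crypto isakmp policy
RouterA# show crypto map

! Step 4: confirm plain IP reachability to the remote peer first.
RouterA# ping 198.51.100.2

! Step 5: inspect the ACLs on the peer-facing interface.
RouterA# show access-lists

! If the inbound ACL does not already permit IPSec from the peer,
! these entries allow exactly the three traffic types IPSec needs:
!   ahp          = IP protocol 51 (Authentication Header)
!   esp          = IP protocol 50 (Encapsulating Security Payload)
!   udp isakmp   = UDP port 500 (IKE negotiation)
! Entries are restricted to the known peer pair rather than "any".
RouterA# configure terminal
RouterA(config)# access-list 102 permit ahp host 198.51.100.2 host 192.0.2.1
RouterA(config)# access-list 102 permit esp host 198.51.100.2 host 192.0.2.1
RouterA(config)# access-list 102 permit udp host 198.51.100.2 host 192.0.2.1 eq isakmp

! Assumed interface name; apply the ACL inbound on the peer-facing side.
RouterA(config)# interface Serial0/0
RouterA(config-if)# ip access-group 102 in
RouterA(config-if)# end

! Re-check: match counters on these entries should increase once
! IKE and IPSec traffic from the peer starts arriving.
RouterA# show access-lists 102
```

An extended ACL ends with an implicit deny, so any other traffic that must reach the interface needs its own permit entries in the same list.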