Tuesday, July 23, 2013

IPSec VPN sample configuration

int fa0/0
ip address 192.168.1.33 255.255.255.224
no shut
int se0/0
ip address 61.0.0.5 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 se0/0

crypto isakmp policy 1
!--- Phase 1. Defines an IKE policy; the crypto isakmp policy command is entered in global configuration mode.
!--- IKE policies define the set of parameters used during the IKE phase 1 negotiation.
 authentication pre-share
 encryption 3des
 hash sha
 group 2
!--- Specifies preshared keys as the authentication method.

crypto isakmp key abc123 address 71.0.0.5
!--- Defines the key: configures a preshared authentication key for this peer, in global configuration mode.

crypto ipsec transform-set abc1 esp-3des esp-sha-hmac
!--- Phase 2. Defines a transform set: an acceptable combination of security protocols and algorithms, which has to be matched on the peer router.
 mode tunnel
!--- Defines tunnel mode.

access-list 120 permit ip 192.168.1.32 0.0.0.31 192.168.1.64 0.0.0.31
!--- Defines the interesting traffic.

crypto map vpnmap 10 ipsec-isakmp
!--- Creates a crypto map entry using IPsec and ISAKMP.
 set transform-set abc1
 set peer 71.0.0.5
!--- Sets the IP address of the remote end.
 match address 120
!--- Assigns an extended access list to the crypto map entry; IPsec uses it to determine which traffic should be protected by crypto and which traffic does not need crypto protection.

int se0/0
!--- Apply the crypto map to the exit (WAN) interface.
 crypto map vpnmap


#### Change the addresses accordingly to configure the other end. The WAN interfaces are not directly connected in the above topology.
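The phase 1 policy, preshared key, transform set and crypto ACL all have to agree between the two ends (the ACL as a mirror image). The following is an added example, not part of the original post: a small Python checker that parses the page's configuration lines from both routers (site B is a constructed peer config) and lists what would stop the tunnel from negotiating. The regexes only understand the handful of commands used on this page.

```python
import re
# Constructed sample configs: site A is the page's router, site B is a
# hand-written peer with the ACL mirrored, as the page says to do.
SITE_A = """
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto isakmp key abc123 address 71.0.0.5
crypto ipsec transform-set abc1 esp-3des esp-sha-hmac
access-list 120 permit ip 192.168.1.32 0.0.0.31 192.168.1.64 0.0.0.31
"""
SITE_B = """
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto isakmp key abc123 address 61.0.0.5
crypto ipsec transform-set abc1 esp-3des esp-sha-hmac
access-list 120 permit ip 192.168.1.64 0.0.0.31 192.168.1.32 0.0.0.31
"""

def parse(cfg):
    """Extract the values both ends must agree on (hypothetical helper)."""
    f = {}
    for key in ("authentication", "encryption", "hash", "group"):  # phase 1
        m = re.search(rf"^\s*{key} (\S+)", cfg, re.M)
        f[key] = m.group(1) if m else None
    m = re.search(r"crypto isakmp key (\S+) address", cfg)
    f["psk"] = m.group(1) if m else None
    m = re.search(r"transform-set \S+ (\S+) (\S+)", cfg)         # phase 2
    f["transform"] = m.groups() if m else None
    m = re.search(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", cfg)
    f["acl"] = m.groups() if m else None                        # interesting traffic
    return f

def mismatches(a, b):
    """List the reasons the two configs would fail to negotiate a tunnel."""
    pa, pb = parse(a), parse(b)
    out = [f"{k}: {pa[k]} vs {pb[k]}" for k in
           ("authentication", "encryption", "hash", "group", "transform")
           if pa[k] != pb[k]]
    if pa["psk"] != pb["psk"]:
        out.append("preshared keys differ")
    # The peer's crypto ACL must be the local one with source and destination swapped.
    if pa["acl"] and pb["acl"] and pb["acl"] != pa["acl"][2:] + pa["acl"][:2]:
        out.append("crypto ACLs are not mirror images")
    return out
```

Running mismatches(SITE_A, SITE_B) on the two sample configs returns an empty list; changing the hash, key or ACL on one side produces a matching entry.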

Parameters and accepted values:
=========================
1. Message encryption algorithm:

56 bit DES
168 bit 3DES
AES 128 bit key
AES 192 bit key
AES 256 bit key

default: 3DES

2. Message integrity (hash) algorithm:

SHA-1 (HMAC variant), 160 bit (keyword: sha)
MD5 (HMAC variant), 128 bit

default: SHA-1

3. Peer authentication method:

Preshared keys
RSA signature
CRACK

default: preshared

4. Key exchange parameters (DH group ID):

768 bit DH group 1
1024 bit DH group 2
1536 bit DH group 5
Elliptic curve field size 163 bits: group 7

default: 1024 bit DH group 2

5. Lifetime of the established ISAKMP SA:

default: 86400 seconds
