[ LiB ]Monitoring and Maintaining QoS for VPNs Practical Exercise 14-1: IPSec Router-to-Router

Scenarios

The scenarios presented in this chapter help you gain a more complete understanding of configuring IPSec through practical application. You will go through the necessary configuration tasks in their logical progression. The scenarios cover the following topics:

Scenario 14-1: Defining IKE Parameters

In this scenario, you define two IKE proposals. The first uses DES, MD5, preshared keys, D-H group 1, and a lifetime of 600 seconds. The second proposal uses 3DES, SHA, RSA signatures, D-H group 2, and a lifetime of 1 day.

Step 1. Identify the policy to create (lower priority values are evaluated first):

R1(config)#crypto isakmp policy priority

Step 2. Specify the encryption algorithm to use (DES is the default if this command is omitted):

R1(config-isakmp)#encryption {des | 3des}

Step 3. Specify the hash algorithm to use:

R1(config-isakmp)#hash {sha | md5}

Step 4. Specify the authentication method:

R1(config-isakmp)#authentication {rsa-sig | rsa-encr | pre-share}

Step 5. Specify the D-H group to use:

R1(config-isakmp)#group {1 | 2}

Step 6. Specify the lifetime, in seconds, for the IKE security association:

R1(config-isakmp)#lifetime seconds

Example 14-1 shows the commands you can use to complete this scenario. Note that policy 10 does not include an encryption command: DES is the IOS default, so the first proposal uses it implicitly, whereas policy 20 must set 3DES explicitly.

Example 14-1. Defining IKE Proposals
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 1
R1(config-isakmp)#lifetime 600
R1(config-isakmp)#exit
R1(config)#crypto isakmp policy 20
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication rsa-sig
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 86400

Scenario 14-2: Defining IPSec Transform Sets

In this scenario, you define two transform sets. The first, named set1, uses AH with the SHA-HMAC authentication variant in transport mode. The second, named set2, uses ESP with the 3DES encryption algorithm and the SHA-HMAC authentication algorithm in tunnel mode.

Follow these steps to define each transform set:

Step 1. Define the transform set, naming it and listing up to three transforms:

R1(config)#crypto ipsec transform-set transform-set-name transform1
  [transform2 [transform3]]

Step 2. Optionally define the mode to use with the transform set (tunnel mode is the default):

R1(cfg-crypto-tran)#mode [tunnel | transport]

Example 14-2 shows the commands necessary on R1 to complete this scenario.

Example 14-2. Defining IPSec Transform Sets
R1(config)#crypto ipsec transform-set set1 ah-sha-hmac
R1(cfg-crypto-tran)#mode transport
R1(cfg-crypto-tran)#exit
R1(config)#crypto ipsec transform-set set2 esp-3des esp-sha-hmac
R1(cfg-crypto-tran)#mode tunnel
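Because IOS silently fills in defaults (DES, SHA, RSA signatures, group 1, 86400 seconds) for any IKE parameter a policy leaves unset, the effective policy is not always what the typed commands suggest. The following added example (not code from the book) parses the prompt-prefixed commands of Examples 14-1 and 14-2 into their effective ISAKMP policies and transform sets, and flags the weak settings (DES, MD5, D-H group 1) a reviewer would want to see; the `ISAKMP_DEFAULTS`, `WEAK` and `SAMPLE` names are assumptions of this example.

```python
import re
# IOS fills in these values for any ISAKMP policy parameter that is not set explicitly.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}
# Settings to flag in an effective policy (weak algorithm or small D-H group).
WEAK = {("encryption", "des"), ("hash", "md5"), ("group", "1")}
PROMPT = re.compile(r"^\S+\([\w-]+\)#")  # e.g. "R1(config-isakmp)#"

def strip_prompts(text):
    """Turn the prompt-prefixed CLI lines printed in the book into plain config lines."""
    return [PROMPT.sub("", ln).strip() for ln in text.splitlines() if ln.strip()]

def parse_crypto_config(text):
    """One pass over the CLI: returns (ISAKMP policies by priority, transform sets by name)."""
    policies, sets, current = {}, {}, None
    for line in strip_prompts(text):
        w = line.split()
        if w[:3] == ["crypto", "isakmp", "policy"]:
            current = policies.setdefault(int(w[3]), dict(ISAKMP_DEFAULTS))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            current = sets.setdefault(w[3], {"transforms": w[4:], "mode": "tunnel"})
        elif w[0] == "exit":
            current = None
        elif current is not None and len(w) == 2 and w[0] in current:
            current[w[0]] = w[1]  # parameter line inside the current block
    return policies, sets

def weak_settings(policy):
    """Parameter names of an effective ISAKMP policy whose values appear in WEAK, sorted."""
    return sorted(k for k, v in policy.items() if (k, v) in WEAK)

# Constructed input: the commands of Examples 14-1 and 14-2 exactly as typed at the R1 prompt.
SAMPLE = """R1(config)#crypto isakmp policy 10
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 1
R1(config-isakmp)#lifetime 600
R1(config-isakmp)#exit
R1(config)#crypto isakmp policy 20
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication rsa-sig
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 86400
R1(config)#crypto ipsec transform-set set1 ah-sha-hmac
R1(cfg-crypto-tran)#mode transport
R1(cfg-crypto-tran)#exit
R1(config)#crypto ipsec transform-set set2 esp-3des esp-sha-hmac
R1(cfg-crypto-tran)#mode tunnel
"""
```

Calling `parse_crypto_config(SAMPLE)` shows policy 10 as DES/MD5/pre-share/group 1/600 s (three weak settings, the DES one coming from the default) and policy 20 as 3DES/SHA/rsa-sig/group 2/86400 s with none.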
