Once you have your IKE Phase 1 policy defined, you next identify your IKE Phase 2 (IPSec) policy. Again, you first need to write down exactly what the policy should look like, as in Table 8.4.

Table 8.4. IKE Phase 2 Configuration Parameters

Example of IKE Phase 2 (IPSec) Policy

The IKE Phase 2 policy that would be implemented to achieve the preceding security policy for R1 would look like this:

    R1(config)# access-list 122 permit tcp 30.1.1.0 0.0.0.255 30.2.2.0 0.0.0.255
    R1(config)# crypto ipsec transform-set MYSET esp-des ah-md5-hmac
    R1(config)# crypto map MYMAP 10 ipsec-isakmp
    R1(config-crypto-map)# match ip address 122
    R1(config-crypto-map)# set peer 30.200.200.2
    R1(config-crypto-map)# set transform-set MYSET
    R1(config-crypto-map)# interface serial 0/0
    R1(config-if)# crypto map MYMAP

Crypto access list 122 defines our interesting traffic from R1's point of view. TCP traffic sourced from 30.1.1.0/24 and destined to 30.2.2.0/24 is considered interesting and therefore will be encrypted when sent toward R2.

Our IPSec policy states that we will transform our cleartext data using ESP to provide confidentiality with the DES encryption algorithm, and also provide data integrity using AH with the MD5 algorithm. We named this transform set MYSET.

Next, we need to tie our IKE Phase 1 and IKE Phase 2 parameters together. We perform this function using a crypto map named MYMAP, which uses a sequence number of 10. You can define additional crypto map entries for additional IPSec peers using different sequence numbers. When we define our crypto map, we issue the special keyword ipsec-isakmp. This keyword says to use IKE (ISAKMP) to create our SAs. If you do not issue this keyword, the crypto map assumes you want to use Cisco's legacy Cisco Encryption Technology (CET).

Inside our crypto map, we tied in our crypto access list with the match ip address 122 command, thus identifying the interesting traffic for this crypto map. For interesting traffic matching this crypto map, we defined our far-end IPSec gateway (the peer), which is 30.200.200.2. Next, in our crypto map, we defined how IPSec will handle the plaintext data. To do so, we reference the transform set by name: MYSET.

Finally, to get IPSec up and running on R1, we need to activate our crypto map. To do that, we simply apply it to an interface. In this case, R1 applied the crypto map to its serial 0/0 interface.
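The configuration above only works when every piece references the others correctly: the crypto map must name an access list that exists, a transform set that exists, a peer, and the ipsec-isakmp keyword, and the map must actually be applied to an interface. The following Python script is an added example (not code from the book or from Cisco); it parses the R1 commands shown above, reports any dangling reference or missing binding, and classifies sample packets against crypto access list 122 the way IOS decides what is interesting traffic (wildcard-mask matching with the list's implicit deny). The R1_CONFIG text is constructed from the commands above with the prompts stripped; the function names and the sample packet addresses are this example's own.

```python
"""Consistency checker for the IKE Phase 2 (IPSec) configuration shown above.

Added example, not from the book or from Cisco. It parses the subset of IOS
commands used for R1, checks that the crypto map's references resolve, and
classifies packets against the crypto ACL (wildcard mask: a 0 bit in the mask
must match the address bit exactly; unmatched packets hit the implicit deny).
"""
import ipaddress
import re

# Constructed input: the R1 commands from the text, one per line, prompts stripped.
R1_CONFIG = """\
access-list 122 permit tcp 30.1.1.0 0.0.0.255 30.2.2.0 0.0.0.255
crypto ipsec transform-set MYSET esp-des ah-md5-hmac
crypto map MYMAP 10 ipsec-isakmp
 match ip address 122
 set peer 30.200.200.2
 set transform-set MYSET
interface serial 0/0
 crypto map MYMAP
"""


def parse_config(text):
    """Parse the IOS subset above into ACLs, transform sets, crypto map
    entries (keyed by (name, sequence)) and interfaces."""
    cfg = {"acls": {}, "transform_sets": {}, "crypto_maps": {}, "interfaces": {}}
    mode, cur = None, None  # current sub-mode and the entry being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"access-list (\d+) permit (\S+) (\S+) (\S+) (\S+) (\S+)$", line):
            num, proto, src, swc, dst, dwc = m.groups()
            cfg["acls"].setdefault(num, []).append(
                {"proto": proto, "src": src, "src_wc": swc, "dst": dst, "dst_wc": dwc})
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["transform_sets"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto map (\S+) (\d+)(?: (\S+))?$", line):
            cur = {"isakmp": m.group(3) == "ipsec-isakmp"}  # else legacy CET/manual
            cfg["crypto_maps"][(m.group(1), int(m.group(2)))] = cur
            mode = "map"
        elif m := re.match(r"interface (.+)$", line):
            cur = {}
            cfg["interfaces"][m.group(1)] = cur
            mode = "if"
        elif mode == "map" and (m := re.match(r"match ip address (\d+)$", line)):
            cur["acl"] = m.group(1)
        elif mode == "map" and (m := re.match(r"set peer (\S+)$", line)):
            cur["peer"] = m.group(1)
        elif mode == "map" and (m := re.match(r"set transform-set (\S+)$", line)):
            cur["transform_set"] = m.group(1)
        elif mode == "if" and (m := re.match(r"crypto map (\S+)$", line)):
            cur["crypto_map"] = m.group(1)
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return cfg


def check_config(cfg):
    """Return a list of problems; an empty list means every reference resolves."""
    problems = []
    applied = {i.get("crypto_map") for i in cfg["interfaces"].values()}
    for (name, seq), entry in cfg["crypto_maps"].items():
        tag = f"crypto map {name} {seq}"
        if not entry["isakmp"]:
            problems.append(f"{tag}: missing ipsec-isakmp keyword, IKE will not build the SAs")
        for field in ("acl", "peer", "transform_set"):
            if field not in entry:
                problems.append(f"{tag}: no {field} configured")
        if "acl" in entry and entry["acl"] not in cfg["acls"]:
            problems.append(f"{tag}: crypto access-list {entry['acl']} is not defined")
        ts = entry.get("transform_set")
        if ts is not None and ts not in cfg["transform_sets"]:
            problems.append(f"{tag}: transform set {ts} is not defined")
        if name not in applied:
            problems.append(f"{tag}: not applied to any interface, so IPSec is inactive")
    for ifname, entry in cfg["interfaces"].items():
        cm = entry.get("crypto_map")
        if cm and not any(n == cm for n, _ in cfg["crypto_maps"]):
            problems.append(f"interface {ifname}: crypto map {cm} is not defined")
    return problems


def _wildcard_match(ip, network, wildcard):
    """IOS wildcard semantics: bits that are 0 in the wildcard must match."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def is_interesting(cfg, acl_num, proto, src_ip, dst_ip):
    """True if the crypto ACL permits the flow (it will be protected by IPSec)."""
    for ace in cfg["acls"].get(acl_num, []):
        if ace["proto"] in (proto, "ip") and _wildcard_match(src_ip, ace["src"], ace["src_wc"]) \
                and _wildcard_match(dst_ip, ace["dst"], ace["dst_wc"]):
            return True
    return False  # implicit deny: sent in the clear


if __name__ == "__main__":
    cfg = parse_config(R1_CONFIG)
    print("problems:", check_config(cfg) or "none")
    for proto, src, dst in [("tcp", "30.1.1.5", "30.2.2.7"), ("udp", "30.1.1.5", "30.2.2.7"),
                            ("tcp", "30.1.1.5", "3.2.2.7")]:
        print(proto, src, "->", dst, "interesting" if is_interesting(cfg, "122", proto, src, dst) else "clear")
```

The checker validates references only; it says nothing about algorithm strength, and a current deployment would replace the esp-des and ah-md5-hmac transforms with stronger ones. Feeding it a copy of the configuration with the ipsec-isakmp keyword dropped, or with the interface binding removed, produces one problem line for each omission, which is exactly the pair of mistakes that leave a crypto map defined but never negotiating a tunnel.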