Defining IKE Phase 2 (IPSec) Policy


Once you have your IKE Phase 1 policy defined, you next identify your IKE Phase 2 (IPSec) policy. Again, first write down exactly what the policy should look like, as in Table 8.4.

Table 8.4. IKE Phase 2 Configuration Parameters

Policy                R1 Configuration      R2 Configuration
--------------------  --------------------  --------------------
Protected networks    30.1.1.0/24           30.2.2.0/24
Transport used        TCP                   TCP
IPSec policy          ESP-DES, AH-MD5       ESP-DES, AH-MD5
IPSec interface       S0/0                  S0/0
Peer hostname         R2                    R1
D-H authentication    Preshared             Preshared

Example of IKE Phase 2 (IPSec) Policy

The IKE Phase 2 configuration that implements the preceding policy on R1 looks like this:

 
 R1(config)# access-list 122 permit tcp 30.1.1.0 0.0.0.255 30.2.2.0 0.0.0.255
 R1(config)# crypto ipsec transform-set MYSET esp-des ah-md5-hmac
 R1(config)# crypto map MYMAP 10 ipsec-isakmp
 R1(config-crypto-map)# match ip address 122
 R1(config-crypto-map)# set peer 30.200.200.2
 R1(config-crypto-map)# set transform-set MYSET
 R1(config-crypto-map)# interface serial 0/0
 R1(config-if)# crypto map MYMAP

Crypto access list 122 defines our interesting traffic from R1's point of view. TCP traffic sourced from 30.1.1.0/24 and destined to 30.2.2.0/24 is considered interesting and therefore will be encrypted when sent toward R2. R2's crypto access list must be the mirror image of this one (source and destination swapped, 30.2.2.0/24 to 30.1.1.0/24); if the two lists do not mirror each other, the Phase 2 SA negotiation fails.

Our IPSec policy states that we will transform our cleartext data using ESP to provide confidentiality with the DES encryption algorithm, and also provide data integrity and origin authentication using AH with HMAC-MD5. We named this transform set MYSET. Both DES and HMAC-MD5 are weak by today's standards and appear here only because the exam material uses them; on current IOS you would pick stronger transforms such as esp-aes with esp-sha-hmac (or better).

Next, we need to tie our IKE Phase 1 and IKE Phase 2 parameters together. We perform this function with a crypto map named MYMAP, which uses a sequence number of 10. You can define additional crypto map entries for additional IPSec peers by using different sequence numbers under the same map name. When we define our crypto map, we issue the keyword ipsec-isakmp. This keyword says to use IKE (ISAKMP) to negotiate our SAs and keys. If you omit it, the crypto map assumes you want to use Cisco's legacy Cisco Encryption Technology (CET). (The other alternative, ipsec-manual, uses statically configured keys with no IKE negotiation at all.)

Inside our crypto map, we tied in our crypto access list with the match ip address 122 command, thus identifying the interesting traffic for this crypto map entry. Once interesting traffic is observed for this entry, the router needs to know where to send it, so we defined the remote IPSec peer (R2) with set peer 30.200.200.2. Next, in our crypto map, we defined how IPSec will transform the plaintext data by referencing the transform set name MYSET.

Finally, to get IPSec up and running on R1, we need to activate our crypto map. To do that, we simply apply it to an interface. In this case, R1 applied crypto map MYMAP to its serial 0/0 interface. You can confirm the result with show crypto map, and once interesting traffic has crossed the link, show crypto ipsec sa shows the negotiated SAs and their packet counters.
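The two points a practitioner most often gets wrong in this procedure are that R2's crypto ACL must be the exact mirror image of R1's and that the peers must offer at least one common transform combination. The following Python script is an added example, not code from the book: it parses the crypto ACL and transform-set lines of both routers, generates R2's mirror-image ACL from R1's, and flags a mismatch. R1's lines are taken from the configuration above; R2's configuration and the deliberately broken R2 variant (with the 3.2.2.0 typo) are constructed for this example, since the book shows only R1. The parser handles only the address/wildcard ACE form used on this page, not host or any keywords or port operators.

```python
import ipaddress
import re

# Constructed sample configurations for this example. R1's lines follow the
# configuration in the text; R2's lines are the mirror image that R2 must carry,
# written here as an assumption (the book shows only R1).
R1_CONFIG = """
access-list 122 permit tcp 30.1.1.0 0.0.0.255 30.2.2.0 0.0.0.255
crypto ipsec transform-set MYSET esp-des ah-md5-hmac
"""

R2_CONFIG = """
access-list 122 permit tcp 30.2.2.0 0.0.0.255 30.1.1.0 0.0.0.255
crypto ipsec transform-set MYSET esp-des ah-md5-hmac
"""

# Constructed failure case: a typo in R2's source network (3.2.2.0 instead of
# 30.2.2.0) means the two crypto ACLs are no longer mirror images.
R2_BAD_CONFIG = """
access-list 122 permit tcp 3.2.2.0 0.0.0.255 30.1.1.0 0.0.0.255
crypto ipsec transform-set MYSET esp-des ah-md5-hmac
"""

# Only the numbered extended ACE form "access-list N permit PROTO SRC WC DST WC"
# is parsed (no "host"/"any" keywords, no port operators).
IP = r"(\d+\.\d+\.\d+\.\d+)"
ACE_RE = re.compile(
    rf"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+{IP}\s+{IP}\s+{IP}\s+{IP}\s*$"
)
TS_RE = re.compile(r"^crypto ipsec transform-set\s+(\S+)\s+(.+?)\s*$")


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair (e.g. 0.0.0.255) into a CIDR network."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def network_to_wildcard(net):
    """Inverse of wildcard_to_network: render a network as 'address wildcard'."""
    return f"{net.network_address} {ipaddress.IPv4Address(0xFFFFFFFF ^ int(net.netmask))}"


def parse_crypto_acl(config, number):
    """Return the permit ACEs of access-list `number` as (proto, src, dst) tuples."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == str(number) and m.group(2) == "permit":
            proto, src, src_wc, dst, dst_wc = m.groups()[2:]
            aces.append((proto, wildcard_to_network(src, src_wc),
                         wildcard_to_network(dst, dst_wc)))
    return aces


def parse_transform_sets(config):
    """Map transform-set name -> frozenset of transforms (their order is irrelevant)."""
    sets = {}
    for line in config.splitlines():
        m = TS_RE.match(line.strip())
        if m:
            sets[m.group(1)] = frozenset(m.group(2).split())
    return sets


def mirror(aces):
    """Swap source and destination of every ACE: what the other peer must configure."""
    return sorted((proto, dst, src) for proto, src, dst in aces)


def render_mirror_acl(number, aces):
    """Emit the IOS lines for the peer's mirror-image crypto ACL."""
    return [f"access-list {number} permit {proto} "
            f"{network_to_wildcard(dst)} {network_to_wildcard(src)}"
            for proto, src, dst in aces]


def check_peer_policy(local_cfg, remote_cfg, acl_number=122):
    """Return a list of problems; an empty list means the two sides agree."""
    problems = []
    local = parse_crypto_acl(local_cfg, acl_number)
    remote = parse_crypto_acl(remote_cfg, acl_number)
    if not local:
        problems.append(f"no permit ACEs in local access-list {acl_number}")
    if sorted(local) != mirror(remote):
        problems.append("crypto ACLs are not mirror images: "
                        f"local={sorted(local)} expected={mirror(remote)}")
    # IKE Phase 2 needs at least one transform combination offered by both
    # peers; the transform-set names need not match, only the transforms.
    local_ts = set(parse_transform_sets(local_cfg).values())
    remote_ts = set(parse_transform_sets(remote_cfg).values())
    if not local_ts & remote_ts:
        problems.append(f"no common transform set: local={local_ts} remote={remote_ts}")
    return problems


if __name__ == "__main__":
    print("R2 mirror ACL:", *render_mirror_acl(122, parse_crypto_acl(R1_CONFIG, 122)))
    print("R1 vs R2:", check_peer_policy(R1_CONFIG, R2_CONFIG) or "OK")
    print("R1 vs bad R2:", check_peer_policy(R1_CONFIG, R2_BAD_CONFIG))
```

Run against the good pair, check_peer_policy returns an empty list; against the typo variant it reports the non-mirrored ACLs, which is exactly the symptom that otherwise surfaces only as a Phase 2 proposal failure in debug crypto ipsec output.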



CCSP SECUR Exam Cram 2
CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
EAN: N/A
Year: 2003
Pages: 291
Authors: Raman Sud
