ISAKMP/IKE Phase 1 Preparation

The remainder of this chapter will discuss how to set up and modify L2L connections, and will examine the kinds of issues you'll deal with when using these connections. Before you begin adding an L2L session, you'll first need to create an ISAKMP/IKE Phase 1 transform set that you'll use for the L2L session. This section will discuss the ISAKMP/IKE Phase 1 transforms that you can use or create for your L2L connection.

Existing IKE Policies

Cisco already has some predefined Phase 1 transforms that you can use for your L2L sessions. If you recall from Chapter 7, "Concentrator Remote Access Connections with IPsec," to access the concentrator's existing Phase 1 transforms, you go to the Configuration > Tunneling and Security > IPsec > IKE Proposals screen.

Table 9-2 lists the L2L Phase 1 transforms that exist and are activated, by default, on the concentrators. Of course, there are other predefined transforms that are not activated by default. You can use the ones Cisco has predefined, modify these, or create your own.

Table 9-2. Concentrator Predefined Active ISAKMP/IKE Phase 1 Transforms

Proposal Name       Encryption Algorithm   HMAC Function   DH Key Group   Device Authentication
IKE-3DES-MD5        3DES                   MD5             2              Pre-shared keys
IKE-3DES-MD5-DH1    3DES                   MD5             1              Pre-shared keys
IKE-DES-MD5         DES                    MD5             1              Pre-shared keys
IKE-3DES-MD5-RSA    3DES                   MD5             2              RSA signatures
IKE-AES128-SHA      AES-128                SHA             2              Pre-shared keys

IKE Policy Screen

From the IKE policy screen, click the Add button to add a new proposal or select an existing proposal by clicking its name and click the Modify button to change it. This takes you to the IKE policies configuration screen shown in Figure 9-2.

Figure 9-2. IKE Policies Screen

I discussed the configuration of these options in Chapter 7, so I'll focus only on those items important for L2L sessions. The Authentication Mode parameter specifies the type of device authentication that is to be used. The parameter values ending in "(XAUTH)" or "(HYBRID)" can be used only by remote access clients. Therefore, your only options for this parameter are these three:

  • "Preshared Keys"
  • "RSA Digital Certificate"
  • "DSA Digital Certificate"

The only Cisco products that support DSA certificates are Cisco VPN 3000 concentrators and the PIX and ASA security appliances running 7.0 or higher. Pre-shared keys typically are used if the number of L2L peers is small; if the number of peers is large, certificates are the preferred device authentication method, because they scale better.

Another parameter is the Diffie-Hellman Group parameter. Most remote peers will support only DH group 1 and 2 keys, so be sure that your proposal supports one of these two. Cisco routers, PIX and ASA security appliances, and VPN 3000 concentrators also support group 5, which is the most secure of the three (group 7 is used by PDAs).

Tip

A matching ISAKMP/IKE Phase 1 transform set must be found between two L2L peers before an ISAKMP/IKE Phase 1 management connection is built. The default lifetime of the management connection on all Cisco products is 86,400 seconds (1 day). If the remote peer follows the IPsec standard, this is the only value that doesn't have to match between the two peers when comparing management transforms; however, other vendors don't necessarily follow the IPsec standards verbatim. For example, if you're building an L2L session to a CheckPoint/Nokia device, you will need to match this value between the peers; otherwise the negotiation of the transform will fail!
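To make the matching rule in the tip concrete, here is an added example (not code from the book or from Cisco) that models the concentrator's default proposals from Table 9-2 and checks an initiator's offered proposals against them: encryption, HMAC, DH group and authentication must all match, while the lifetime is ignored unless the peer is flagged as one that insists on it. The names IkeProposal, CONCENTRATOR_DEFAULTS and negotiate_phase1 are assumptions made for this example.

```python
"""Added example: simulate ISAKMP/IKE Phase 1 proposal matching."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class IkeProposal:
    name: str
    encryption: str
    hmac: str
    dh_group: int
    auth: str
    lifetime: int = 86400  # Cisco default management-connection lifetime


# Proposals active by default on the VPN 3000 concentrator (Table 9-2).
CONCENTRATOR_DEFAULTS = [
    IkeProposal("IKE-3DES-MD5", "3DES", "MD5", 2, "Pre-shared keys"),
    IkeProposal("IKE-3DES-MD5-DH1", "3DES", "MD5", 1, "Pre-shared keys"),
    IkeProposal("IKE-DES-MD5", "DES", "MD5", 1, "Pre-shared keys"),
    IkeProposal("IKE-3DES-MD5-RSA", "3DES", "MD5", 2, "RSA signatures"),
    IkeProposal("IKE-AES128-SHA", "AES-128", "SHA", 2, "Pre-shared keys"),
]


def negotiate_phase1(offered: Iterable[IkeProposal],
                     configured: Iterable[IkeProposal],
                     strict_lifetime: bool = False) -> Optional[IkeProposal]:
    """Return the first local proposal that matches one the peer offered.

    Offers are walked in the initiator's order; for each, the responder's
    list is searched for the first acceptable entry.  strict_lifetime
    models a non-standard peer that also requires the lifetime to match.
    """
    for offer in offered:
        for local in configured:
            if ((offer.encryption, offer.hmac, offer.dh_group, offer.auth)
                    != (local.encryption, local.hmac, local.dh_group, local.auth)):
                continue  # one of the four mandatory attributes differs
            if strict_lifetime and offer.lifetime != local.lifetime:
                continue  # standard-conforming peers would accept this
            return local
    return None  # no match: Phase 1 negotiation fails
```

With a peer offering 3DES/MD5/group 2/pre-shared keys but a 28,800-second lifetime, the standard comparison selects IKE-3DES-MD5, while the strict variant returns no match.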



The Complete Cisco VPN Configuration Guide
ISBN: 1587052040
Year: 2006
Pages: 178
Authors: Richard Deal