Home » Cisco Manuals » Bridges & Routers » Cisco 520-T1 » Manual Viewer

Cisco 520-T1 Software Guide - Page 67

Con the IKE Policy, Example

UPC - 882658299889

Add to My Manuals
Save this manual to your list of manuals

Page 67 highlights

Chapter 6 Configuring a VPN Using Easy VPN and an IPsec Tunnel Configure the IKE Policy Note The procedures in this chapter assume that you have already configured basic router features as well as PPPoE or PPPoA with NAT, DCHP and VLANs. If you have not performed these configurations tasks, see Chapter 1, "Basic Router Configuration," Chapter 3, "Configuring PPP over Ethernet with NAT," Chapter 4, "Configuring PPP over ATM with NAT," and Chapter 5, "Configuring a LAN with DHCP and VLANs" as appropriate for your router. Note The examples shown in this chapter refer only to the endpoint configuration on the Cisco Secure Router 520 Series router. Any VPN connection requires both endpoints be configured properly to function. See the software configuration documentation as needed to configure VPN for other router models. Configure the IKE Policy Perform these steps to configure the Internet Key Exchange (IKE) policy, beginning in global configuration mode: Step 1 Step 2 Command or Action crypto isakmp policy priority Example: Router(config)# crypto isakmp policy 1 Router(config-isakmp)# encryption {des | 3des | aes | aes 192 | aes 256} Example: Router(config-isakmp)# encryption 3des Router(config-isakmp)# Purpose Creates an IKE policy that is used during IKE negotiation. The priority is a number from 1 to 10000, with 1 being the highest. Also enters the Internet Security Association Key and Management Protocol (ISAKMP) policy configuration mode. Specifies the encryption algorithm used in the IKE policy. The example specifies 168-bit data encryption standard (DES). Step 3 Step 4 hash {md5 | sha} Example: Router(config-isakmp)# hash md5 Router(config-isakmp)# Specifies the hash algorithm used in the IKE policy. The example specifies the Message Digest 5 (MD5) algorithm. The default is Secure Hash standard (SHA-1). authentication {rsa-sig | rsa-encr | pre-share} Example: Router(config-isakmp)# authentication pre-share Router(config-isakmp)# Specifies the authentication method used in the IKE policy. The example specifies a pre-shared key. OL-14210-01 Cisco Secure Router 520 Series Software Configuration Guide 6-3

Section	Page
Cisco Secure Router 520 Series Software Configuration Guide	1
Contents	3
Preface	9
Objective	9
Audience	9
Organization	10
This guide is organized into the following chapters and appendix.	10
Conventions	11
Related Documentation	16
Obtaining Documentation and Submitting a Service Request	17
Part 1	19
Getting Started	19
Basic Router Configuration	21
Viewing the Default Configuration	22
Information Needed for Customizing the Default Parameters	22
Interface Port Labels	23
Configuring Basic Parameters	23
Configure Global Parameters	24
Example:	24
Example:	24
Example:	24
Example:	24
Configure Fast Ethernet LAN Interfaces	24
Configure WAN Interfaces	24
Configure the Fast Ethernet WAN Interface	25
Example:	25
Example:	25
Example:	25
Example:	25
Configure the ATM WAN Interface	25
Example:	26
Example:	26
Example:	26
Example:	26
Configure the Wireless Interface	26
Configuring a Loopback Interface	26
Example:	27
ip address ip-address mask	27
Example:	27
Example:	27
Configuration Example	27
Verifying Your Configuration	27
Configuring Command-Line Access to the Router	28
Example:	28
Example:	28
Example:	28
Example:	28
Example:	29
Example:	29
Example:	29
Example:	29
Example:	29
Configuration Example	29
Configuring Static Routes	30
Example:	30
Example:	30
Configuration Example	30
Verifying Your Configuration	30
Configuring Dynamic Routes	31
Configuring RIP	31
Example:	31
Example:	31
Example:	31
Example:	32
Example:	32
Configuration Example	32
Verifying Your Configuration	32
Part 2	33
Configuring Your Router for Ethernet and DSL Access	33
Sample Network Deployments	35
For Ethernet-Based Network Deployments	35
For DSL-Based Network Deployments	35
Configuring PPP over Ethernet with NAT	37
PPPoE	38
NAT	38
Configuration Tasks	38
Configure the Virtual Private Dialup Network Group Number	38
Example:	38
Example:	38
Example:	39
Example:	39
Example:	39
Example:	39
Configure the Fast Ethernet WAN Interfaces	39
Example:	39
Example:	39
Example:	40
Example:	40
Configure the Dialer Interface	40
Example:	40
Example:	40
Example:	40
Example:	40
Example:	41
Example:	41
Example:	41
Example:	41
Example:	41
Example:	41
Configure Network Address Translation	41
Example:	42
Example 1:	42
Example 2:	42
Example:	42
Example:	42
Example:	42
Example:	43
Example:	43
Example:	43
Example:	43
Example:	43
Example:	43
Configuration Example	44
Verifying Your Configuration	44
Configuring PPP over ATM with NAT	47
PPPoA	48
NAT	48
Configuration Tasks	48
Configure the Dialer Interface	48
Example:	49
Example:	49
Example:	49
Example:	49
Example:	49
Example:	49
Example:	49
Example:	50
Example:	50
Example:	50
Configure the ATM WAN Interface	51
Example:	51
Example:	51
Example:	51
Example:	51
Example:	52
Example:	52
Configure DSL Signaling Protocol	52
Configuring ADSL	52
Verify the Configuration	53
Configure Network Address Translation	53
Example:	53
Example 1:	53
Example 2:	53
Example:	53
Example:	54
Example:	54
Example:	54
Example:	54
Example:	54
Example:	54
Example:	55
Example:	55
Configuration Example	55
Verifying Your Configuration	56
Configuring a LAN with DHCP and VLANs	57
DHCP	57
VLANs	58
Configuration Tasks	58
Configure DHCP	58
Example:	58
Example:	58
Example:	58
Example:	59
Example:	59
Example:	59
Example:	59
Example:	59
Example:	59
Example:	59
Configuration Example	60
Verify Your DHCP Configuration	60
Configure VLANs	61
Example:	61
Example:	61
Example:	61
Assign a Switch Port to a VLAN	62
Example:	62
Example:	62
Example:	62
Verify Your VLAN Configuration	62
Configuring a VPN Using Easy VPN and an IPsec Tunnel	65
Cisco Easy VPN	66
Configuration Tasks	66
Configure the IKE Policy	67
Example:	67
Example:	67
Example:	67
Example:	67
Example:	68
Example:	68
Example:	68
Configure Group Policy Information	68
Example:	68
Example:	68
Example:	68
Example:	69
Example:	69
Example:	69
Apply Mode Configuration to the Crypto Map	69
Example:	69
Example:	69
Enable Policy Lookup	70
Example:	70
Example:	70
Example:	70
Example:	70
Configure IPsec Transforms and Protocols	70
Example:	71
Example:	71
Configure the IPsec Crypto Method and Parameters	71
Example:	71
Example:	71
Example:	72
Example:	72
Example:	72
Apply the Crypto Map to the Physical Interface	72
Example:	72
Example:	73
Example:	73
Create an Easy VPN Remote Configuration	73
Example:	73
Example:	73
Example:	73
Example:	73
Example:	74
Example:	74
Example:	74
Example:	74
Verifying Your Easy VPN Configuration	74
Configuration Example	74
Configuring VPNs Using an IPsec Tunnel and Generic Routing Encapsulation	77
GRE Tunnels	78
VPNs	78
Configuration Tasks	78
Configure a VPN	78
Configure the IKE Policy	79
Example:	79
Example:	79
Example:	79
Example:	79
Example:	79
Example:	79
Example:	79
Configure Group Policy Information	80
Example:	80
Example:	80
Example:	80
Example:	80
Example:	80
Example:	80
Enable Policy Lookup	81
Example:	81
Example:	81
Example:	81
Example:	81
Configure IPsec Transforms and Protocols	81
Example:	82
Example:	82
Configure the IPsec Crypto Method and Parameters	82
Example:	82
Example:	82
Example:	83
Example:	83
Example:	83
Apply the Crypto Map to the Physical Interface	83
Example:	83
Example:	84
Example:	84
Configure a GRE Tunnel	84
Example:	84
Example:	84
Example:	84
Example:	84
Example:	85
Example:	85
Example:	85
Example:	85
Example:	85
Configuration Example	85
Configuring a Simple Firewall	89
Configuration Tasks	90
Configure Access Lists	91
Example:	91
Example:	91
Configure Inspection Rules	92
Example:	92
Example:	92
Apply Access Lists and Inspection Rules to Interfaces	92
Example:	92
Example:	92
Example:	92
Example:	93
Example:	93
Example:	93
Configuration Example	93
Configuring a Wireless LAN Connection	95
Configuration Tasks	96
Configure the Root Radio Station	96
Example:	96
Example:	96
Example:	97
Example:	97
Example:	97
Example:	97
Example:	97
Example:	97
Example:	97
Example:	98
Example:	98
Example:	98
Example:	98
Configure Bridging on VLANs	98
Example:	98
Example:	98
Example:	99
Example:	99
Example:	99
Example:	99
Configure Radio Station Subinterfaces	99
Example:	99
Example:	99
Example:	100
Example:	100
Example:	100
Example:	100
Configuration Example	100
Part 3	103
Configuring Additional Features and Troubleshooting	103
Additional Configuration Options	105
Configuring Security Features	107
Authentication, Authorization, and Accounting	107
Configuring AutoSecure	108
Configuring Access Lists	108
Access Groups	109
Guidelines for Creating Access Groups	109
Configuring a CBAC Firewall	109
Configuring Cisco IOS Firewall IDS	110
Configuring VPNs	110
Troubleshooting	111
Getting Started	111
Before Contacting Cisco or Your Reseller	111
ADSL Troubleshooting	112
ATM Troubleshooting Commands	112
ping atm interface Command	112
Example 12-1 Determining If a PVC Is in Use	112
show interface Command	113
Example 12-2 Viewing Status of Selected Interfaces	113
show atm interface Command	115
Example 12-3 Viewing Information About an ATM Interface	115
debug atm Commands	115
Guidelines for Using Debug Commands	115
debug atm errors Command	116
Example 12-4 Viewing ATM Errors	116
debug atm events Command	116
Example 12-5 Viewing ATM Interface Processor Events-Success	116
Example 12-6 Viewing ATM Interface Processor Events-Failure	117
debug atm packet Command	117
Example 12-7 Viewing ATM Packet Processing	118
Software Upgrade Methods	118
Recovering a Lost Password	119
Change the Configuration Register	119
Reset the Router	120
Reset the Password and Save Your Changes	121
Reset the Configuration Register Value	121
Part 4	123
Reference Information	123
A	125
Cisco IOS Software Basic Skills	125
Configuring the Router from a PC	125
Understanding Command Modes	126
Getting Help	128
Enable Secret Passwords and Enable Passwords	128
Entering Global Configuration Mode	129
Using Commands	129
Abbreviating Commands	130
Undoing Commands	130
Command-Line Error Messages	130
Saving Configuration Changes	130
Summary	131
Where to Go Next	131
B	133
Concepts	133
ADSL	133
Network Protocols	134
IP	134
Routing Protocol Options	134
RIP	134
PPP Authentication Protocols	135
PAP	135
CHAP	135
TACACS+	136
Network Interfaces	136
Ethernet	136
ATM for DSL	136
PVC	137
Dialer Interface	137
NAT	137
Easy IP (Phase 1)	138
Easy IP (Phase 2)	138
QoS	139
IP Precedence	139
PPP Fragmentation and Interleaving	139
CBWFQ	140
RSVP	140
Low Latency Queuing	140
Access Lists	141
ROM Monitor	143
Entering the ROM Monitor	143
ROM Monitor Commands	144
Command Descriptions	145
Disaster Recovery with TFTP Download	145
TFTP Download Command Variables	146
Required Variables	146
Optional Variables	146
Using the TFTP Download Command	147
Configuration Register	147
Changing the Configuration Register Manually	148
Changing the Configuration Register Using Prompts	148
Console Download	149
Command Description	149
Error Reporting	150
Debug Commands	150
Exiting the ROM Monitor	151
D	153
Common Port Assignments	153

Match case Limit results 1 per page

6-3

Cisco Secure Router 520 Series Software Configuration Guide

OL-14210-01

Chapter 6

Configuring a VPN Using Easy VPN and an IPsec Tunnel

Configure the IKE Policy

Note

The procedures in this chapter assume that you have already configured basic router features as well as

PPPoE or PPPoA with NAT, DCHP and VLANs. If you have not performed these configurations tasks,

see

Chapter 1, “Basic Router Configuration,” Chapter 3, “Configuring PPP over Ethernet with NAT,”

Chapter 4, “Configuring PPP over ATM with NAT,”

and

Chapter 5, “Configuring a LAN with DHCP and

VLANs”

as appropriate for your router.

Note

The examples shown in this chapter refer only to the endpoint configuration on the

Cisco Secure Router 520 Series router. Any VPN connection requires both endpoints be configured

properly to function. See the software configuration documentation as needed to configure VPN for

other router models.

Configure the IKE Policy

Perform these steps to configure the Internet Key Exchange (IKE) policy, beginning in global

configuration mode:

Command or Action

Purpose

Step 1

crypto isakmp policy

priority

Example:

Router(config)#

crypto isakmp policy 1

Router(config-isakmp)#

Creates an IKE policy that is used during IKE

negotiation. The priority is a number from 1 to

10000, with 1 being the highest.

Also enters the Internet Security Association Key

and Management Protocol (ISAKMP) policy

configuration mode.

Step 2

encryption

{

des | 3des | aes | aes 192 | aes 256

}

Example:

Router(config-isakmp)#

encryption 3des

Router(config-isakmp)#

Specifies the encryption algorithm used in the IKE

policy.

The example specifies 168-bit data encryption

standard (DES).

Step 3

hash

{

md5 | sha

}

Example:

Router(config-isakmp)#

hash md5

Router(config-isakmp)#

Specifies the hash algorithm used in the IKE

policy.

The example specifies the Message Digest 5

(MD5) algorithm. The default is Secure Hash

standard (SHA-1).

Step 4

authentication

{

rsa-sig | rsa-encr | pre-share

}

Example:

Router(config-isakmp)#

authentication

pre-share

Router(config-isakmp)#

Specifies the authentication method used in the

IKE policy.

The example specifies a pre-shared key.