CCIE Security Study Notes: IOS IPSec for Preshared Keys - Complete
Check the Current Configuration
show running-config
show crypto isakmp policy
show crypto map
show crypto ipsec transform-set
Configure IKE
fum2(config)# crypto isakmp enable
fum2(config)# no crypto isakmp enable
Create IKE Policies
Parameter               Preferred (stronger)   2nd Choice   3rd Choice
Encryption algorithm    3des                   des          des
Hash algorithm          sha                    sha          md5
Authentication method   preshare               preshare     preshare
DH key exchange group   2                      2            1
IKE SA lifetime         43,200                 43,200       86,400
fum1#conf t
fum1(config)#crypto isakmp policy 100
fum1(config-isakmp)#authentication {pre-share | rsa-encr | rsa-sig}
fum1(config-isakmp)#encryption {des | 3des} (depending on feature set)
fum1(config-isakmp)#hash {md5 | sha}
fum1(config-isakmp)#group {1 | 2}
fum1(config-isakmp)#lifetime <60 to 86400 seconds>
fum1(config)#crypto isakmp policy 100
fum1(config-isakmp)#authentication pre-share
fum1(config-isakmp)#encryption 3des
fum1(config-isakmp)#hash sha
fum1(config-isakmp)#group 2
fum1(config-isakmp)#lifetime 43200
fum1(config-isakmp)#exit
fum1(config)#[no] crypto isakmp policy priority
fum1#conf t
fum1(config)#crypto isakmp policy 200
fum1(config-isakmp)#authentication pre-share
fum1(config-isakmp)#group 2
fum1(config-isakmp)#lifetime 43200
fum1(config-isakmp)#crypto isakmp policy 300
fum1(config-isakmp)#authentication pre-share
fum1(config-isakmp)#hash md5
fum1(config-isakmp)#exit
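Policies 200 and 300 above leave some parameters unset, so they silently inherit IOS defaults that sit below the "Preferred" column of the table. The following script is an added example (not part of the original notes): it parses `crypto isakmp policy` blocks from a constructed running-config fragment, fills in the assumed classic IOS 12.x defaults (encryption des, hash sha, authentication rsa-sig, group 1, lifetime 86400), and reports every value weaker than the preferred column.

```python
"""Audit 'crypto isakmp policy' blocks in an IOS running-config against the
"Preferred" column of the IKE table. Assumed classic IOS 12.x defaults for
unset parameters: encr des, hash sha, auth rsa-sig, group 1, lifetime 86400."""
import re

IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}          # assumption, see above
PREFERRED = {"encryption": "3des", "hash": "sha", "authentication": "pre-share",
             "group": "2", "lifetime": "43200"}             # table's preferred column

# Constructed running-config fragment for policies 100, 200 and 300 from the notes.
SAMPLE_CONFIG = """\
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
 lifetime 43200
crypto isakmp policy 200
 authentication pre-share
 group 2
 lifetime 43200
crypto isakmp policy 300
 hash md5
 authentication pre-share
"""
PARAM_RE = re.compile(r"^\s+(encr(?:yption)?|hash|authentication|group|lifetime)\s+(\S+)")

def parse_isakmp_policies(config):
    """Return {priority: {param: value}}; unset parameters take IOS_DEFAULTS."""
    policies, current = {}, None
    for line in config.splitlines():
        head = re.match(r"^crypto isakmp policy (\d+)", line)
        if head:
            current = dict(IOS_DEFAULTS)
            policies[int(head.group(1))] = current
            continue
        param = PARAM_RE.match(line)
        if param and current is not None:
            key = "encryption" if param.group(1).startswith("encr") else param.group(1)
            current[key] = param.group(2)
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the policy block
    return policies

def weak_settings(policies):
    """(priority, param, actual, preferred) for every value below the preferred column."""
    return [(prio, key, vals[key], want)
            for prio, vals in sorted(policies.items())
            for key, want in PREFERRED.items() if vals[key] != want]
```

Run `weak_settings(parse_isakmp_policies(SAMPLE_CONFIG))`: policy 100 is clean, policy 200 is flagged for defaulting to des, and policy 300 is flagged for des, md5, group 1 and the 86400 s lifetime.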
Configure Preshared Keys
fum1(config)#[no] crypto isakmp identity {address | hostname}
fum1(config)#crypto isakmp identity hostname
fum1(config)#crypto isakmp key cisco123 address 10.0.50.2
fum1(config)#crypto isakmp policy 100
fum1(config-isakmp)#authentication pre-share
fum1(config-isakmp)#encryption 3des
fum1(config-isakmp)#group 2
fum1(config-isakmp)#lifetime 43200
fum1(config-isakmp)#exit
fum2(config)#crypto isakmp key cisco123 address 10.0.1.21
fum2(config)#crypto isakmp policy 100
fum2(config-isakmp)#authentication pre-share
fum2(config-isakmp)#encryption 3des
fum2(config-isakmp)#group 2
fum2(config-isakmp)#lifetime 43200
fum2(config-isakmp)#exit
Configure IPSec
Configure Transform Set Suites
fum1(config)#crypto ipsec transform-set transform-set-name trans1 [trans2 [trans3]]
fum1(config)#no crypto ipsec transform-set transform-set-name
fum1#conf t
fum1(config)#crypto ipsec transform-set MD5-DES esp-md5-hmac esp-des
fum1(cfg-crypto-trans)#crypto ipsec transform-set DES-ONLY esp-des
fum1(cfg-crypto-trans)#crypto ipsec transform-set AH-ONLY ah-sha-hmac
fum1(cfg-crypto-trans)#crypto ipsec transform-set CPU-HOG ah-md5-hmac esp-md5-hmac esp-des
fum1(cfg-crypto-trans)#exit
fum1(config)#
Configure Global IPSec Security Association Lifetimes
fum1(config)#crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
fum1(config)#no crypto ipsec security-association lifetime {seconds | kilobytes}
fum1(config)#crypto ipsec security-association lifetime seconds 1800
fum1(config)#crypto ipsec security-association lifetime kilobytes 2300000
Configure Crypto ACLs
fum1(config)#access-list 125 permit tcp 192.168.0.0 0.0.127.255 192.168.130.0 0.0.0.255
fum2(config)#access-list 150 permit tcp 192.168.130.0 0.0.0.255 192.168.0.0 0.0.127.255
Configure Crypto Maps
fum1(config)#crypto map map-name seq-num ipsec-manual
fum1(config)#crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name][discover]
fum1(config)#no crypto map map-name [seq-num]
fum1(config)#crypto map testmap 50 ipsec-isakmp
fum1(config-crypto-map)#description VPN Link to branch in Tacoma, WA
fum1(config-crypto-map)#set peer 10.0.50.2
fum1(config-crypto-map)#set security-association lifetime seconds 1800
fum1(config-crypto-map)#set pfs group2
fum1(config-crypto-map)#set transform-set CPU-HOG
fum1(config-crypto-map)#match address 125
fum1(config-crypto-map)#exit
fum1(config)#
fum1(config)#crypto map testmap 100 ipsec-isakmp
fum1(config-crypto-map)#description VPN Link to branch in San Antonio, TX
fum1(config-crypto-map)#set peer 10.1.195.130
fum1(config-crypto-map)#set security-association lifetime seconds 2700
fum1(config-crypto-map)#set pfs group2
fum1(config-crypto-map)#set transform-set DES-ONLY
fum1(config-crypto-map)#match address 150
fum1(config-crypto-map)#exit
Apply the Crypto Maps to the Interface
fum1(config-if)#crypto map map-name
fum1(config)#interface serial 0
fum1(config-if)#crypto map testmap
fum1(config-if)#exit