Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 11 Allowing Remote Management
Allowing a VPN Management Connection
Step 2 To set the Diffie-Hellman group used for key exchange, enter the following command:
FWSM/contexta(config)# isakmp policy priority group {1 | 2}
Group 1 is 768 bits, and Group 2 is 1024 bits (and therefore more secure). Both moduli are small by current standards, so use Group 2 unless the peer supports only Group 1; the group must match the one configured on the peer or IKE negotiation fails.
Step 3 To set the authentication (hash) algorithm, enter the following command:
FWSM/contexta(config)# isakmp policy priority hash {md5 | sha}
The sha keyword (SHA-1) is more secure than md5 and should be used unless the peer supports only MD5.
Step 4 To set the IKE authentication method as a shared key, enter the following command:
FWSM/contexta(config)# isakmp policy priority authentication pre-share
You can alternatively use certificates instead of a shared key by specifying the rsa-sig option. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information about this method.
Step 5 To enable IKE on the tunnel interface, enter the following command:
FWSM/contexta(config)# isakmp enable interface_name
Step 6 To set the authentication and encryption methods used for IPSec tunnels in a transform set, enter the following command:
FWSM/contexta(config)# crypto ipsec transform-set transform_name {[ah-md5-hmac | ah-sha-hmac] | [esp-md5-hmac | esp-sha-hmac]} {esp-des | esp-3des}
You refer to this transform set by name when you configure the VPN client group or a site-to-site tunnel. You can refer to up to 6 transform sets for a tunnel; the sets are checked in order until one matches the transforms proposed by the peer.
The authentication and encryption algorithms of this transform set typically match those of the IKE policy (the isakmp policy commands). For site-to-site tunnels, the transform set must match a transform set configured on the peer, or the IPSec negotiation fails.
Typically, you need to specify one authentication option and one encryption option.
Authentication options include the following (from most secure to least secure):
• ah-sha-hmac
• ah-md5-hmac
• esp-sha-hmac
• esp-md5-hmac
The ah- transforms authenticate the outer IP header as well as the payload, while the esp- transforms authenticate only the ESP payload. Because AH covers the IP header, an AH tunnel cannot pass through NAT; within either family, sha is the stronger hash.
Encryption options include the following (from most secure to least secure):
• esp-3des
• esp-des (56-bit key)
Note esp-null (no encryption) is for testing purposes only.
Although you can specify authentication alone or encryption alone, neither is secure on its own: authentication alone sends the payload in the clear, and encryption alone leaves it open to undetected modification. You can also specify two authentication options, but this does not increase security and slows down the FWSM because each packet is authenticated twice.
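The following checker applies the rules from Steps 2 through 6 to FWSM configuration lines. It is an added example, not code from the Cisco guide: the two sample configurations (one with every weaker option, one with the strongest options this FWSM release offers) are constructed for illustration, the interface name outside is an assumption, each command is assumed to sit on one line (the CLI prompt is stripped if the lines were pasted from a session), and the checks encode only this chapter's own ranking of options, including the warning against authentication-only, encryption-only, and doubly authenticated transform sets and the expectation that the transform set matches the IKE policy.

```python
"""Lint FWSM IKE-policy and transform-set lines for the weak choices this
chapter warns about. Added example, not code from the Cisco guide: both
sample configurations are constructed, the interface name "outside" is an
assumption, one command per line is assumed (the prompt is stripped if
present), and the checks encode only this chapter's own ranking of options."""
import re

# Rankings from the chapter: first entry is the strongest option.
AUTH_OPTIONS = ["ah-sha-hmac", "ah-md5-hmac", "esp-sha-hmac", "esp-md5-hmac"]
ENC_OPTIONS = ["esp-3des", "esp-des", "esp-null"]
# isakmp policy attribute -> (weaker value, what to use instead)
WEAK_POLICY = {"group": ("1", "group 2"), "hash": ("md5", "hash sha"),
               "encryption": ("des", "encryption 3des")}
# Constructed sample: every weaker choice at once, pasted with the CLI prompt.
WEAK_CONFIG = """\
FWSM/contexta(config)# isakmp policy 1 authentication pre-share
FWSM/contexta(config)# isakmp policy 1 encryption des
FWSM/contexta(config)# isakmp policy 1 hash md5
FWSM/contexta(config)# isakmp policy 1 group 1
FWSM/contexta(config)# isakmp enable outside
FWSM/contexta(config)# crypto ipsec transform-set weak ah-md5-hmac esp-md5-hmac
"""
# Constructed sample: the strongest options this FWSM release offers.
HARDENED_CONFIG = """\
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp enable outside
crypto ipsec transform-set strong esp-sha-hmac esp-3des
"""
PROMPT = re.compile(r"^\S+\(config\)#\s*")
POLICY = re.compile(r"^isakmp policy (\d+) (\S+) (\S+)$")
TSET = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")

def parse_config(text):
    """Return ({priority: {attribute: value}}, {set_name: [transforms]})."""
    policies, tsets = {}, {}
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        m = POLICY.match(line)
        if m:
            prio, attr, value = m.groups()
            policies.setdefault(prio, {})[attr] = value
            continue
        m = TSET.match(line)
        if m:
            tsets[m.group(1)] = m.group(2).split()
    return policies, tsets

def check_policy(prio, policy):
    """Flag each isakmp policy attribute that is set to the weaker alternative."""
    return [f"isakmp policy {prio}: {attr} {weak} is the weaker choice; use {better}"
            for attr, (weak, better) in WEAK_POLICY.items() if policy.get(attr) == weak]

def check_transform_set(name, transforms):
    """Apply the chapter's rule: one authentication plus one encryption transform."""
    out = []
    auths = [t for t in transforms if t in AUTH_OPTIONS]
    encs = [t for t in transforms if t in ENC_OPTIONS]
    if not auths:
        out.append(f"transform-set {name}: encryption alone (no authentication transform) is not secure")
    if not encs:
        out.append(f"transform-set {name}: authentication alone (no encryption transform) is not secure")
    if len(auths) > 1:
        out.append(f"transform-set {name}: two authentication transforms add no security and authenticate every packet twice")
    if "esp-null" in encs:
        out.append(f"transform-set {name}: esp-null gives no confidentiality; testing only")
    if "esp-des" in encs:
        out.append(f"transform-set {name}: esp-des is the weaker option; use esp-3des")
    if any(a.endswith("md5-hmac") for a in auths):
        out.append(f"transform-set {name}: md5-hmac is the weaker option; use sha-hmac")
    return out

def check_consistency(policies, tsets):
    """The chapter says the transform set's algorithms typically match the IKE policy."""
    out = []
    for name, transforms in tsets.items():
        for t in transforms:
            if t in AUTH_OPTIONS:
                attr, val = "hash", ("sha" if "sha" in t else "md5")
            elif t in ("esp-des", "esp-3des"):
                attr, val = "encryption", t[len("esp-"):]
            else:
                continue  # esp-null has no IKE-policy counterpart
            if not any(p.get(attr) == val for p in policies.values()):
                out.append(f"transform-set {name}: {t} but no isakmp policy uses {attr} {val}")
    return out

def lint(text):
    """Every finding for a block of FWSM config lines; an empty list means clean."""
    policies, tsets = parse_config(text)
    out = [f for prio in sorted(policies, key=int) for f in check_policy(prio, policies[prio])]
    for name, transforms in tsets.items():
        out += check_transform_set(name, transforms)
    return out + check_consistency(policies, tsets)
```

Running lint(WEAK_CONFIG) reports six findings (group 1, md5, des, a transform set with no encryption, two authentication transforms, and md5-hmac), while lint(HARDENED_CONFIG) reports none. Paste the relevant lines of show running-config into lint to check an existing FWSM before enabling the tunnel.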
For example, to configure the IKE policy and the IPSec transform sets, enter the following commands:
FWSM/contexta(config)# isakmp policy 1 authentication pre-share
FWSM/contexta(config)# isakmp policy 1 encryption 3des