This chapter describes how to enable and configure IKE, as well as how to disable IKE, if needed. IKE is a key management protocol standard that is used in conjunction with IPSec.
For IKE background information, see "About Internet Key Exchange (IKE)."
For a complete description of the IPSec-related commands used in this chapter, see "Command Reference." For a complete description of the non-IPSec commands used in this chapter, refer to the "Command Reference" chapter within the Configuration Guide for the Cisco Secure PIX Firewall Version 5.2.
This chapter includes the following sections:
To enable and configure IKE, perform the following steps:
Note If you enter a default value for a given policy parameter, it will not be written in the configuration. If you do not specify a value for a given policy parameter, the default value is assigned.
a. Identify the policy to create. Each policy is uniquely identified by the priority number you assign.
isakmp policy priority
isakmp policy 20
b. Specify the encryption algorithm:
isakmp policy priority encryption des | 3des
isakmp policy 20 encryption des
c. Specify the hash algorithm:
isakmp policy priority hash md5 | sha
isakmp policy 20 hash md5
d. Specify the authentication method:
isakmp policy priority authentication pre-share | rsa-sig
isakmp policy 20 authentication rsa-sig
Note If you specify the authentication method of pre-shared keys, you are required to manually configure these keys. See "Configuring IKE Pre-Shared (Authentication) Keys Manually."
e. Specify the Diffie-Hellman group identifier:
isakmp policy priority group 1 | 2
isakmp policy 20 group 2
f. Specify the security association's lifetime:
isakmp policy priority lifetime seconds
isakmp policy 20 lifetime 5000
The following example shows two policies with policy 20 as the highest priority, policy 30 as the next priority, and the existing default policy as the lowest priority:
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 authentication rsa-sig
isakmp policy 20 group 2
isakmp policy 20 lifetime 5000
isakmp policy 30 authentication pre-share
isakmp policy 30 lifetime 10000
In this example, the line isakmp policy 20 encryption des would not appear in the written configuration, because DES is the default for the encryption algorithm parameter.
Step 2 (Optional) View all existing IKE policies:
show isakmp policy
The following is an example of the output after the policies 20 and 30 in the previous example were configured:
Protection suite priority 20
encryption algorithm: DES - Data Encryption Standard (56 bit keys)
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #2 (1024 bit)
lifetime: 5000 seconds, no volume limit
Protection suite priority 30
encryption algorithm: DES - Data Encryption Standard (56 bit keys)
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 10000 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys)
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Note Although the output shows "no volume limit" for the lifetimes, you can currently only configure a time lifetime (such as 86,400 seconds) with IKE; volume limit lifetimes are not currently configurable.
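The following is an added example, not part of the Cisco chapter, that ties the show output above back to the two rules the chapter states: a parameter left at its default is not written to the configuration, and the "Default protection suite" is itself never written. It parses the show isakmp policy text (the sample below is copied from the chapter's own output), reconstructs the isakmp policy lines the firewall would actually store, and flags parameters a reviewer would want to look at. The mapping from show wording to CLI keywords for anything not visible in the chapter (for example how 3DES is printed) and the audit thresholds (56-bit DES, MD5, the 768-bit group 1) are my assumptions, not Cisco documentation.

```python
"""Audit PIX IKE policies from 'show isakmp policy' output.

Added example, not Cisco's code. The sample is copied from the chapter; the
show-wording-to-keyword mapping for values not shown there and the audit
thresholds are assumptions made for this example.
"""
import re

# Defaults as stated in the chapter: a parameter left at its default is not
# written to the configuration.
DEFAULTS = {
    "encryption": "des",
    "hash": "sha",
    "authentication": "rsa-sig",
    "group": "1",
    "lifetime": "86400",
}

# Show-output wording -> CLI keyword (only the strings visible in the chapter).
_HASH = {"Message Digest 5": "md5", "Secure Hash Standard": "sha"}
_AUTH = {"Rivest-Shamir-Adleman Signature": "rsa-sig", "Pre-Shared Key": "pre-share"}

# Constructed sample: the chapter's own 'show isakmp policy' output.
SAMPLE_SHOW = """\
Protection suite priority 20
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               5000 seconds, no volume limit
Protection suite priority 30
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               10000 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""


def _encryption_keyword(text):
    """Assumption: any wording mentioning triple DES maps to 3des, else des."""
    t = text.lower()
    if "triple" in t or "3des" in t:
        return "3des"
    if "des" in t:
        return "des"
    return t.strip()


def parse_show_isakmp_policy(text):
    """Return one dict per protection suite, in display order.

    The default suite gets priority None so callers can tell it apart."""
    suites = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Protection suite priority (\d+)$", line)
        if m:
            current = {"priority": int(m.group(1))}
            suites.append(current)
            continue
        if line == "Default protection suite":
            current = {"priority": None}
            suites.append(current)
            continue
        if current is None or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip(), value.strip()
        if field == "encryption algorithm":
            current["encryption"] = _encryption_keyword(value)
        elif field == "hash algorithm":
            current["hash"] = _HASH.get(value, value)
        elif field == "authentication method":
            current["authentication"] = _AUTH.get(value, value)
        elif field == "Diffie-Hellman group":
            current["group"] = re.search(r"#(\d+)", value).group(1)
        elif field == "lifetime":
            current["lifetime"] = re.search(r"(\d+) seconds", value).group(1)
    return suites


def to_config_lines(policy):
    """Emit the 'isakmp policy' lines the firewall would actually write:
    default-valued parameters are dropped, and the default suite is never
    written at all (both per the chapter)."""
    if policy["priority"] is None:
        return []
    prio = policy["priority"]
    lines = []
    for param in ("encryption", "hash", "authentication", "group", "lifetime"):
        value = policy.get(param)
        if value is not None and value != DEFAULTS[param]:
            lines.append(f"isakmp policy {prio} {param} {value}")
    return lines


def weaknesses(policy):
    """Audit thresholds (assumption): flag 56-bit DES, MD5 and the 768-bit
    Diffie-Hellman group 1."""
    found = []
    if policy.get("encryption") == "des":
        found.append("des: 56-bit key")
    if policy.get("hash") == "md5":
        found.append("md5: deprecated hash")
    if policy.get("group") == "1":
        found.append("group 1: 768-bit Diffie-Hellman modulus")
    return found


if __name__ == "__main__":
    for suite in parse_show_isakmp_policy(SAMPLE_SHOW):
        label = suite["priority"] if suite["priority"] is not None else "default"
        print(f"suite {label}: {weaknesses(suite) or 'no findings'}")
        for line in to_config_lines(suite):
            print("   ", line)
```

Run against the sample, to_config_lines reproduces the chapter's written configuration for policies 20 and 30 exactly, minus the isakmp policy 20 encryption des line that the chapter says will not be stored; the default suite yields no lines.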
If you selected the IKE authentication method of pre-shared keys within Step 3d in the section "Enabling and Configuring IKE," manually configure these keys between the PIX Firewall and its peer(s). To configure a pre-shared key on the PIX Firewall, perform the following step:
Specify the pre-shared key that the PIX Firewall and its peer will use for authentication and the peer's address:
isakmp key keystring address peer-address [netmask mask]
For example:
isakmp key 1234567890 address 192.168.1.100
The pre-shared key is 1234567890, and the peer's address is 192.168.1.100.
Note Netmask allows you to configure a single key to be shared among multiple peers. You would use the netmask of 0.0.0.0. However, Cisco strongly recommends using a unique key for each peer.
Note The pre-shared key must be configured at both the PIX Firewall and its peer; otherwise the policy cannot be used.
Note Configure a pre-shared key associated with a given security gateway to be distinct from a wildcard pre-shared key (pre-shared key plus a netmask of 0.0.0.0) used to identify and authenticate the remote VPN clients.
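The three notes above amount to a small audit policy for isakmp key lines: prefer a unique key per peer, and never let the wildcard key (netmask 0.0.0.0) coincide with a key assigned to a specific security gateway. The following added example, not part of the Cisco chapter, checks a saved configuration against those notes. The configuration fragment is constructed for the example; the key strings and addresses are placeholders, and the assumption that an omitted netmask means a single host (255.255.255.255) is mine. Findings name peers, not key material, so the report can be shared without leaking secrets.

```python
"""Check 'isakmp key' lines against the chapter's pre-shared key guidance.

Added example, not Cisco's code. Sample configuration and key values are
constructed placeholders. Assumption: an omitted netmask means one host.
"""
import re
from collections import defaultdict

WILDCARD_MASK = "0.0.0.0"
HOST_MASK = "255.255.255.255"  # assumed default when netmask is omitted

# Syntax from the chapter: isakmp key keystring address peer-address [netmask mask]
_KEY_LINE = re.compile(r"^isakmp key (\S+) address (\S+)(?: netmask (\S+))?$")

# Constructed sample: two gateways share a key, and that same key is also the
# wildcard key for remote clients, which the chapter says to keep distinct.
SAMPLE_CONFIG = """\
isakmp key 1234567890 address 192.168.1.100
isakmp key 1234567890 address 192.168.1.101
isakmp key 1234567890 address 0.0.0.0 netmask 0.0.0.0
isakmp key uniquekey1 address 10.1.1.1
"""


def parse_isakmp_keys(config_text):
    """Return one dict per isakmp key line; other lines are ignored."""
    entries = []
    for raw in config_text.splitlines():
        m = _KEY_LINE.match(raw.strip())
        if m:
            key, addr, mask = m.groups()
            entries.append({"key": key, "address": addr, "netmask": mask or HOST_MASK})
    return entries


def audit_isakmp_keys(entries):
    """Return sorted findings; key material is never echoed, only peers."""
    findings = []
    by_key = defaultdict(list)
    for e in entries:
        by_key[e["key"]].append(e)
    for group in by_key.values():
        specific = sorted(e["address"] for e in group if e["netmask"] != WILDCARD_MASK)
        has_wildcard = any(e["netmask"] == WILDCARD_MASK for e in group)
        # Chapter: Cisco strongly recommends a unique key for each peer.
        if len(specific) > 1:
            findings.append("key shared by multiple peers: " + ", ".join(specific))
        # Chapter: a gateway key must be distinct from the wildcard client key.
        if has_wildcard and specific:
            findings.append("wildcard key also used for peer(s): " + ", ".join(specific))
    # Wildcard keys are allowed but worth listing in any review.
    for e in entries:
        if e["netmask"] == WILDCARD_MASK:
            findings.append(f"wildcard key present ({e['address']} netmask {WILDCARD_MASK})")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_isakmp_keys(parse_isakmp_keys(SAMPLE_CONFIG)):
        print(finding)
```

Feed it the relevant lines of a saved configuration (for example, the isakmp key lines from write terminal output) rather than the whole device dump, since only those lines are matched.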
To disable IKE, you will have to make these concessions at the peers:
To disable IKE, use the following command:
no crypto isakmp enable interface-name
For example:
no crypto isakmp enable outside
After you configure IKE, configure IPSec (with IKE). For IPSec with IKE configuration, see "Configuring IPSec with IKE" within "Configuring IPSec."
Posted: Thu Aug 31 19:44:03 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.