
Configuring Policy Enforcement Points

When you create IKE tunnels or Policy Distribution Point-to-Policy Enforcement Point tunnels, you will need to perform some configuration tasks on the tunnel endpoints that appear in your Network Topology tree. These tasks are performed from the property panels of each Policy Enforcement Point participating in IPSec tunnel communication.

This section contains the following topics covering the necessary configuration of the Policy Enforcement Points for implementing IPSec:

Specifying DES Cipher Settings in the IPSec Panel

From the IPSec panel, you can identify the strongest DES cipher that the selected node supports.


Cisco Secure Policy Manager uses this information in its consistency checks, which verify that every peer in an IPSec Tunnel Group whose IPSec Tunnel Template requires a specific cipher can actually support that cipher.

To specify the strongest DES cipher that this node can support, perform the following task:


Step 1 Right-click the gateway object icon for which you want to specify the DES cipher support settings (the object must have IPSec Support enabled in its General panel), point to Properties, and then click IPSec on the shortcut menu.

Result: The IPSec panel appears in the View pane.

Step 2 To specify which DES cipher is supported by this node, click that cipher in the list of ciphers in the DES Cipher Support box.

Two types of DES ciphers are available, depending on the type of software that is running on the selected node:

Step 3 To accept your changes and close the selected panel, click OK.

Step 4 To save any changes that you have made, click Save on the File menu.



Specifying Pre-Shared Secrets for IKE in the IPSec Panel

From the IPSec panel, you can specify a pre-shared secret that is used to perform IKE negotiations between the selected node and its IPSec Tunnel Group peers.


Cisco Secure Policy Manager uses this secret to generate the device-specific commands that enable these pre-shared secrets on this node and its peers. You only need to specify this secret in this panel, because it is propagated to the IPSec panels for the specified peers. In other words, you only have to specify a shared secret on one of the two peer nodes.

To specify the secrets to share between this node and its peers, perform the following task:


Step 1 Right-click the gateway object icon for which you want to specify the pre-shared keys used with its peers when negotiating IPSec sessions based on IKE (the object must have IPSec Support enabled in its General panel), point to Properties, and then click IPSec on the shortcut menu.

Result: The IPSec panel appears in the View pane.

Step 2 To select the peer with which the selected node will share a pre-shared secret, click that peer in the list of available peers in the Tunnel Peers box.

Result: The Secret shared with peer label displays the name of the selected peer.

This list contains only those gateway objects and Cisco Secure Policy Manager hosts defined under the Network Topology tree that have the IPSec Support option selected in the General panel.

Step 3 To specify the secret to share between this node and the peer selected in the Tunnel Peers box, type that secret in the Secret shared with peer box.

This value is the pre-shared secret that IKE uses to set up an IPSec tunnel between this node and the selected peer. The minimum length for this secret is 8 characters and the maximum length is 128 alphanumeric characters. You cannot use Tab, Enter, spaces, question marks, or double quotes in this shared secret.

Step 4 For each peer for which you want to define a pre-shared secret, repeat Step 2 and Step 3.

Step 5 To accept your changes and close the selected panel, click OK.

Step 6 To save any changes that you have made, click Save on the File menu.

To generate a new command set that includes the pre-shared secrets required by each peer, you must perform a Save and Update operation. Refer to "IPSec Tunnel Policy" for more information on performing this operation.
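A check for the secret rules given in Step 3, together with a generator that produces a random secret the panel will accept. This is an added example, not part of Cisco Secure Policy Manager; the function names are my own.

```python
import secrets
import string

# Rules from the IPSec panel: 8 to 128 characters, none of Tab, Enter,
# space, question mark or double quote.
FORBIDDEN = {"\t", "\n", "\r", " ", "?", '"'}
MIN_LEN, MAX_LEN = 8, 128


def check_preshared_secret(secret):
    """Return the list of rule violations; an empty list means the value is acceptable."""
    problems = []
    if len(secret) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(secret) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    bad = sorted(set(secret) & FORBIDDEN)
    if bad:
        problems.append("contains forbidden character(s): " + ", ".join(repr(c) for c in bad))
    return problems


def generate_preshared_secret(length=32):
    """Generate a random alphanumeric secret that satisfies the panel's rules.

    Alphanumeric characters only, so the result is always accepted; 32 random
    characters from a 62-symbol alphabet give roughly 190 bits of entropy,
    far beyond the 8-character minimum the panel enforces.
    """
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))
```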



Configuring a Certificate in the IPSec Panel

From the IPSec panel, you can specify which certificate authority server defined under the Network Topology tree the selected node is allowed to communicate with. Certificate authority servers use HTTP as the protocol for renewing and validating certificates. They track when the certificates they manage expire and apply the rules for automatically refreshing them or issuing new certificates to the network objects that subscribe to that certificate authority. In addition, certificate authority servers support certificate revocation lists (CRLs), which let you specify that certain certificates should no longer be trusted.


Tips Cisco Secure Policy Manager automatically creates and applies a security policy that permits HTTP traffic to pass between this node and the specified certificate authority server.

To specify the certificate authority server to use for this node, perform the following task:


Step 1 Right-click the gateway object icon that has IPSec Support enabled in its General panel, point to Properties, and then click IPSec on the shortcut menu.

Result: The IPSec panel appears in the View pane.


Step 2 To specify which certificate authority server to use with this node, click that server in the list of certificate authority servers in the Trusted Certificate Authority Server box.

This value identifies a host in the Network Topology tree that has been designated a certificate authority server by adding the Certificate Authority client-server product type to it.

Step 3 To accept your changes and close the selected panel, click OK.

Step 4 To save any changes that you have made, click Save on the File menu.



Discovering Certificate Information in the IPSec Panel

From the IPSec panel, you can discover specific information about any certificates installed on a managed Policy Enforcement Point that has the IPSec Support option selected in its General panel.

To discover the certificate information, perform the following task:


Step 1 Right-click the PIX Firewall icon or IOS Router icon for which you want to discover certificate information (the node must have IPSec Support enabled in its General panel and a previously configured certificate installed), point to Properties, and then click IPSec on the shortcut menu.

Result: The IPSec panel appears in the View pane.


Step 2 To specify that you want to discover information about the certificates used by this node, click Discover.

Result: The Discovery dialog box appears with the IPSec box selected under the Discovery Selections box.

Step 3 To discover the certificate information and other IPSec settings for this node, click Discover.

Result: The Discovery Status box displays the status of the device discovery, including the time remaining before the discovery process abandons the attempt. When the process is complete, a message stating "Configuration completed. The configuration attempt was successful" appears. In addition, the Results button appears, which provides information about the discovery. Specifically, the Discovery Results dialog box should display the following messages:

Step 4 To close the Discovery dialog box, click OK.

Result: The IPSec panel now displays information about each certificate that was discovered. This information is organized on separate subtabs (below the Trusted Certificate Authority box) for each certificate that is discovered.


Step 5 To accept your changes and close the selected panel, click OK.

Step 6 To save any changes that you have made, click Save on the File menu.



Configuring IPSec Bootstrap Settings for a Managed Gateway Object

After using the Enforcement panel to configure the Policy Enforcement Point to use IPSec communication between the Policy Distribution Point and Policy Enforcement Point, you need to manually enter the IPSec commands into the Policy Enforcement Point before you can publish the command sets to that Policy Enforcement Point. Cisco Secure Policy Manager generates the required commands for the Policy Enforcement Point, but it does not automatically distribute them to the Policy Enforcement Point because the shared secret would be sent in clear text. The bootstrap commands are available in the Commands/Messages box in the Command panel associated with the Policy Enforcement Point.


Note When Cisco Secure Policy Manager detects an IPSec tunnel with a sequence number of 1, it assumes that it is the bootstrap tunnel. The IPSec tunnel generated by this procedure will be given a sequence number of 1. If you choose to enter your own IPSec crypto map commands to create the tunnel instead of using the generated commands, the tunnel must be given a sequence number of 1. 

Non-bootstrap tunnels created by Cisco Secure Policy Manager start at sequence number 5. If you manually define non-bootstrap IPSec tunnels, either on the Policy Enforcement Point or through Cisco Secure Policy Manager's prologue/epilogue commands, make sure that you do not assign any of them sequence number 1. Failure to observe this numbering restriction can result in a loss of communication between the Policy Distribution Point and the Policy Enforcement Point.

To bootstrap a Policy Enforcement Point, perform the following task:


Step 1 Right-click the PIX Firewall icon or IOS Router icon that you need to manually configure for IPSec communication with the Policy Distribution Point.

Step 2 To view the Command panel, point to Properties, and then click Command on the shortcut menu.

Result: The Command panel appears in the View pane.

Step 3 To view the generated commands, click Pending Commands in the Command Review/Edit box.

Result: The list of commands that have been generated but not yet published to the selected Policy Enforcement Point appears in the Commands/Messages box.

Step 4 To find the IPSec bootstrap commands, scroll down the Commands/Messages box until you see the "IPSec bootstrap configuration" heading.

Step 5 Copy the list of commands that appears after the IPSec bootstrap configuration heading and paste it into a text file. On a console running Windows 95 or Windows NT, you can use Notepad. On a UNIX workstation, you can use vi.


Note If no commands appear after the IPSec bootstrap configuration heading, click Save and Update on the File menu or toolbar and verify that the policy generation processing has completed with no errors. To verify the policy generation, click Consistency Check on the Tools menu.

If the commands still do not appear, make sure you selected an IPSec template in the Use secure IPSec with template field of the Policy Distribution Point box in the Enforcement panel.

Step 6 Delete the exclamation point (!) from the beginning of each line.


Tips You can use the search and replace function of your text editor, if available, to quickly remove all exclamation points.

Result: The command set is ready to be entered into the Policy Enforcement Point. If you will be accessing the Policy Enforcement Point from a workstation other than the one the GUI client is installed on, you will need to save to a location that is accessible from your point of access to the Policy Enforcement Point, such as a diskette or FTP server.

Step 7 Use a terminal console or Telnet session to access the Policy Enforcement Point. We recommend that you enter the bootstrap configuration information from a console terminal, because any information sent via Telnet is sent in clear text.

Step 8 Enter the configuration mode of the Policy Enforcement Point.

To enter configuration mode on a PIX Firewall or IOS Router with Firewall Feature Set:

Result: The Policy Enforcement Point enters the privileged EXEC mode. Depending upon the configuration of your Policy Enforcement Point, you may be required to enter a password before you are allowed to enter this mode.
Result: The Policy Enforcement Point enters global configuration mode.

Step 9 To enter the configuration commands, copy the commands from the text file and paste them into your terminal or Telnet session. Do not paste the IPSec bootstrap configuration heading or the dashed lines that appear above and below the heading.

Result: The commands are entered, line by line, into the Policy Enforcement Point. The command set automatically places the Policy Enforcement Point into the proper configuration mode for each command being entered.

Step 10 Label and save the configuration file. If you ever need to revert back to standard communication between the Policy Distribution Point and the Policy Enforcement Point, you will need to manually issue the "no" version of the commands to remove the IPSec settings from the Policy Distribution Point.
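Steps 5, 6 and 9, together with the sequence-number rule from the Note, done as a script instead of by hand. This is an added example, not Cisco Secure Policy Manager code; the layout of the command export, the crypto map name cspm_map and the addresses are constructed for illustration.

```python
import re
HEADING = "IPSec bootstrap configuration"
CRYPTO_MAP_RE = re.compile(r"^\s*crypto map (\S+) (\d+) ipsec-isakmp\b")
# Constructed stand-in for a saved Pending Commands export: heading layout and
# commands are illustrative, not real product output; the key is a placeholder.
PENDING = """\
!crypto isakmp enable
! --------------------------------
! IPSec bootstrap configuration
! --------------------------------
!crypto isakmp policy 1
! authentication pre-share
!crypto isakmp key CSPM-SECRET-PLACEHOLDER address 192.0.2.10
!crypto map cspm_map 1 ipsec-isakmp
"""
# Constructed hand-written epilogue; its first entry breaks the Note's rule.
MANUAL_EPILOGUE = """\
crypto map cspm_map 1 ipsec-isakmp
crypto map cspm_map 5 ipsec-isakmp
"""

def extract_bootstrap_commands(pending_text):
    """Commands after the heading with the leading '!' removed (Step 6); the
    heading, the dashed lines and blank lines are dropped (Step 9)."""
    lines = pending_text.splitlines()
    starts = [i for i, ln in enumerate(lines) if HEADING in ln]
    if not starts:
        return []  # heading absent: do a Save and Update first (see the Note)
    commands = []
    for ln in lines[starts[0] + 1:]:
        if ln.startswith("!"):
            ln = ln[1:]
        if set(ln.strip()) <= {"-"}:  # dashed separator or blank line
            continue
        commands.append(ln)
    return commands

def crypto_map_sequences(lines):
    """Set of (map name, sequence number) for each ipsec-isakmp crypto map entry."""
    matches = (CRYPTO_MAP_RE.match(ln) for ln in lines)
    return {(m.group(1), int(m.group(2))) for m in matches if m}

def sequence_number_problems(bootstrap_cmds, manual_cmds):
    """The Note's rule: the bootstrap tunnel is sequence 1 and nothing else may use 1."""
    problems = []
    if 1 not in {seq for _, seq in crypto_map_sequences(bootstrap_cmds)}:
        problems.append("bootstrap section has no crypto map entry with sequence 1")
    problems += [f"manual crypto map {name} reuses sequence 1, reserved for bootstrap"
                 for name, seq in sorted(crypto_map_sequences(manual_cmds)) if seq == 1]
    return problems
```

Run the check against your prologue/epilogue commands before publishing; a manual entry that reuses sequence 1 is exactly the case the Note warns loses contact with the Policy Distribution Point.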




Posted: Tue May 30 08:35:12 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.