IPSec operates in two steps. In step one, the client and host negotiate security information, using either manually configured keys or Internet Key Exchange (IKE), which I will discuss next. Once the negotiation is complete, step two uses this negotiated security information to begin passing data.

The negotiation of parameters between client and host can be done manually or via IKE. IKE is an automated method that allows for additional features such as dynamic authentication; under IKE, keys can change in mid-session. Other than that, this is a complete configuration for a fully functional Cisco PIX-based VPN, which allows remote clients to access services on the network behind the firewall.
These addresses will be used for VPN clients. A transform set specifies one or both of the IPSec security protocols, along with the algorithm to use for each. My configuration uses esp-des, which provides DES encryption, and esp-md5-hmac, which uses the MD5 hashing scheme in an HMAC for packet authentication.
These transform sets come into play during client negotiation to determine which protocols the PIX will use to protect the VPN traffic.

Getting current

If you have a new PIX, you should check the version of the software installed on it using the show version command at the command prompt. As of this writing, the most current PIX software image available is 6.
The files are named pix

Connect via HyperTerminal to make sure the serial link is still working. Reboot the PIX by either power cycling it or issuing a reboot command at the command line. When a message appears indicating that the configuration is about to load from flash, press [Esc] to put the PIX into monitor mode.
The access list on the opposite PIX configuration mirrors this access list. This is appropriate for PIX

The IPSec transform set defines the security policy that the peers use to protect the data flow. You must choose a unique name for the transform set, and you can select up to three transforms to define the IPSec security protocols. This configuration uses only two transforms: esp-md5-hmac and esp-des.

To create a crypto map, you must assign it a map name and a sequence number, then define the crypto map parameters. The crypto map transam uses IKE to establish IPSec SAs, encrypts anything that matches its access list, has a set peer, and uses the chevelle transform set to enact its security policy for that traffic. After you define the crypto map, apply it to an interface; the interface you choose must be the IPSec terminating interface. Separately, all traffic that matches the access-list command statements is exempted from NAT, so the tunnel carries the untranslated inside addresses.
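The steps above (the interesting-traffic access list, the transform set, the crypto map with its sequence number, binding the map to the IPSec terminating interface, and the NAT exemption) assembled into one PIX 6.x site-to-site configuration. This is an added example written for this article, not the author's configuration or a Cisco sample. The names chevelle and transam come from the text; the access-list number 101, the subnets, the peer address 192.0.2.2, the interface name outside, the pre-shared key placeholder and the second transform set chevelle-3des are all assumptions. Beside the page's esp-des/esp-md5-hmac pair it lists the assumed 3DES/SHA set first, so the stronger transforms are preferred whenever the peer offers them. Interface and IP address configuration is assumed to already exist.

```cisco
! Added example of a PIX 6.x site-to-site IPSec configuration (not from the page).
! Assumed addressing: inside LAN 10.1.1.0/24, remote LAN 10.2.2.0/24,
! remote peer 192.0.2.2 (all constructed values).

! Interesting traffic. The opposite PIX mirrors this list with source and
! destination swapped. The same list also drives the NAT exemption below.
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! NAT exemption: anything matching access-list 101 bypasses translation,
! so the tunnel carries the real inside addresses.
nat (inside) 0 access-list 101

! Allow decrypted IPSec traffic to bypass the interface access checks.
sysopt connection permit-ipsec

! IKE (ISAKMP) phase 1. Policy 10 is the assumed stronger policy and is
! tried first; policy 20 mirrors the DES/MD5 choices made in the text.
isakmp enable outside
isakmp identity address
isakmp key REPLACE-WITH-A-LONG-RANDOM-PSK address 192.0.2.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

! IPSec phase 2 transform sets. chevelle is the pair named in the text
! (DES encryption plus MD5 HMAC); chevelle-3des is an assumed stronger set.
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto ipsec transform-set chevelle-3des esp-3des esp-sha-hmac

! Crypto map transam, sequence 1: IKE-negotiated SAs, interesting traffic
! from access-list 101, the remote peer, and the transform sets in
! preference order (strongest first).
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 192.0.2.2
crypto map transam 1 set transform-set chevelle-3des chevelle

! Bind the map to the IPSec terminating interface.
crypto map transam interface outside
```

After the configuration is applied and traffic matching access-list 101 is sent, show crypto isakmp sa and show crypto ipsec sa confirm that the phase 1 and phase 2 SAs came up and which transform set was actually negotiated; once the peer is known to accept 3DES/SHA, the policy 20 lines and the chevelle fallback can be removed. The syntax is PIX 6.x; PIX 7.x and ASA renamed several of these commands.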
This sample configuration shows two different versions of VPN Clients that connect and encrypt traffic with the PIX as the tunnel endpoint. This sample configuration assumes that the PIX already operates with appropriate statics, conduits, or access lists.
The information in this document was created from the devices in a specific lab environment.