Keeping Your Cisco VPN Secure - Page 4
Finally, permit IPsec packets into the network with the sysopt command:

sysopt connection permit-ipsec

Note that this command exempts traffic arriving inside an established IPsec tunnel from the interface access lists and conduits, so the crypto access list becomes the only filter on what the remote peer can send into the network; keep that list as narrow as the site-to-site traffic allows.

The branch office PIX configuration is almost identical. The following section points out where it differs.
The branch office PIX has a different outside IP address:

ip address outside 172.30.1.2 255.255.255.252

The access list must reflect the main office's IP addresses:

access-list 20 permit 10.1.1.0 255.255.255.0

The peer is the outside IP address of the main office's PIX:
crypto map mymap 10 set peer 172.30.1.1

The session keys on the branch office are configured in the opposite order from those on the main office's PIX: the inbound key (and its SPI) on one side of a connection must equal the outbound key on the other side, or the connection will not be established. So the branch office's inbound AH session key matches the main office's outbound AH session key, and the branch office's outbound AH session key matches the main office's inbound AH session key. Likewise, the branch office's inbound ESP session key matches the main office's outbound ESP session key, and the branch office's outbound ESP session key matches the main office's inbound ESP session key:

crypto map mymap 10 set session-key inbound ah 300 bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
crypto map mymap 10 set session-key outbound ah 400 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
crypto map mymap 10 set session-key inbound esp 300 cipher dddddddddddddddddddddddddddddddd
crypto map mymap 10 set session-key outbound esp 400 cipher cccccccccccccccccccccccccccccccc

The keys shown here are placeholders. In a real deployment each key must be a fresh value from a cryptographically secure random source, the inbound and outbound keys must differ, and, because manual keying never rekeys on its own, the keys must be rotated on both PIXes by hand.
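The mirroring rule above is easy to get wrong when the four session-key lines are typed by hand on two boxes. The following script is an added example, not code from the page or from Cisco: it parses `crypto map ... set session-key` lines from both PIX configurations, checks that each side's inbound SPI and key equal the peer's outbound SPI and key, flags placeholder-looking or direction-reused keys, and shows how to generate a replacement key from the OS random source. The main-office lines are constructed here as the assumed mirror image of the branch-office lines on the page, and the 16-byte key length is an assumption that matches the 32-hex-digit keys shown.

```python
import re
import secrets

# Constructed for this example: the main-office side, assumed to be the
# mirror image of the branch-office commands shown on the page.
MAIN_OFFICE = """
crypto map mymap 10 set peer 172.30.1.2
crypto map mymap 10 set session-key inbound ah 400 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
crypto map mymap 10 set session-key outbound ah 300 bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
crypto map mymap 10 set session-key inbound esp 400 cipher cccccccccccccccccccccccccccccccc
crypto map mymap 10 set session-key outbound esp 300 cipher dddddddddddddddddddddddddddddddd
"""

# The branch-office commands as given on the page.
BRANCH_OFFICE = """
crypto map mymap 10 set peer 172.30.1.1
crypto map mymap 10 set session-key inbound ah 300 bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
crypto map mymap 10 set session-key outbound ah 400 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
crypto map mymap 10 set session-key inbound esp 300 cipher dddddddddddddddddddddddddddddddd
crypto map mymap 10 set session-key outbound esp 400 cipher cccccccccccccccccccccccccccccccc
"""

# Constructed: the common mistake of copying the main office's inbound ESP
# key into the branch office's inbound slot (and outbound into outbound).
BRANCH_OFFICE_SWAPPED = """
crypto map mymap 10 set peer 172.30.1.1
crypto map mymap 10 set session-key inbound ah 300 bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
crypto map mymap 10 set session-key outbound ah 400 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
crypto map mymap 10 set session-key inbound esp 300 cipher cccccccccccccccccccccccccccccccc
crypto map mymap 10 set session-key outbound esp 400 cipher dddddddddddddddddddddddddddddddd
"""

SESSION_KEY_RE = re.compile(
    r"^crypto map (?P<map>\S+) (?P<seq>\d+) set session-key "
    r"(?P<dir>inbound|outbound) (?P<proto>ah|esp) (?P<spi>\d+)"
    r"(?: cipher)? (?P<key>[0-9a-fA-F]+)"
    r"(?: authenticator (?P<auth>[0-9a-fA-F]+))?$"
)

OPPOSITE = {"inbound": "outbound", "outbound": "inbound"}


def parse_session_keys(config: str) -> dict:
    """Map (direction, protocol) -> {"spi", "key", "auth"} for every
    session-key line; peer, access-list and other lines are skipped."""
    sas = {}
    for line in config.strip().splitlines():
        m = SESSION_KEY_RE.match(line.strip())
        if not m:
            continue
        sas[(m["dir"], m["proto"])] = {
            "spi": int(m["spi"]),
            "key": m["key"].lower(),
            "auth": m["auth"].lower() if m["auth"] else None,
        }
    return sas


def mirror_mismatches(side_a: dict, side_b: dict) -> list:
    """Check each SA on side_a against the opposite-direction SA on side_b.
    Run it both ways to also catch SAs that exist only on side_b."""
    problems = []
    for (direction, proto), sa in side_a.items():
        want = OPPOSITE[direction]
        peer = side_b.get((want, proto))
        if peer is None:
            problems.append(f"peer has no {want} {proto} SA for our {direction} {proto}")
            continue
        if sa["spi"] != peer["spi"]:
            problems.append(f"{proto} {direction} SPI {sa['spi']} != peer {want} SPI {peer['spi']}")
        if sa["key"] != peer["key"] or sa["auth"] != peer["auth"]:
            problems.append(f"{proto} {direction} key differs from peer {want} key")
    return problems


def weak_keys(sas: dict) -> list:
    """Flag SAs whose key is one repeated hex digit (placeholder-looking)
    or is reused for both directions; returns sorted (direction, protocol)."""
    flagged = set()
    for (direction, proto), sa in sas.items():
        if len(set(sa["key"])) == 1:
            flagged.add((direction, proto))
        other = sas.get((OPPOSITE[direction], proto))
        if other is not None and other["key"] == sa["key"]:
            flagged.add((direction, proto))
    return sorted(flagged)


def fresh_key(n_bytes: int = 16) -> str:
    """Hex key from the OS CSPRNG. 16 bytes gives the 32 hex digits the page
    uses (assumption: that length suits the algorithm actually configured)."""
    return secrets.token_hex(n_bytes)


if __name__ == "__main__":
    main, branch = parse_session_keys(MAIN_OFFICE), parse_session_keys(BRANCH_OFFICE)
    print("mirror problems:", mirror_mismatches(main, branch) or "none")
    print("swapped ESP keys:", mirror_mismatches(main, parse_session_keys(BRANCH_OFFICE_SWAPPED)))
    print("placeholder keys:", weak_keys(branch))
    print("replacement AH key:", fresh_key(16))
```

Paste the relevant `show running-config` lines from each PIX into the two constants and run the script on both orderings; the swapped configuration above is reported as two ESP key mismatches while the AH pair passes, which is exactly the tunnel that "almost comes up" and is hard to diagnose from the consoles alone.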
Our next segment will conclude Chapter 4 of Cisco Secure Internet Security Solutions, covering the explanation and configuration of VPNs with preshared keys, obtaining certificates from a Certificate Authority, and PIX-to-PIX configuration.