
Keeping Your Cisco VPN Secure - Page 4

 By Cisco Press

Finally, permit IPSec packets into the network with the sysopt command.

 sysopt connection permit-ipsec
The branch office PIX configuration is almost identical. The following section points out where it differs.

The branch office PIX has a different outside IP address.

 ip address outside 172.30.1.2 255.255.255.252
The access list must reflect the main office's IP addresses.
 access-list 20 permit 10.1.1.0 255.255.255.0
The peer is the outside IP address of the main office's PIX.
 crypto map mymap 10 set peer 172.30.1.1
The session keys on the branch office are configured in the opposite order from those on the main office's PIX, because the inbound key on one side of a connection must equal the outbound key on the opposite side. The branch office's inbound AH session key is therefore the main office's outbound AH session key, and the branch office's outbound AH session key is the main office's inbound AH session key; the connection cannot be established unless each pair matches. Likewise, the branch office's inbound ESP session key matches the main office's outbound ESP session key, and its outbound ESP session key matches the main office's inbound ESP session key:
 crypto map mymap 10 set session-key inbound ah 300
     bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
 crypto map mymap 10 set session-key outbound ah 400
     aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 crypto map mymap 10 set session-key inbound esp 300 cipher
     dddddddddddddddddddddddddddddddd
 crypto map mymap 10 set session-key outbound esp 400 cipher
     cccccccccccccccccccccccccccccccc
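As an added illustration that is not part of the book's text, the following check verifies that two manually keyed PIX crypto maps mirror each other the way the paragraph above requires (each side's inbound SPI and key equal the other side's outbound SPI and key) and flags a session key that is reused in more than one SA. The branch-office lines are the ones shown here with each key joined onto its command line; the main-office lines are constructed to match them, since the main-office configuration appears on an earlier page.

```python
import re

# Constructed sample input: branch-office lines from this page (keys joined
# onto one line) and a hypothetical main-office configuration that mirrors them.
BRANCH_CFG = """
crypto map mymap 10 set peer 172.30.1.1
crypto map mymap 10 set session-key inbound ah 300 bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
crypto map mymap 10 set session-key outbound ah 400 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
crypto map mymap 10 set session-key inbound esp 300 cipher dddddddddddddddddddddddddddddddd
crypto map mymap 10 set session-key outbound esp 400 cipher cccccccccccccccccccccccccccccccc
"""
MAIN_CFG = """
crypto map mymap 10 set peer 172.30.1.2
crypto map mymap 10 set session-key inbound ah 400 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
crypto map mymap 10 set session-key outbound ah 300 bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
crypto map mymap 10 set session-key inbound esp 400 cipher cccccccccccccccccccccccccccccccc
crypto map mymap 10 set session-key outbound esp 300 cipher dddddddddddddddddddddddddddddddd
"""

# Matches "set session-key <inbound|outbound> <ah|esp> <spi> [cipher] <hexkey>".
SA_RE = re.compile(r"set session-key (inbound|outbound) (ah|esp) (\d+)(?: cipher)? ([0-9a-fA-F]+)")


def parse_session_keys(cfg):
    """Return {(direction, protocol): (spi, key)} for each manual session-key line."""
    sas = {}
    for m in SA_RE.finditer(cfg):
        direction, proto, spi, key = m.groups()
        sas[(direction, proto)] = (int(spi), key.lower())
    return sas


def check_manual_keys(local_cfg, remote_cfg):
    """Return a list of findings; an empty list means both SPIs and keys mirror correctly."""
    local, remote = parse_session_keys(local_cfg), parse_session_keys(remote_cfg)
    findings = []
    for proto in ("ah", "esp"):
        # Local inbound must equal remote outbound, and vice versa.
        for here, there in (("inbound", "outbound"), ("outbound", "inbound")):
            l, r = local.get((here, proto)), remote.get((there, proto))
            if l is None or r is None:
                findings.append(f"{proto} {here}: session key missing on one side")
            elif l != r:
                findings.append(f"{proto}: local {here} {l} != remote {there} {r}")
    # Using one key for more than one SA (both directions, or AH and ESP) weakens manual keying.
    keys = [key for _, key in local.values()]
    if len(set(keys)) != len(keys):
        findings.append("a session key is reused in more than one SA")
    return findings
```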

Our next segment will conclude Chapter 4 of Cisco Secure Internet Security Solutions, and will cover an explanation and configuration of VPN with Preshared Keys, obtaining Certificate Authorities, and PIX-to-PIX configuration.

This article was originally published on Oct 23, 2001