VPN With Pre-Shared Keys - Page 2
Explanation of VPN with Preshared Keys
Going back to the configuration, you can see that it is really quite simple to enable preshared keys. The following section will walk you through the configuration and explain what has been configured.
First, set the host name. The fully qualified domain name (FQDN) is set with the domain-name command.
hostname chicago
domain-name bigcompany.com

Then enable ISAKMP on the outside interface and define an ISAKMP policy that uses preshared keys and 3DES encryption.

isakmp enable outside
isakmp policy 15 authentication pre-share
isakmp policy 15 encr 3des

The ISAKMP key, whose value is isakampkey, is set along with the IP address of the peer's outside interface. Then define the transform set, which uses esp-sha-hmac first and then esp-3des.

crypto ipsec transform-set strong esp-sha-hmac esp-3des

Define an access list for use with the crypto map command, setting the permitted IP addresses to match the remote site's IP address.

access-list myaccesslist permit ip 10.1.2.0 255.255.255.0

Next, map the traffic to be encrypted, set the peer, and apply the crypto map to the interface.

crypto map seattletraffic 29 ipsec-isakmp
crypto map seattletraffic 29 match address myaccesslist
crypto map seattletraffic 29 set transform-set strong
crypto map seattletraffic 29 set peer 172.30.1.2
crypto map seattletraffic interface outside

Finally, set the PIX to allow IPSec traffic through the interfaces.

sysopt connection permit-ipsec

The only real differences between the branch office and the main office configurations are that the peers are set to the other office's PIX outside interface, and the traffic to be encrypted is set to the other office's LAN.
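The mirroring rule in the last paragraph, as an added example that is not part of the page: a Python script that renders both PIX configurations from one description of the two sites, in the command order shown above, and then checks that the two are mirror images (same pre-shared key and transform set, each crypto ACL the reverse of the other, each peer address matching the address its own key is bound to). The isakmp key command line, the full source/destination form of the crypto ACL, and the Chicago addresses (outside 172.30.1.1, LAN 10.1.1.0/24) are assumptions made for the example; the Seattle values come from the page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Site:
    hostname: str
    outside_ip: str  # address of the PIX outside interface
    lan: str         # protected LAN behind this PIX
    mask: str

def pix_vpn_config(local: Site, remote: Site, psk: str, map_name: str,
                   acl_name: str, domain: str = "bigcompany.com") -> list[str]:
    # Render local's config in the page's order; peer and crypto ACL point at remote.
    # Assumed for this example: the isakmp key line and the full src/dst ACL form.
    return [
        f"hostname {local.hostname}",
        f"domain-name {domain}",
        "isakmp enable outside",
        "isakmp policy 15 authentication pre-share",
        "isakmp policy 15 encr 3des",  # 3DES and SHA-1 as on the page; legacy algorithms today
        f"isakmp key {psk} address {remote.outside_ip} netmask 255.255.255.255",
        "crypto ipsec transform-set strong esp-sha-hmac esp-3des",
        f"access-list {acl_name} permit ip {local.lan} {local.mask} "
        f"{remote.lan} {remote.mask}",
        f"crypto map {map_name} 29 ipsec-isakmp",
        f"crypto map {map_name} 29 match address {acl_name}",
        f"crypto map {map_name} 29 set transform-set strong",
        f"crypto map {map_name} 29 set peer {remote.outside_ip}",
        f"crypto map {map_name} interface outside",
        "sysopt connection permit-ipsec",
    ]

def _first(cfg: list[str], prefix: str) -> list[str]:
    """Words of the first config line that starts with `prefix`."""
    return next(l.split() for l in cfg if l.startswith(prefix))

def mirror_problems(cfg_a: list[str], cfg_b: list[str]) -> list[str]:
    """Mismatches that would keep the two PIXes from negotiating one tunnel."""
    problems = []
    if _first(cfg_a, "isakmp key")[2] != _first(cfg_b, "isakmp key")[2]:
        problems.append("pre-shared keys differ")
    if _first(cfg_a, "crypto ipsec transform-set") != _first(cfg_b, "crypto ipsec transform-set"):
        problems.append("transform sets differ")
    # Each side's crypto ACL must be the other's with source and destination swapped.
    a, b = _first(cfg_a, "access-list")[4:], _first(cfg_b, "access-list")[4:]
    if a != b[2:] + b[:2]:
        problems.append("crypto ACLs are not mirror images")
    for name, cfg in (("A", cfg_a), ("B", cfg_b)):  # key binding and peer must agree
        if _first(cfg, "isakmp key")[4] != next(l.split()[-1] for l in cfg if " set peer " in l):
            problems.append(f"{name}: isakmp key address and crypto map peer disagree")
    return problems
```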