VPN With Pre-Shared Keys - Page 2

 By Cisco Press

Explanation of VPN with Preshared Keys
Going back to the configuration, you can see that it is really quite simple to enable preshared keys. The following section will walk you through the configuration and explain what has been configured.

First, set the host name. The domain-name command supplies the domain portion, and together the two form the fully qualified domain name (FQDN) of the firewall.

 hostname chicago
 domain-name bigcompany.com
Then enable ISAKMP on the outside interface and define a policy (number 15 here) that uses preshared keys for authentication and 3DES for encryption.
 isakmp enable outside
 isakmp policy 15 authentication pre-share
 isakmp policy 15 encr 3des
The ISAKMP key, whose value is isakampkey, is set with the isakmp key command and bound to the IP address of the peer's outside interface. Then define a transform set named strong that uses esp-sha-hmac for authentication and esp-3des for encryption.
 crypto ipsec transform-set strong esp-sha-hmac esp-3des
Define an access list for use with the crypto map command; its permit entries select the traffic between the local LAN and the remote site's LAN that is to be encrypted.
 access-list myaccesslist permit ip
Next, build the crypto map: tie it to the access list that selects the traffic to be encrypted, set the transform set, set the peer, and apply the map to the outside interface.
 crypto map seattletraffic 29 ipsec-isakmp
 crypto map seattletraffic 29 match address myaccesslist
 crypto map seattletraffic 29 set transform-set strong
 crypto map seattletraffic 29 set peer
 crypto map seattletraffic interface outside
Finally, set the PIX to allow IPSec traffic through the interfaces. Note that this command lets packets arriving through an IPSec tunnel bypass the interface access lists and conduits, so the crypto access list becomes the effective policy for tunneled traffic.
 sysopt connection permit-ipsec
The only real differences between the branch office and the main office configurations are that each side's peer is set to the other office's PIX outside interface, and the access list on each side selects traffic destined for the other office's LAN; the preshared key, ISAKMP policy, and transform set must match on both ends.
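The following is an added example, not the article's own configuration, showing how the two ends of the tunnel described above mirror each other. The IP addresses are constructed from the RFC 5737 documentation ranges (chicago outside 192.0.2.1 with LAN 10.1.1.0/24, seattle outside 198.51.100.1 with LAN 10.2.2.0/24), the branch crypto map name chicagotraffic is an assumption, and the isakmp policy hash, group, and lifetime lines are added here to make the policy explicit rather than relying on defaults. The lines beginning with an exclamation mark are annotation for the reader.

```cisco
! ---- Main office PIX (chicago) ----
hostname chicago
domain-name bigcompany.com
isakmp enable outside
isakmp policy 15 authentication pre-share
isakmp policy 15 encr 3des
isakmp policy 15 hash sha
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400
! Key is bound to the peer's outside address; use a long random string in production
isakmp key isakampkey address 198.51.100.1 netmask 255.255.255.255
crypto ipsec transform-set strong esp-sha-hmac esp-3des
! Select only chicago LAN <-> seattle LAN traffic for encryption
access-list myaccesslist permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map seattletraffic 29 ipsec-isakmp
crypto map seattletraffic 29 match address myaccesslist
crypto map seattletraffic 29 set transform-set strong
crypto map seattletraffic 29 set peer 198.51.100.1
crypto map seattletraffic interface outside
sysopt connection permit-ipsec

! ---- Branch office PIX (seattle): same key, policy and transform set; peer and ACL mirrored ----
hostname seattle
domain-name bigcompany.com
isakmp enable outside
isakmp policy 15 authentication pre-share
isakmp policy 15 encr 3des
isakmp policy 15 hash sha
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400
isakmp key isakampkey address 192.0.2.1 netmask 255.255.255.255
crypto ipsec transform-set strong esp-sha-hmac esp-3des
access-list myaccesslist permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map chicagotraffic 29 ipsec-isakmp
crypto map chicagotraffic 29 match address myaccesslist
crypto map chicagotraffic 29 set transform-set strong
crypto map chicagotraffic 29 set peer 192.0.2.1
crypto map chicagotraffic interface outside
sysopt connection permit-ipsec
```

Two points to check after applying such a configuration: the access lists on the two sides must be exact mirrors of each other, or one direction of the tunnel will fail to negotiate; and if the PIX also translates the inside network, the same access list must be used to exempt the site-to-site traffic from NAT so the crypto access list sees the untranslated addresses.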

This article was originally published on Oct 30, 2001