Configure the preshared key—You can configure the same preshared key for all
your SAs. This method is not recommended, however, because it is more secure
to specify a different key for each SA. To configure the preshared key, you need
to determine how the peers identify themselves. SA peers can identify themselves
by IP address or host name. It is recommended that you use the same method of
identification for all SAs. If you choose to identify the peers by host name, the
negotiations could fail if a Domain Name System (DNS) issue prevents the host
name from resolving correctly. Here is the command for configuring
identification:
isakmp identity (address | hostname)
Here is the command for configuring the preshared key:
isakmp key string address | peer-address [netmask mask]
To configure ISAKMP policies for both Cisco Security Appliances with
the ISAKMP identities and isakmp key commands added, use a
configuration similar to this:
LOCAL PIX FIREWALL>>>>>>>>>>>
tgpix(config)# isakmp policy 10 authentication pre-share
tgpix(config)# isakmp policy 10 encryption 3des
tgpix(config)# isakmp policy 10 group 2
tgpix(config)# isakmp policy 10 hash md5
tgpix(config)# isakmp policy 10 lifetime 86400
tgpix(config)# isakmp enable outside
tgpix(config)# isakmp identity address
tgpix(config)# isakmp key abc123 address 192.168.2.1 netmask
255.255.255.255
REMOTE PIX FIREWALL>>>>>>>>>>
gonderpix (config)# isakmp policy 10 authentication pre-share
gonderpix (config)# isakmp policy 10 encryption 3des
gonderpix (config)# isakmp policy 10 group 2
gonderpix (config)# isakmp policy 10 hash md5
gonderpix (config)# isakmp policy 10 lifetime 86400
gonderpix (config)# isakmp enable outside
gonderpix (config)# isakmp identity address
gonderpix (config)# isakmp key abc123 address 192.168.1.1 netmask
255.255.255.255