Crypto Transform Set

tgpix(config)# isakmp policy 10 authentication pre-share
tgpix(config)# isakmp policy 10 encryption 3des
tgpix(config)# isakmp policy 10 group 2
tgpix(config)# isakmp policy 10 hash md5
tgpix(config)# isakmp policy 10 lifetime 86400
tgpix(config)# isakmp enable outside
Configuring the Security Appliance as a VPN Gateway 351
Step 3: Configuring IPSec Security Association Lifetimes
Limiting the key lifetime denies an attacker the opportunity to gather enough network traffic encrypted under a single key. It forces a key exchange, which changes the encryption keys and greatly reduces the chance that a key can be cracked. Technology continues to advance, producing computers that can break codes at faster rates; however, these systems still require a certain amount of traffic encrypted under a single key. The idea is to change encryption keys before any system can feasibly crack your encryption. The PIX enables you to configure your SA lifetimes, forcing a key exchange. You can limit the SA lifetime either by the amount of traffic passing through the connection or by how long the encrypted connection remains open. The command for configuring SA lifetimes is as follows:
crypto ipsec security-association lifetime [kilobytes | seconds]
Example 13-3 shows the current configuration, including an SA lifetime of 15 minutes (900 seconds).
Step 4: Configuring Crypto Maps
Just as the isakmp policy command configures the parameters for the IKE negotiations, the crypto map command tells the PIX Firewall how to negotiate the IPSec SA. The crypto map command is the final piece of the puzzle; it is used on both peers to establish the SA. Again, it is extremely important that the settings be compatible on both ends: if the two peers do not have compatible configurations, they cannot establish the VPN connection. This does not mean
tgpix(config)# isakmp identity address
tgpix(config)# isakmp key abc123 address 192.168.2.1 netmask 255.255.255.255
tgpix(config)# access-list 90 permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
tgpix(config)# crypto ipsec transform-set strong esp-3des esp-md5-hmac
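As an added example (not code from the book or from Cisco), the following Python script audits the two points made in Steps 3 and 4: it parses PIX-style configuration lines of the kind shown in this chapter (isakmp policy, crypto ipsec transform-set and crypto ipsec security-association lifetime) from two peers' configurations, checks whether the peers share at least one compatible IKE policy and a common transform set, and flags an IPsec SA lifetime longer than a chosen threshold. The two peer configurations, the 28800-second and 4608000-kilobyte values assumed when no lifetime command is present, the 3600-second threshold and the prompt format it strips are constructed assumptions for illustration.

```python
"""Audit two PIX-style peer configurations for IKE/IPsec compatibility and SA lifetime.

Constructed sample input below; peer names, addresses, defaults and threshold
are assumptions for illustration, not values taken from the chapter.
"""
import re

# Assumed values used when a peer has no explicit lifetime command (assumption).
DEFAULT_LIFETIME = {"seconds": 28800, "kilobytes": 4608000}

# IKE policy parameters that must agree for two policies to be compatible here;
# the policy lifetime is negotiated separately and is not part of the match (assumption).
POLICY_KEYS = ("authentication", "encryption", "group", "hash")

PROMPT_RE = re.compile(r"^\S+\(config\)#\s*")
POLICY_RE = re.compile(r"^isakmp policy (\d+) (authentication|encryption|group|hash|lifetime) (\S+)$")
TRANSFORM_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
LIFETIME_RE = re.compile(r"^crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)$")

# Constructed peer configurations (peer A mirrors the commands shown in this chapter).
PEER_A = """
tgpix(config)# isakmp policy 10 authentication pre-share
tgpix(config)# isakmp policy 10 encryption 3des
tgpix(config)# isakmp policy 10 group 2
tgpix(config)# isakmp policy 10 hash md5
tgpix(config)# isakmp policy 10 lifetime 86400
tgpix(config)# crypto ipsec transform-set strong esp-3des esp-md5-hmac
tgpix(config)# crypto ipsec security-association lifetime seconds 900
"""

PEER_B = """
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 group 2
isakmp policy 20 hash sha
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 group 2
isakmp policy 30 hash md5
crypto ipsec transform-set peerb esp-3des esp-md5-hmac
"""


def parse_config(text):
    """Extract IKE policies, transform sets and the IPsec SA lifetime from config text."""
    cfg = {"policies": {}, "transform_sets": {}, "lifetime": dict(DEFAULT_LIFETIME)}
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())  # drop a leading "host(config)# " prompt if present
        m = POLICY_RE.match(line)
        if m:
            cfg["policies"].setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
            continue
        m = TRANSFORM_RE.match(line)
        if m:
            # Keep the algorithm list; the set name is local to each peer and need not match.
            cfg["transform_sets"][m.group(1)] = tuple(m.group(2).split())
            continue
        m = LIFETIME_RE.match(line)
        if m:
            cfg["lifetime"][m.group(1)] = int(m.group(2))
    return cfg


def matching_policies(a, b):
    """Return (a_id, b_id) pairs whose authentication, encryption, group and hash agree."""
    return [(ia, ib)
            for ia, pa in a["policies"].items()
            for ib, pb in b["policies"].items()
            if all(pa.get(k) == pb.get(k) for k in POLICY_KEYS)]


def common_transforms(a, b):
    """Return the algorithm combinations both peers have configured as transform sets."""
    return sorted(set(a["transform_sets"].values()) & set(b["transform_sets"].values()))


def audit(a, b, max_seconds=3600):
    """Report compatibility problems and SA lifetimes above max_seconds (threshold assumed)."""
    findings = []
    if not matching_policies(a, b):
        findings.append("no compatible isakmp policy")
    if not common_transforms(a, b):
        findings.append("no common transform set")
    for name, cfg in (("peer A", a), ("peer B", b)):
        secs = cfg["lifetime"]["seconds"]
        if secs > max_seconds:
            findings.append(f"{name}: SA lifetime {secs}s exceeds {max_seconds}s")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(PEER_A), parse_config(PEER_B)):
        print(finding)
```

Run as is, the script reports only that peer B, which has no lifetime command, falls back to the assumed 28800-second default and exceeds the threshold; peer A's policy 10 matches peer B's policy 30 and both share the esp-3des/esp-md5-hmac transform set, so the negotiation itself would not be blocked by these parameters.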