Selecting the Configuration

Selecting a standardized configuration is perhaps the most important step in creating a VPN. You need to follow these steps when selecting your configuration:

Step 1 Determine which hosts will participate in this connection and which devices to use as VPN gateways. The Cisco Security Appliance can create a VPN connection to another PIX, VPN appliances, routers, other third-party firewalls that support IPSec, and so on.

Step 2 Gather information about the peers and all hosts and networks that will participate in this VPN.

Step 3 Select which phase 1 and phase 2 IKE policies to use based on the number and location of the peers.

Step 4 Verify the current configuration of your Cisco Security Appliance to ensure that you do not select any policies (such as access control lists [ACL], ISAKMP policies, or crypto maps) that conflict with the current configuration:

• Ensure that you have connectivity with your peers. If you are unable to connect with a peer in the clear, you will be unable to create an encrypted connection.

• Ensure that perimeter devices, such as routers, are allowing the traffic required to create and maintain the VPN connection. Most notable are UDP port 500 (used for IKE negotiation), protocol 50 (ESP), and protocol 51 (AH).

It is extremely important to ensure that VPN peers have configurations with matching elements. If both peers are not configured to have compatible VPN components, they will be unable to create the encrypted connection.
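The two checks above (the perimeter device must pass UDP 500, ESP and AH, and the peers' phase 1 policies must contain matching elements) can be rehearsed before touching the appliance. The following Python script is an added example written for this page, not code from the book or from Cisco; it uses a simplified rule model of its own (a list of (action, protocol, port) tuples, not Cisco ACL syntax) and a small ISAKMP policy record, and it assumes the phase 1 matching rule that the responder walks its own policies in priority order, accepts the first one whose encryption, hash, authentication and Diffie-Hellman group equal something the initiator offered, and uses the shorter of the two lifetimes.

```python
"""Pre-deployment VPN sanity checks (added example, not from the book).

Part 1: does a perimeter rule set permit the flows a site-to-site IPSec
        tunnel needs (UDP/500 for IKE, IP protocol 50 ESP, IP protocol 51 AH)?
Part 2: do two peers' ISAKMP (phase 1) policies contain a compatible match?
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# --- Part 1: perimeter rule check -------------------------------------------
# Rule model is an assumption of this example: (action, protocol, dst_port).
# Protocol names map to IP protocol numbers; "ip" matches any protocol and
# a dst_port of None matches any port (or a protocol without ports).
PROTO_NUM = {"ip": None, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}

# Flows the text says must be allowed through perimeter devices.
REQUIRED_FLOWS = [
    ("udp", 500, "IKE (ISAKMP) negotiation, UDP port 500"),
    ("esp", None, "ESP, IP protocol 50"),
    ("ah", None, "AH, IP protocol 51"),
]


def first_match(rules, proto: str, port: Optional[int]) -> str:
    """Return the action of the first rule covering the flow; implicit deny."""
    for action, rproto, rport in rules:
        if rproto != "ip" and PROTO_NUM[rproto] != PROTO_NUM[proto]:
            continue
        if rport is not None and rport != port:
            continue
        return action
    return "deny"  # no rule matched: implicit deny at the end of the list


def missing_vpn_flows(rules) -> List[str]:
    """Describe every required VPN flow the rule set does not permit."""
    return [desc for proto, port, desc in REQUIRED_FLOWS
            if first_match(rules, proto, port) != "permit"]


# --- Part 2: ISAKMP (phase 1) policy compatibility ---------------------------
@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int        # lower number = higher priority
    encryption: str      # e.g. "aes-256", "3des"
    hash: str            # e.g. "sha", "md5"
    authentication: str  # e.g. "pre-share", "rsa-sig"
    group: int           # Diffie-Hellman group
    lifetime: int        # seconds

    def key(self) -> Tuple[str, str, str, int]:
        """The four elements that must be identical on both peers."""
        return (self.encryption, self.hash, self.authentication, self.group)


def negotiate_phase1(initiator: List[IsakmpPolicy],
                     responder: List[IsakmpPolicy]
                     ) -> Optional[Tuple[IsakmpPolicy, int]]:
    """Return (responder policy selected, negotiated lifetime), or None.

    Assumed matching rule: the responder checks its own policies in
    priority order against everything the initiator offered and takes the
    first exact match on encryption/hash/auth/group; lifetimes need not be
    identical, the shorter of the two is used.
    """
    offered = {p.key(): p for p in sorted(initiator, key=lambda p: p.priority)}
    for r in sorted(responder, key=lambda p: p.priority):
        i = offered.get(r.key())
        if i is not None:
            return r, min(r.lifetime, i.lifetime)
    return None


if __name__ == "__main__":
    # Constructed sample data, not taken from any real device.
    perimeter_rules = [("permit", "tcp", 443), ("permit", "udp", 500),
                       ("permit", "esp", None)]
    for gap in missing_vpn_flows(perimeter_rules):
        print("perimeter does not permit:", gap)

    pix_a = [IsakmpPolicy(10, "aes-256", "sha", "pre-share", 2, 86400),
             IsakmpPolicy(20, "3des", "md5", "pre-share", 2, 86400)]
    pix_b = [IsakmpPolicy(10, "aes-128", "sha", "pre-share", 5, 86400),
             IsakmpPolicy(20, "3des", "md5", "pre-share", 2, 3600)]
    result = negotiate_phase1(pix_a, pix_b)
    print("phase 1 match:", result)
```

Running the script reports that the sample rule set is missing AH (IP protocol 51) and that the only phase 1 match is the lower-priority 3DES/MD5 policy with the shorter 3600-second lifetime; both findings are exactly the kind of mismatch the text warns will prevent the encrypted connection from forming or silently weaken it.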