This command creates an IKE process on the router. You
must have an IOS version that supports the IPSec feature set.
The priority number can be anything from 1 to 10,000, and 1
is the highest priority. As with other elements such as route
maps, the convention is to start with 10 and increment by 10
to allow for future changes. You are now in ISAKMP policy
configuration command mode.
hash md5
This command specifies that you will use a preshared key
and the MD5 hash algorithm for packet authentication. It is
possible to configure a key dynamically using RSA public
key signatures, but that requires a certificate server and
other infrastructure.
group 2
This parameter is generally set to 2 to reflect the Diffie-Hellman group number to use for key negotiation. Group 1 uses a 768-bit key exchange, and group 2 uses 1,024 bits. A complete list of the group numbers and their related parameters is available at www.cisco.com/en/US/customer/products/hw/vpndevc/ps2286/products_user_guide_chapter09186a008015d00c.html.
lifetime 3600
The lifetime parameter defines how long a security association
will last. It is defined in seconds and can range from
one minute to one day. A value of 3,600 seconds is equal
to one hour. Longer lifetimes might compromise security
but can reduce overhead.
crypto isakmp key tyler address 10.1.1.1
This configuration command defines the key to be used and
the IP address of the far-end Ethernet segment that serves
as the termination of the tunnel. In this instance, the key is
tyler and the IP address is 10.1.1.1. This key will be defined on
both routers, is case-sensitive, and can be up to 128 characters
long. Security can be enhanced by using longer keys
with alphanumeric characters.
crypto ipsec transform-set tunnel-A ah-md5-hmac esp-des
This command defines the transforms that will be used. This
command defines AH (MD5 HMAC) and ESP (56-bit DES), but other
combinations might include specifying triple DES or LZS
compression. Depending on the choices selected, the administrator
can select up to three transforms. IOS will prevent
incompatible values.
crypto map map-A local-address Ethernet0
Here we define a crypto-map called map-A. It is bound to
the Ethernet 0 interface; recall that we are going to create a
tunnel from one Ethernet interface to another.
crypto map map-A 10 ipsec-isakmp
This command enters crypto-map configuration mode with a
map numbered 10. Again, this is a definable value.
set peer 10.1.1.1
Here we set the peer by again defining the IP address of the
remote router. This applies to the map and not to the key, but it would be
nice if Cisco would simplify this relationship.
set transform-set tunnel-A
This command links the map to the transform set previously
defined.
match address 110
This defines the ACL to be used in determining what traffic is
encrypted. Please note that ACLs 100 through 102 are reserved
for use by the DOCSIS configuration file and should not be
used with cable modems.
interface Ethernet0
This selects the Ethernet interface.
ip address 10.1.2.1 255.255.255.0
This defines the local IP address of 10.1.2.1/24.
interface cable-modem0
This selects the cable modem interface.
crypto map map-A
This defines that crypto-map map-A is to be used.
access-list 110 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
This defines access list 110, which was assigned to
tunnel-A. This defines that all traffic destined for 10.1.1/24
from 10.1.2/24 should be encrypted. Remember that this
uses wildcard mask rules.
That’s it. Of course, a real configuration would also need routing and other parameters to
be defined. The cable modem would also require an IP address. The opposing router would
require a comparable configuration as well to establish the tunnel.
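As an added example (not from the original text), the commands walked through above gathered into one constructed configuration, plus a small Python checker that reports the relationships the text warns about (the set peer address versus the crypto isakmp key address, transform-set and ACL names referenced by the crypto map, ACLs 100 through 102 reserved for DOCSIS, an unapplied crypto map) alongside the weak algorithm choices. The "crypto isakmp policy 10" line and the 16-character key threshold are assumptions.

```python
# Constructed sample: this page's configuration gathered into one IOS-style text. The
# "crypto isakmp policy 10" line is assumed; the page describes it but does not print it.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 hash md5
 group 2
crypto isakmp key tyler address 10.1.1.1
crypto ipsec transform-set tunnel-A ah-md5-hmac esp-des
crypto map map-A local-address Ethernet0
crypto map map-A 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set tunnel-A
 match address 110
interface cable-modem0
 crypto map map-A
access-list 110 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""
WEAK = {"des": "56-bit DES", "md5": "MD5", "1": "768-bit DH group 1", "2": "1024-bit DH group 2"}

def audit(config):
    # Returns a list of findings: weak algorithm choices and dangling cross-references.
    findings, refs = [], []
    key_peers, peers, tsets, acls, maps, applied = (set() for _ in range(6))
    for w in filter(None, (line.split() for line in config.splitlines())):
        if w[:3] == ["crypto", "isakmp", "key"]:             # crypto isakmp key KEY address PEER
            key_peers.add(w[5])
            if len(w[3]) < 16:                               # assumed threshold; page allows up to 128 chars
                findings.append(f"pre-shared key for peer {w[5]} is only {len(w[3])} characters")
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:  # flag DES and MD5 in any transform
            tsets.add(w[3])
            findings += [f"transform-set {w[3]} uses {WEAK[k]}" for t in w[4:] for k in ("des", "md5") if k in t.split("-")]
        elif w[:2] == ["crypto", "map"]:                      # 3 words = applied under an interface
            (applied if len(w) == 3 else maps).add(w[2])
        elif w[:2] in (["hash", "md5"], ["group", "1"], ["group", "2"]):
            findings.append(f"ISAKMP policy uses {WEAK[w[1]]}")
        elif w[:2] == ["set", "peer"]:
            peers.add(w[2])
        elif w[:2] == ["set", "transform-set"]:
            refs.append(("transform-set", w[2]))
        elif w[:2] == ["match", "address"]:
            refs.append(("access-list", w[2]))
            if w[2] in ("100", "101", "102"):                 # reserved for the DOCSIS config file
                findings.append(f"ACL {w[2]} is reserved for the DOCSIS configuration file")
        elif w[0] == "access-list":
            acls.add(w[1])
    defined = {"transform-set": tsets, "access-list": acls}
    findings += [f"set peer {p} has no matching crypto isakmp key" for p in sorted(peers - key_peers)]
    findings += [f"crypto map references undefined {k} {n}" for k, n in refs if n not in defined[k]]
    findings += [f"crypto map {m} is never applied to an interface" for m in sorted(maps - applied)]
    return findings
```

Run against the sample it reports the MD5 hash, DH group 2, the five-character key, and the MD5/DES transforms; change the set peer address or the match address number and the cross-reference findings appear as well.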