Creating an ISAKMP Aegis Suite

www.syngress.com
Configuring Virtual Private Networking • Chapter 7 353

The next step is to configure the IKE policy parameters. The PIX can have many IKE policies (also known as ISAKMP security suites), which are distinguished by their priority (an integer from 1 to 65,534). The smaller this number, the higher the policy's priority. The IKE policy parameters must match exactly between peers. The policy with the smallest number is attempted first; if the remote peer does not accept it, the next one is attempted. This process continues until one of the policies is accepted by the other peer or the policy list is exhausted, in which case IKE negotiation fails. To create a policy, use the following commands:

isakmp policy <priority> authentication {pre-share | rsa-sig}
isakmp policy <priority> encryption {des | 3des}
isakmp policy <priority> hash {md5 | sha}
isakmp policy <priority> group {1 | 2}
isakmp policy <priority> lifetime <seconds>

These commands specify (in order) the peer authentication method, the encryption algorithm, the hash algorithm used for data authentication, the Diffie-Hellman group identifier, and the IKE SA lifetime in seconds. All five commands for one policy carry the same priority number, which is what ties them together. The lifetime can be any number of seconds from 120 to 86,400 (one day, which is also the default).
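The priority-ordered selection described above, as an added example that is not part of the book: a small Python model of how a PIX walks its ISAKMP policies, lowest priority number first, and finally its implicit default suite. The Policy class, negotiate() and the sample peers are this example's own; the default suite's values (DES, SHA, RSA signatures, group 1, 86,400 seconds) and its priority of 65,535 are the ones the chapter reports. The model compares the four algorithm parameters exactly and leaves the lifetime out of the comparison, which is a simplification.

```python
from dataclasses import dataclass

DEFAULT_PRIORITY = 65535  # the PIX's implicit default suite; never printed by show isakmp policy


@dataclass(frozen=True)
class Policy:
    """One ISAKMP security suite, as configured with the isakmp policy commands."""
    priority: int
    encryption: str   # "des" | "3des"
    hash_alg: str     # "md5" | "sha"
    auth: str         # "pre-share" | "rsa-sig"
    group: int        # Diffie-Hellman group, 1 or 2
    lifetime: int     # IKE SA lifetime in seconds


# The default protection suite, with the values the chapter's show output reports.
DEFAULT_POLICY = Policy(DEFAULT_PRIORITY, "des", "sha", "rsa-sig", 1, 86400)

# Parameters that must agree between a local policy and a peer proposal
# (lifetime is deliberately left out; see the lead-in).
MATCH_FIELDS = ("encryption", "hash_alg", "auth", "group")


def validate(policy):
    """Reject priorities outside the configurable range 1..65534."""
    if not 1 <= policy.priority <= DEFAULT_PRIORITY - 1:
        raise ValueError(f"priority {policy.priority} is outside 1..65534")
    return policy


def policies_match(local, proposal):
    return all(getattr(local, f) == getattr(proposal, f) for f in MATCH_FIELDS)


def negotiate(local_policies, peer_proposals):
    """Walk the local policies from lowest priority number to highest, then the
    implicit default suite, and return the first (local, proposal) pair that
    matches. None means the list was exhausted and IKE negotiation failed."""
    ordered = sorted((validate(p) for p in local_policies), key=lambda p: p.priority)
    ordered.append(DEFAULT_POLICY)
    for local in ordered:
        for proposal in peer_proposals:
            if policies_match(local, proposal):
                return local, proposal
    return None


def used_default_suite(result):
    """True when negotiation only succeeded by falling back to the default suite."""
    return result is not None and result[0].priority == DEFAULT_PRIORITY


if __name__ == "__main__":
    # The chapter's plan: priority 10, 3DES / MD5 / pre-shared keys / group 2 / 2400 s.
    local = [Policy(10, "3des", "md5", "pre-share", 2, 2400)]
    # Constructed peers: one matching, one offering only the default suite's
    # parameters, one that matches nothing.
    good_peer = [Policy(1, "3des", "md5", "pre-share", 2, 2400)]
    weak_peer = [Policy(1, "des", "sha", "rsa-sig", 1, 86400)]
    bad_peer = [Policy(1, "3des", "sha", "pre-share", 2, 2400)]
    for name, peer in (("good", good_peer), ("weak", weak_peer), ("bad", bad_peer)):
        result = negotiate(local, peer)
        chosen = "no match" if result is None else f"priority {result[0].priority}"
        print(f"{name} peer -> {chosen}, default suite used: {used_default_suite(result)}")
```

The second case is the one worth noticing: a peer that offers nothing better than DES, SHA, RSA signatures and group 1 never matches priority 10, yet negotiation still succeeds on the default suite, so used_default_suite() is the check to run after any tunnel comes up unexpectedly.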

According to our plan, we will configure the following on both firewalls using a priority of 10:

isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 2400

If any of these parameters is not specified, the default value is used. The default values are des for encryption, sha for the hash algorithm, 1 for the DH group, 86,400 seconds for the IKE SA lifetime and rsa-sig for the authentication method; these are exactly the values of the default protection suite in the show isakmp policy output below. Of course, we must also specify the peer authentication method. If you are using pre-shared keys, use the following command:

isakmp policy 10 authentication pre-share

If you are using digital certificates, use the following command (rsa-sig is the default and does not strictly need to be specified, but stating it makes the intent visible in the configuration):

isakmp policy 10 authentication rsa-sig

To verify the configuration of IKE policies, use the show isakmp policy command. If you're using pre-shared keys, the output should be as follows:

PIX1# show isakmp policy
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               2400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

As you can see here, there is also a default IKE policy. Although it cannot be seen in the output of the command, this default policy has a priority of 65,535. If the configured ISAKMP policies do not match a proposal from the remote peer, the firewall tries this default policy. If the default policy also does not match, ISAKMP negotiation fails. Keep in mind that this default suite is the weakest set of parameters the firewall will accept: 56-bit DES and the 768-bit modulus of DH group 1 are inadequate by today's standards, and a peer that proposes only those values still completes IKE phase 1 even though it matched none of the policies you configured. When auditing a PIX, check which suite an established ISAKMP SA actually negotiated rather than assuming it was the one you intended.
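A check a practitioner would want after reading the output above, added here as an example and not taken from the book: parse show isakmp policy output and flag the weak choices in each suite (single DES, MD5, DH group 1). The parser, the Suite class and the audit functions are this example's own; the sample text is constructed from the output printed above, and the default suite is assigned the priority of 65,535 that the chapter says it has.

```python
import re
from dataclasses import dataclass

DEFAULT_PRIORITY = 65535  # priority of the default suite; the command does not print it

# Constructed sample: the show isakmp policy output as printed in the chapter.
SHOW_ISAKMP_POLICY = """\
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               2400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""


@dataclass
class Suite:
    priority: int
    encryption: str = ""
    hash_alg: str = ""
    auth: str = ""
    group: int = 0
    lifetime: int = 0


def parse_show_isakmp_policy(text):
    """Return one Suite per protection suite, in the order the command lists them."""
    suites = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Protection suite of priority (\d+)$", line)
        if m:
            current = Suite(int(m.group(1)))
            suites.append(current)
        elif line == "Default protection suite":
            current = Suite(DEFAULT_PRIORITY)
            suites.append(current)
        elif current is not None and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            if key == "encryption algorithm":
                current.encryption = value
            elif key == "hash algorithm":
                current.hash_alg = value
            elif key == "authentication method":
                current.auth = value
            elif key == "Diffie-Hellman group":
                current.group = int(re.match(r"#(\d+)", value).group(1))
            elif key == "lifetime":
                current.lifetime = int(re.match(r"(\d+) seconds", value).group(1))
    return suites


def audit_suite(suite):
    """List the weak parameters of one suite (an empty list means nothing was flagged)."""
    findings = []
    # Single 56-bit DES prints as "DES - ..."; "Three key triple DES" does not start with DES.
    if suite.encryption.lower().startswith("des"):
        findings.append("56-bit DES encryption")
    if "message digest 5" in suite.hash_alg.lower():
        findings.append("MD5 hash")
    if suite.group == 1:
        findings.append("DH group 1 (768-bit modulus)")
    return findings


def audit(text):
    """Map each suite's priority to its findings; 65535 is the default suite."""
    return {s.priority: audit_suite(s) for s in parse_show_isakmp_policy(text)}


if __name__ == "__main__":
    for priority, findings in audit(SHOW_ISAKMP_POLICY).items():
        label = "default suite" if priority == DEFAULT_PRIORITY else f"priority {priority}"
        print(f"{label}: {', '.join(findings) if findings else 'no weak parameters'}")
```

Run against the chapter's output, the audit flags MD5 on the configured policy and both DES and group 1 on the default suite, which is the fallback every PIX keeps whether or not you configured it.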