Creating an ISAKMP Security Suite
The next step is to configure IKE policy parameters. The PIX can have many
IKE policies (also known as ISAKMP security suites), which are distinguished by
their priority (an integer from 1 to 65,534). The lower this number, the higher
the policy's priority. The IKE policy parameters between peers must match
exactly. The policy with the lowest number is attempted first, and if it is not
accepted by the remote peer, the next is attempted. This process continues until
www.syngress.com
Configuring Virtual Private Networking • Chapter 7 353
one of the policies is accepted by the other peer or the policy list is exhausted
and IKE establishment fails. To create a policy, use the following commands:
isakmp policy priority encryption {des | 3des}
isakmp policy priority hash {md5 | sha}
isakmp policy priority authentication {pre-share | rsa-sig}
isakmp policy priority group {1 | 2}
isakmp policy priority lifetime seconds
These commands specify (in order) the encryption algorithm to be used, the
data authentication (hash) algorithm, the peer authentication method, the Diffie-
Hellman group identifier, and the IKE SA lifetime in seconds. The lifetime can
be any number of seconds between 2 and 3600.
According to our plan, we will configure the following on both firewalls,
using a priority of 10:
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 2400
If any of these parameters is not specified, the default value is used. The
default values for each of these parameters are des for encryption, md5 for data
authentication, 1 for DH group, and 3600 for IKE SA lifetime. Of course, we
must also specify the peer authentication method. If you are using pre-shared
keys, use the following command:
isakmp policy 10 authentication pre-share
If you are using digital certificates, use the following command (although it is
the default and does not really need to be specified):
isakmp policy 10 authentication rsa-sig
To verify the configuration of IKE policies, use the show isakmp policy command.
If you're using pre-shared keys, the output should be as follows:
PIX1# show isakmp policy
Protection suite of priority 10
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 2400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
As you can see here, there is also a default IKE policy. Although it cannot be
seen in the output of the command, this default policy has a priority of 65,535. If
the configured ISAKMP policies do not match a proposal by the remote peer,
the firewall tries this default policy. If the default policy also does not match,
ISAKMP negotiation fails.
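The following Python script is an added illustration, not code from the book or from Cisco: it models the selection behaviour described in this section. It parses the text of show isakmp policy (the sample listing embedded in it is constructed to mirror the output above), orders the protection suites by priority with the unnumbered default suite placed at 65,535, walks them in that order until every parameter of a remote peer's proposal matches (the exact-match rule stated at the start of the section, applied to the lifetime as well), and flags parameter values a defender would consider weak today. All function, class and field names are my own.

```python
"""Model of PIX IKE (ISAKMP) policy selection, added as an illustration.

Parses `show isakmp policy` text, orders the protection suites by priority
(lowest number tried first), places the implicit default suite at priority
65535, checks which suite a remote peer's proposal would match, and flags
parameters that are weak by current standards. Names are illustrative.
"""
import re
from dataclasses import dataclass

DEFAULT_PRIORITY = 65535  # the default suite is listed without a number

# Descriptive strings printed by `show isakmp policy`, mapped back to the
# keywords accepted by the isakmp policy commands.
ENCRYPTION = {"Three key triple DES": "3des",
              "DES - Data Encryption Standard (56 bit keys)": "des"}
HASH = {"Message Digest 5": "md5", "Secure Hash Standard": "sha"}
AUTH = {"Pre-Shared Key": "pre-share",
        "Rivest-Shamir-Adleman Signature": "rsa-sig"}

# Values a defender would flag today: 56-bit DES, MD5, 768-bit DH group 1.
WEAK = {"encryption": {"des"}, "hash_alg": {"md5"}, "group": {1}}


@dataclass(frozen=True)
class Policy:
    priority: int
    encryption: str
    hash_alg: str
    authentication: str
    group: int
    lifetime: int  # seconds


def parse_show_isakmp_policy(text):
    """Return the suites in the order the PIX tries them (lowest priority first)."""
    blocks = []  # list of (priority, {field: value}) in output order
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Protection suite of priority (\d+)$", line)
        if m:
            blocks.append((int(m.group(1)), {}))
        elif line == "Default protection suite":
            blocks.append((DEFAULT_PRIORITY, {}))
        elif ":" in line and blocks:
            key, value = line.split(":", 1)
            blocks[-1][1][key.strip()] = value.strip().rstrip(".")
    policies = [
        Policy(
            priority=prio,
            encryption=ENCRYPTION[f["encryption algorithm"]],
            hash_alg=HASH[f["hash algorithm"]],
            authentication=AUTH[f["authentication method"]],
            group=int(re.search(r"#(\d+)", f["Diffie-Hellman group"]).group(1)),
            lifetime=int(f["lifetime"].split()[0]),
        )
        for prio, f in blocks
    ]
    return sorted(policies, key=lambda p: p.priority)


def negotiate(policies, proposal):
    """Walk the suites in priority order and return the first one whose
    parameters all equal the remote proposal (a dict keyed like Policy,
    without priority). Returns None when the list, default included, is
    exhausted, which is the point at which IKE establishment fails."""
    for policy in policies:
        if all(getattr(policy, name) == value for name, value in proposal.items()):
            return policy
    return None


def weak_parameters(policy):
    """Names of the policy's parameters whose values are listed in WEAK."""
    return [name for name, bad in WEAK.items() if getattr(policy, name) in bad]


# Constructed sample, shaped like the `show isakmp policy` listing above.
SAMPLE_OUTPUT = """\
PIX1# show isakmp policy
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               2400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""

if __name__ == "__main__":
    suites = parse_show_isakmp_policy(SAMPLE_OUTPUT)
    for suite in suites:
        print(suite, "weak:", weak_parameters(suite) or "none")
    # A peer offering exactly what priority 10 configures matches it; the same
    # offer with SHA instead of MD5 matches neither suite and negotiation fails.
    offer = {"encryption": "3des", "hash_alg": "md5", "authentication": "pre-share",
             "group": 2, "lifetime": 2400}
    print("match:", negotiate(suites, offer).priority)
    print("match:", negotiate(suites, dict(offer, hash_alg="sha")))
```

Running it shows the two suites in the order the firewall tries them and makes the section's caveat concrete: a proposal that differs in a single parameter falls through to the default suite, and if that does not match either, negotiation fails. The weak_parameters check is the sort of thing to run over a fleet's show isakmp policy output, since the default suite with DES and DH group 1 is still tried whenever the configured suites do not match.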