Enabling IKE
Configuration of IKE behavior starts with enabling IKE processing on the outside
interface of the firewall (or any other interface that faces the remote
peer). This must be done on each peer using the following command:
isakmp enable
In our example, this command needs to be applied to the outside interface of each
firewall:
PIX1(config)# isakmp enable outside
PIX2(config)# isakmp enable outside
IKE is enabled on all interfaces by default. It can be turned off on a specific
interface (to prevent DoS attacks against the interface) using the no form of the
command:
no isakmp enable
By default, the PIX firewall uses its IP addresses to identify itself to its peers.
The PIX can identify itself (and its peers) by either an IP address or a hostname.
When peers are to be authenticated by RSA signatures, it is recommended that
the hostname be used. (The remote peer must either be defined on the firewall
using the name command, or it must be resolvable through DNS.) On the other
hand, if you requested digital certificates that contain IP addresses, you should
stick with the default of using the IP address as the identity method. To change
the identity method, use the following command, but be sure to use the same
method on both firewalls:
isakmp identity {address | hostname}
If the identity methods do not match, the peers will not be able to negotiate
an IKE SA and consequently no IPsec SA will be established.
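The following configuration fragment is an added example, not taken from the original text, that puts the commands above together for the two-firewall scenario: IKE is enabled on the outside interface of both peers, both switch to hostname-based identity so RSA-signature authentication can be used, and each firewall learns the other's hostname through the name command so it does not depend on DNS. The hostnames PIX1 and PIX2 are the ones used in this section; the outside addresses 192.0.2.1 and 192.0.2.2 are constructed sample values.

```text
! PIX1 (outside interface 192.0.2.1; sample address, constructed for this example)
PIX1(config)# names
PIX1(config)# name 192.0.2.2 PIX2          ! make the remote peer's hostname resolvable locally
PIX1(config)# isakmp enable outside        ! IKE processing on the interface facing the peer
PIX1(config)# isakmp identity hostname     ! identify as PIX1, not as 192.0.2.1

! PIX2 (outside interface 192.0.2.2; sample address, constructed for this example)
PIX2(config)# names
PIX2(config)# name 192.0.2.1 PIX1
PIX2(config)# isakmp enable outside
PIX2(config)# isakmp identity hostname     ! must match the method chosen on PIX1
```

The key check is the last line on each firewall: both must use `hostname` (or both `address`). If one side were left at the default `address` while the other used `hostname`, IKE phase 1 would fail as described above and no IPsec SA would ever be built, which shows up as a missing IKE SA rather than as a data-plane error.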