Planning
Applying the three-step plan outlined, we first need to do some planning. Let’s
decide on the negotiation parameters. Figure 7.8 shows the networks and IP
addresses that are used in the example.
First, we need to decide on IKE Phase 1 parameters. Security parameters
include the peer authentication method (pre-shared keys or digital certificates), the
encryption algorithm (DES or 3DES), the data authentication algorithm (MD5 or
SHA-1), the DH group identifier (Group 1 or Group 2), and the IKE SA lifetime.
All these parameters together constitute an IKE policy. It is possible to configure a
different set of policies for each remote peer, but at least one policy must be
shared by both firewalls in order for the IKE tunnel to be established. In this
example, we use 3DES encryption, MD5 authentication, DH Group 2, and an
IKE SA lifetime of 2400 seconds. We provide examples for using both pre-shared
keys as well as digital certificates as the authentication method. If using pre-shared
keys, we need to determine the keys to use. We use the key string mykey1.
www.syngress.com
350 Chapter 7 • Configuring Virtual Private Networking
The next task is the selection of IPsec parameters. Besides confirming peer IP
addresses and names, we need to decide if the IPsec SAs will be created with the
help of IKE, and we must select transform sets for each peer. Again, it is possible
to configure many different transform sets for each IPsec tunnel, but at least one
must be the same on both firewalls in order for an IPsec SA and an IPsec tunnel
to be successfully established. In this example, we configure a transform set with
tunnel mode, ESP protection with DES, and ESP authentication with SHA-1.
Now we are ready for configuration. Let’s go through it step by step. Please
note that the steps defining an ISAKMP pre-shared key and configuring certificate
authority support are exclusive, and only one of them needs to be performed.
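The planning text makes one point twice: a tunnel comes up only if at least one IKE policy (Phase 1) and at least one transform set (Phase 2) is identical on both firewalls, even when each side carries several. The following added example (not code from the book or from any PIX software) models that agreement check with the parameter values chosen above. The policy priorities, the second peer's extra entries, the function names and the rule that lifetimes are negotiated to the shorter value are assumptions made for illustration.

```python
"""Model of the parameter agreement the planning step describes: each
firewall carries an ordered list of IKE policies and transform sets, and
a tunnel can only be established if at least one entry on each side
matches. Constructed example, not the book's PIX configuration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkePolicy:
    """IKE Phase 1 parameters, the five the planning section lists."""
    priority: int          # lower number = higher preference (assumed)
    authentication: str    # "pre-share" or "rsa-sig"
    encryption: str        # "des" or "3des"
    hash_alg: str          # "md5" or "sha"
    group: int             # DH group 1 or 2
    lifetime: int          # IKE SA lifetime in seconds

    def attributes(self) -> tuple:
        # Everything except priority and lifetime must match exactly.
        return (self.authentication, self.encryption, self.hash_alg, self.group)


@dataclass(frozen=True)
class TransformSet:
    """IPsec Phase 2 parameters."""
    name: str
    mode: str              # "tunnel" or "transport"
    esp_encryption: str    # "esp-des" or "esp-3des"
    esp_auth: str          # "esp-md5-hmac" or "esp-sha-hmac"

    def attributes(self) -> tuple:
        return (self.mode, self.esp_encryption, self.esp_auth)


def negotiate_ike(responder: List[IkePolicy],
                  initiator: List[IkePolicy]) -> Optional[IkePolicy]:
    """Walk the responder's policies by priority and return the first one the
    initiator also offers. Modelling assumption: lifetimes need not be equal;
    the shorter of the two is used. None means Phase 1 cannot complete."""
    for local in sorted(responder, key=lambda p: p.priority):
        for remote in initiator:
            if local.attributes() == remote.attributes():
                return IkePolicy(local.priority, local.authentication,
                                 local.encryption, local.hash_alg, local.group,
                                 min(local.lifetime, remote.lifetime))
    return None


def negotiate_transform_set(responder: List[TransformSet],
                            initiator: List[TransformSet]) -> Optional[TransformSet]:
    """First transform set present on both sides, or None."""
    for local in responder:
        for remote in initiator:
            if local.attributes() == remote.attributes():
                return local
    return None


def tunnel_can_establish(init_ike, resp_ike, init_ts, resp_ts
                         ) -> Tuple[bool, str, Optional[IkePolicy], Optional[TransformSet]]:
    """Both phases must agree; Phase 2 is never attempted if Phase 1 fails."""
    phase1 = negotiate_ike(resp_ike, init_ike)
    if phase1 is None:
        return (False, "no common IKE policy", None, None)
    phase2 = negotiate_transform_set(resp_ts, init_ts)
    if phase2 is None:
        return (False, "no common transform set", phase1, None)
    return (True, "ok", phase1, phase2)


# Constructed sample data: the values from the planning section on PIX1,
# and the same values plus extra (non-matching) entries on PIX2.
PIX1_IKE = [IkePolicy(10, "pre-share", "3des", "md5", 2, 2400)]
PIX2_IKE = [IkePolicy(5, "rsa-sig", "3des", "sha", 2, 86400),
            IkePolicy(10, "pre-share", "3des", "md5", 2, 86400)]
PIX1_TS = [TransformSet("myset", "tunnel", "esp-des", "esp-sha-hmac")]
PIX2_TS = [TransformSet("strong", "tunnel", "esp-3des", "esp-sha-hmac"),
           TransformSet("myset", "tunnel", "esp-des", "esp-sha-hmac")]
# A peer whose only policy differs in a single attribute (DH Group 1).
PIX_MISMATCH_IKE = [IkePolicy(10, "pre-share", "3des", "md5", 1, 2400)]

if __name__ == "__main__":
    print(tunnel_can_establish(PIX1_IKE, PIX2_IKE, PIX1_TS, PIX2_TS))
    print(tunnel_can_establish(PIX_MISMATCH_IKE, PIX2_IKE, PIX1_TS, PIX2_TS))
```

The second call shows the failure mode a practitioner spends the most time on: a single differing attribute (here the DH group) leaves the two peers with no common policy, so Phase 1 never completes and the transform sets are never even compared. When both sides do agree, the negotiated lifetime is the shorter of the two (2400 seconds here), which is why a short lifetime on one peer is enough to force frequent rekeying for the pair.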
Figure 7.8 Network Setup for a Site-to-Site VPN (figure not reproduced): PIX1 connects network 192.168.2.0/24 (address 192.168.2.1 on that side) with outside address 12.23.34.45; PIX2 connects network 192.168.3.0/24 (address 192.168.3.1 on that side) with outside address 23.34.45.56; the Verisign CA is at 205.139.94.230.