Configuring IPSec Encryption with a shared key in the Cisco PIX Firewall involves four key tasks:
1. Preparing for IPSec
Preparing for IPSec involves determining detailed encryption policies, including determining the host and network we want to protect, and selecting an authentication method to determine detailed information about the IPSec peer, determine the IPSec features we need, and confirm that the existing access control list allows the IPSec data stream to pass;
1: determine an IKE (IKE Phase 1, or master mode) policy between the IPSec peer based on the number and location of the peer;
2: Determine the IPSec (IKE Phase 2, or express mode) policy, including the details of the IPSec peer, such as IP address and IPSec conversion set and mode;
3: run the "write terminal", "show isakmp", "show isakmp policy", "show crypto map", and other "show" commands to check the current configuration;
4: confirm that the network works properly before encryption is used. Run the ping command and run the test data stream before encryption to eliminate basic route faults;
5: Check whether the existing access control list in the VBR and the PIX Firewall allows the IPSec data flow to pass, or the desired data flow can be filtered out.
Ii. Configure IKE
Configuring IKE involves enabling IKE (which is synonymous with isakmp), creating an IKE policy, and verifying our configuration;
1: use the "isakmp enable" command to enable or disable IKE;
2: run the "isakmp policy" command to create an IKE policy;
3: Use the "isakmp key" command and related commands to configure the pre-shared key;
4: run the "show isakmp [policy]" command to verify the IKE configuration.
3. Configure IPSec
IPSec configuration includes creating an access control list for encryption, defining a conversion set, creating an encryption graph entry, and applying the encryption set to the interface;
1: Use the access-list command to configure the access control list for encryption;
For example:
Access-list acl-name {permit | deny} protocol src_addr src_mask [operator port [port] dest_addr dest_mask [operator prot [port]
2: Use the crypto ipsec transform-set command to configure the conversion set;
For example:
Crypto ipsec transform-set-name transform1 [transform2 [transform3]
3: (optional) use the crypto ipsec security-association lifetime command to configure the lifetime of the global IPSec security association;
4: Use the crypto map command to configure the encryption graph;
5: Use the interface command and crypto map-name interface to apply the interface;
6: use various available show commands to verify the IPSec configuration.