VPN with Preshared Keys

Using preshared keys is easy, once you understand the concepts presented in the previous example. The difference between this configuration and the previous one is that you are now relying on the Internet Security Association and Key Management Protocol (ISAKMP) for exchanging keys. This section presents the configuration before exploring how it has changed. The main office's configuration is as follows:

hostname chicago
domain-name bigcompany.com
isakmp enable outside
isakmp policy 15 authentication pre-share
isakmp policy 15 encr 3des
crypto isakmp key isakmpkey address 172.30.1.2
crypto ipsec transform-set strong esp-sha-hmac esp-3des
access-list myaccesslist permit ip 10.1.2.0 255.255.255.0
crypto map seattletraffic 29 ipsec-isakmp
crypto map seattletraffic 29 match address myaccesslist
crypto map seattletraffic 29 set transform-set strong
crypto map seattletraffic 29 set peer 172.30.1.2
crypto map seattletraffic interface outside
sysopt connection permit-ipsec

The branch PIX Firewall configuration looks like this:

hostname seattle
domain-name bigcompany.com
isakmp enable outside
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption 3des
crypto isakmp key isakmpkey address 172.30.1.1
crypto ipsec transform-set strong esp-3des esp-sha-hmac
access-list chicagolist permit ip 10.1.1.0 255.255.255.0
crypto map chicagotraffic 31 ipsec-isakmp
crypto map chicagotraffic 31 match address chicagolist
crypto map chicagotraffic 31 set transform-set strong
crypto map chicagotraffic 31 set peer 172.30.1.1
crypto map chicagotraffic interface outside
sysopt connection permit-ipsec

isakmp Commands

Before explaining the example, review Table 4-8 concerning the isakmp commands. The isakmp commands are very similar in syntax to the vpdn commands. As with most commands, using the no form of the command removes the configuration.

Table 4-8. isakmp Commands

isakmp client configuration address-pool local localpoolname
    Assigns a VPN client an address from within the addresses set aside by the ip local pool command.

isakmp enable interfacename
    Enables ISAKMP on the interface specified by the parameter interfacename.

isakmp identity address | hostname
    Identifies the system for IKE participation.

isakmp key keystring address peer-address
    The keystring specifies the preshared key. The peer-address specifies the IP address of the peer.

isakmp peer fqdn fqdn no-xauth no-config-mode
    The fqdn (fully qualified domain name) is the full DNS name of the peer. This is used to identify a peer that is a security gateway.
    The no-xauth option is used if you enabled the Xauth feature and you have an IPSec peer that is a gateway.
    The no-config-mode option is used if you enabled the IKE Mode Configuration feature and you have an IPSec peer that is a security gateway.

isakmp policy priority authentication pre-share | rsa-sig
    Sets the priority for the authentication and defines whether you are using preshared keys or RSA signatures.

isakmp policy priority group1 | group2
    group1 and group2 are optionally used to specify whether a 768-bit Diffie-Hellman prime modulus group (group1) or a 1024-bit Diffie-Hellman prime modulus group (group2) will be used on new exchanges.

isakmp policy priority hash md5 | sha
    Specifies MD5 or SHA as the hash algorithm to be used in the IKE policy.

isakmp policy priority lifetime seconds
    Specifies how many seconds each SA should exist before expiring.

Explanation of VPN with Preshared Keys

Going back to the configuration, you can see that it is really quite simple to enable preshared keys. The following section will walk you through the configuration and explain what has been configured.

First, set the host name. The fully qualified domain name (FQDN) is set with the domain-name command.

hostname chicago
domain-name bigcompany.com

Then enable ISAKMP on the outside interface and define an ISAKMP policy that uses preshared keys and 3DES encryption.

isakmp enable outside
isakmp policy 15 authentication pre-share
isakmp policy 15 encr 3des

The ISAKMP key, whose value is isakmpkey, is set along with the IP address of the peer's outside interface. Then define the transform set named strong to use esp-sha-hmac followed by esp-3des.

crypto isakmp key isakmpkey address 172.30.1.2
crypto ipsec transform-set strong esp-sha-hmac esp-3des

Define an access list for use with the crypto map command, setting the permitted IP addresses to match the remote site's network.

access-list myaccesslist permit ip 10.1.2.0 255.255.255.0

Next, map the traffic to be encrypted, set the peer, and set the interface.

crypto map seattletraffic 29 ipsec-isakmp
crypto map seattletraffic 29 match address myaccesslist
crypto map seattletraffic 29 set transform-set strong
crypto map seattletraffic 29 set peer 172.30.1.2
crypto map seattletraffic interface outside

Finally, set the PIX to allow IPSec traffic through the interfaces.

sysopt connection permit-ipsec

The only real differences between the branch office and the main office configurations are that the peers are set to the other office's PIX outside interface, and the traffic to be encrypted is set to the other office's LAN.
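Because the two configurations must mirror each other (each peer pointing at the other's outside interface, the same preshared key, matching ISAKMP policy and transform set, and each access list naming the other office's LAN), a quick consistency check catches the usual copy-and-paste slips before a tunnel fails to come up. The following script is an added example, not code from the book or from Cisco: it embeds copies of the chicago and seattle configurations shown above, parses only the command forms that appear on this page (including the book's "crypto isakmp key" spelling), and lists every way in which the two ends disagree.

```python
"""Mirror check for the two ends of a PIX preshared-key VPN (added example,
not the book's code).  Parses the chicago and seattle configurations shown
above and reports every way the two ends fail to mirror each other; it
understands only the command forms used on this page."""

# Constructed copies of the two configurations from the page.
CHICAGO_CFG = """\
hostname chicago
domain-name bigcompany.com
isakmp enable outside
isakmp policy 15 authentication pre-share
isakmp policy 15 encr 3des
crypto isakmp key isakmpkey address 172.30.1.2
crypto ipsec transform-set strong esp-sha-hmac esp-3des
access-list myaccesslist permit ip 10.1.2.0 255.255.255.0
crypto map seattletraffic 29 ipsec-isakmp
crypto map seattletraffic 29 match address myaccesslist
crypto map seattletraffic 29 set transform-set strong
crypto map seattletraffic 29 set peer 172.30.1.2
crypto map seattletraffic interface outside
sysopt connection permit-ipsec
"""
SEATTLE_CFG = """\
hostname seattle
domain-name bigcompany.com
isakmp enable outside
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption 3des
crypto isakmp key isakmpkey address 172.30.1.1
crypto ipsec transform-set strong esp-3des esp-sha-hmac
access-list chicagolist permit ip 10.1.1.0 255.255.255.0
crypto map chicagotraffic 31 ipsec-isakmp
crypto map chicagotraffic 31 match address chicagolist
crypto map chicagotraffic 31 set transform-set strong
crypto map chicagotraffic 31 set peer 172.30.1.1
crypto map chicagotraffic interface outside
sysopt connection permit-ipsec
"""


def parse_pix(text):
    """Extract the VPN-relevant settings from one PIX configuration."""
    c = {"hostname": "", "isakmp_ifaces": set(), "policy": {}, "keys": {},
         "transform_sets": {}, "acls": {}, "peer": "", "transform": "",
         "acl": "", "map_iface": "", "permit_ipsec": False}
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[0] == "hostname":
            c["hostname"] = w[1]
        elif w[:2] == ["isakmp", "enable"]:
            c["isakmp_ifaces"].add(w[2])
        elif w[:2] == ["isakmp", "policy"]:
            # the book writes both 'encr' and 'encryption'; treat them alike
            attr = "encryption" if w[3].startswith("encr") else w[3]
            c["policy"][attr] = w[4]
        elif w[:3] == ["crypto", "isakmp", "key"]:
            c["keys"][w[5]] = w[3]  # peer address -> preshared key
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            c["transform_sets"][w[3]] = frozenset(w[4:])  # order is irrelevant
        elif w[0] == "access-list":
            c["acls"].setdefault(w[1], []).append((w[4], w[5]))
        elif w[:2] == ["crypto", "map"] and w[3] == "interface":
            c["map_iface"] = w[4]
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["match", "address"]:
            c["acl"] = w[6]
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["set", "transform-set"]:
            c["transform"] = w[6]
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["set", "peer"]:
            c["peer"] = w[6]
        elif w == ["sysopt", "connection", "permit-ipsec"]:
            c["permit_ipsec"] = True
    return c


def check_pair(a, b):
    """Return the mismatches between two tunnel ends; an empty list means they mirror."""
    problems = []
    for s in (a, b):  # checks that apply to each side on its own
        h = s["hostname"]
        if s["peer"] not in s["keys"]:
            problems.append(f"{h}: no preshared key configured for peer {s['peer']}")
        if s["policy"].get("authentication") != "pre-share":
            problems.append(f"{h}: ISAKMP policy does not use pre-share authentication")
        if s["transform"] not in s["transform_sets"] or s["acl"] not in s["acls"]:
            problems.append(f"{h}: crypto map references an undefined transform set or ACL")
        if s["map_iface"] not in s["isakmp_ifaces"] or not s["permit_ipsec"]:
            problems.append(f"{h}: ISAKMP not enabled on the map interface or permit-ipsec missing")
    # checks that compare the two sides against each other
    if a["keys"].get(a["peer"]) != b["keys"].get(b["peer"]):
        problems.append("preshared keys differ between the two sides")
    if a["policy"].get("encryption") != b["policy"].get("encryption"):
        problems.append("ISAKMP encryption algorithm differs between the two sides")
    if a["transform_sets"].get(a["transform"]) != b["transform_sets"].get(b["transform"]):
        problems.append("IPSec transform sets differ between the two sides")
    if a["acls"].get(a["acl"]) == b["acls"].get(b["acl"]):
        problems.append("both sides select the same network; each should name the other office's LAN")
    return problems


if __name__ == "__main__":
    print(check_pair(parse_pix(CHICAGO_CFG), parse_pix(SEATTLE_CFG)) or "configurations mirror each other")
```

Run as-is, the script reports that the two book configurations mirror each other. Transform sets are compared as sets because the two firewalls list esp-3des and esp-sha-hmac in opposite order, which is harmless; the per-side checks exist because a missing key entry on one side would otherwise make both lookups return nothing and the cross-side comparison would pass silently.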
