Configuring LAN-to-LAN IPSec Attributes - Cisco PIX 500 Series Security Appliance Command Line Configuration Manual

Chapter 30
Configuring Connection Profiles, Group Policies, and Users
Step 3 Specify the name of the default group policy:
hostname(config-tunnel-general)# default-group-policy policyname
hostname(config-tunnel-general)#
For example, the following command specifies that the name of the default group policy is MyPolicy:
hostname(config-tunnel-general)# default-group-policy MyPolicy
hostname(config-tunnel-general)#

Configuring LAN-to-LAN IPSec Attributes

To configure the IPSec attributes, do the following steps:
Step 1 To configure the tunnel-group IPSec attributes, enter tunnel-group ipsec-attributes configuration mode by entering the tunnel-group command with the ipsec-attributes keyword.
hostname(config)# tunnel-group tunnel-group-name ipsec-attributes
hostname(config-tunnel-ipsec)#
For example, the following command enters tunnel-group ipsec-attributes configuration mode so you can configure the parameters for the connection profile named TG1:
hostname(config)# tunnel-group TG1 ipsec-attributes
hostname(config-tunnel-ipsec)#
The prompt changes to indicate that you are now in tunnel-group ipsec-attributes configuration mode.
Step 2 Specify the preshared key to support IKE connections based on preshared keys:
hostname(config-tunnel-ipsec)# pre-shared-key key
hostname(config-tunnel-ipsec)#
For example, the following command specifies the preshared key xyzx to support IKE connections for an IPSec LAN-to-LAN connection profile:
hostname(config-tunnel-ipsec)# pre-shared-key xyzx
hostname(config-tunnel-ipsec)#
The key must be configured identically on both peers. A four-character value such as xyzx is only an illustration of the syntax; use a long, randomly generated key for a production tunnel.
Step 3 Specify whether to validate the identity of the peer using the peer's certificate:
hostname(config-tunnel-ipsec)# peer-id-validate option
hostname(config-tunnel-ipsec)#
The available options are req (required), cert (if supported by certificate), and nocheck (do not check). The default is req. For example, the following command sets the peer-id-validate option to nocheck:
hostname(config-tunnel-ipsec)# peer-id-validate nocheck
hostname(config-tunnel-ipsec)#
With nocheck the peer's identity is not compared against its certificate, so any holder of a certificate the appliance trusts can complete the connection. Leave the default req in place unless you have a specific reason to relax it.
Step 4 Specify whether to enable sending of a certificate chain. This action includes the root certificate and any subordinate CA certificates in the transmission:
hostname(config-tunnel-ipsec)# chain
hostname(config-tunnel-ipsec)#
You can apply this attribute to all tunnel-group types.
Step 5 Specify the name of a trustpoint that identifies the certificate to be sent to the IKE peer:
hostname(config-tunnel-ipsec)# trust-point trust-point-name
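As an added check, not part of the Cisco guide: a small Python auditor that reads a saved configuration, collects the ipsec-attributes of every LAN-to-LAN tunnel group configured with the commands in the steps above, and flags the two settings a reviewer would question first, peer-id-validate nocheck and a short cleartext pre-shared key. The configuration excerpt is constructed for the example. The parser assumes the running-config layout of a `tunnel-group name ipsec-attributes` header followed by one-space-indented attribute lines, treats an absent peer-id-validate as req (the default the guide states), assumes a key printed as `*` is one the device has masked, and uses a 16-character minimum key length that is a local policy choice, not a Cisco requirement.

```python
"""Audit LAN-to-LAN tunnel-group IPSec attributes in a saved ASA/PIX configuration.

Added example, not code from the Cisco guide.  It parses only the
tunnel-group commands shown in the procedure above."""
import re
import sys

# Constructed running-config excerpt for two LAN-to-LAN connection profiles.
# Peer addresses are from the documentation range (RFC 5737).  The second
# profile's key is shown as "*", the masked form assumed for a device that
# hides the pre-shared key in its configuration output.
SAMPLE_CONFIG = """\
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 general-attributes
 default-group-policy MyPolicy
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key xyzx
 peer-id-validate nocheck
tunnel-group 192.0.2.20 type ipsec-l2l
tunnel-group 192.0.2.20 general-attributes
 default-group-policy MyPolicy
tunnel-group 192.0.2.20 ipsec-attributes
 pre-shared-key *
 peer-id-validate req
 chain
 trust-point BranchCA
"""

MIN_PSK_LENGTH = 16  # assumed local policy; the guide sets no minimum

# "tunnel-group <name> type <type>" or "tunnel-group <name> <mode>-attributes"
HEADER = re.compile(
    r"^tunnel-group (\S+) (type|general-attributes|ipsec-attributes)(?: (\S+))?$"
)


def parse_tunnel_groups(config):
    """Return {name: {"type": str or None, "ipsec": {attribute: value}}}.

    An attribute with no argument (such as "chain") is stored as True.
    Attribute lines are the one-space-indented lines that follow a
    "tunnel-group <name> ipsec-attributes" header."""
    groups = {}
    current = None  # name of the group whose ipsec-attributes block is open
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            current = None  # any top-level command closes the open block
            match = HEADER.match(line)
            if match is None:
                continue
            name, mode, arg = match.groups()
            group = groups.setdefault(name, {"type": None, "ipsec": {}})
            if mode == "type":
                group["type"] = arg
            elif mode == "ipsec-attributes":
                current = name
        elif current is not None:
            parts = line.split(None, 1)
            groups[current]["ipsec"][parts[0]] = parts[1] if len(parts) > 1 else True
    return groups


def audit(config):
    """Return sorted (tunnel_group, finding) pairs for LAN-to-LAN profiles."""
    findings = []
    for name, group in parse_tunnel_groups(config).items():
        if group["type"] != "ipsec-l2l":
            continue
        attrs = group["ipsec"]
        # The guide states req is the default when the command is absent.
        if attrs.get("peer-id-validate", "req") == "nocheck":
            findings.append((name, "peer-id-validate nocheck: peer identity is "
                                   "not checked against its certificate"))
        psk = attrs.get("pre-shared-key")
        # A masked key ("*") cannot be length-checked from the config text.
        if isinstance(psk, str) and psk != "*" and len(psk) < MIN_PSK_LENGTH:
            findings.append((name, f"pre-shared-key is shorter than "
                                   f"{MIN_PSK_LENGTH} characters"))
    return sorted(findings)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for name, finding in audit(text):
        print(f"{name}: {finding}")
```

Run it with no arguments to audit the embedded sample, or pass the path of a configuration saved from the appliance. In the sample only the 192.0.2.10 profile is reported, once for nocheck and once for the four-character key; the 192.0.2.20 profile keeps the req default, sends its chain, and names a trustpoint, so it produces no finding.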
OL-12172-03
Cisco Security Appliance Command Line Configuration Guide
Configuring Connection Profiles
30-17