Cisco Catalyst 6500 Series Configuration Manual page 214

Catalyst 6500 series switch and cisco 7600 series router firewall services
Allowing a VPN Management Connection

Step 2  To set the Diffie-Hellman group used for key exchange, enter the following command:

FWSM/contexta(config)# isakmp policy priority group {1 | 2}

Group 1 is 768 bits, and Group 2 is 1024 bits (and therefore more secure).

Step 3  To set the authentication algorithm, enter the following command:

FWSM/contexta(config)# isakmp policy priority hash {md5 | sha}

The sha keyword is more secure than md5.

Step 4  To set the IKE authentication method as a shared key, enter the following command:

FWSM/contexta(config)# isakmp policy priority authentication pre-share

You can alternatively use certificates instead of a shared key by specifying the rsa-sig option. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information about this method.

Step 5  To enable IKE on the tunnel interface, enter the following command:

FWSM/contexta(config)# isakmp enable interface_name
Step 6  To set the authentication and encryption methods used for IPSec tunnels in a transform set, enter the following command:

FWSM/contexta(config)# crypto ipsec transform-set transform_name {[ah-md5-hmac | ah-sha-hmac] | [esp-md5-hmac | esp-sha-hmac]} {esp-des | esp-3des}
You refer to this transform set when you configure the VPN client group or a site-to-site tunnel. You can refer to up to 6 transform sets for the tunnel, and the sets are checked in order until the transforms match.

The authentication and encryption algorithms of this transform typically match the IKE policy (isakmp policy commands). For site-to-site tunnels, this transform must match the peer transform. Typically, you need to specify one authentication option and one encryption option.
Authentication options include the following (from most secure to least secure):
ah-sha-hmac
ah-md5-hmac
esp-sha-hmac
esp-md5-hmac
Encryption options include the following (from most secure to least secure):
esp-3des
esp-des
Note: Although you can specify authentication alone, or encryption alone, these methods are not secure. You can also specify two authentication options, but this method does not increase security and also slows down the FWSM because each packet is authenticated two times.
For example, to configure the IKE policy and the IPSec transform sets, enter the following commands:
FWSM/contexta(config)# isakmp policy 1 authentication pre-share
FWSM/contexta(config)# isakmp policy 1 encryption 3des
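The following script is an added example, not part of the Cisco manual: it reads FWSM-style isakmp policy and crypto ipsec transform-set lines and reports every setting the page ranks as weaker or unsafe (Group 1, md5, des/esp-des, esp-null, authentication-only or encryption-only transform sets, and doubled authentication). The configuration it audits is constructed for the example; treating "des" as a valid isakmp encryption keyword is an assumption drawn from the esp-des transform and the encryption 3des command on this page.

```python
"""Audit FWSM IKE policy and IPSec transform-set lines against the
guidance on this page. Added example; the sample configuration is
constructed, not taken from the manual."""
import re

AH_AUTH = {"ah-md5-hmac", "ah-sha-hmac"}
ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}
AUTH = AH_AUTH | ESP_AUTH
# esp-null is the "no encryption" transform the page reserves for testing.
ENCRYPTION = {"esp-des", "esp-3des", "esp-null"}

POLICY_RE = re.compile(r"^isakmp policy (\d+) (\w+) (\S+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")

# Constructed sample: one strong policy/transform set and several weak ones.
SAMPLE_CONFIG = """
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp enable outside
crypto ipsec transform-set STRONG esp-sha-hmac esp-3des
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption des
isakmp policy 5 hash md5
isakmp policy 5 group 1
crypto ipsec transform-set LEGACY esp-md5-hmac esp-des
crypto ipsec transform-set AUTHONLY ah-sha-hmac
crypto ipsec transform-set DOUBLE ah-sha-hmac esp-sha-hmac esp-3des
crypto ipsec transform-set LAB esp-sha-hmac esp-null
"""


def audit_isakmp(priority, attr, value):
    """Return a finding for a weaker ISAKMP policy attribute, else None."""
    if attr == "group" and value == "1":
        return f"isakmp policy {priority}: group 1 (768 bits); group 2 (1024 bits) is more secure"
    if attr == "hash" and value == "md5":
        return f"isakmp policy {priority}: hash md5; sha is more secure"
    if attr == "encryption" and value == "des":  # assumption: des keyword mirrors esp-des
        return f"isakmp policy {priority}: encryption des; 3des is more secure"
    return None


def audit_transform_set(name, transforms):
    """Return the list of findings for one transform set."""
    findings = []
    auth = [t for t in transforms if t in AUTH]
    enc = [t for t in transforms if t in ENCRYPTION]
    unknown = [t for t in transforms if t not in AUTH | ENCRYPTION]
    if unknown:
        findings.append(f"transform-set {name}: unrecognized transform(s) {unknown}")
    if not auth:
        findings.append(f"transform-set {name}: encryption only, no authentication (not secure)")
    if not enc:
        findings.append(f"transform-set {name}: authentication only, no encryption (not secure)")
    if len(auth) > 1:
        findings.append(f"transform-set {name}: two authentication options; no extra security, "
                        "each packet authenticated twice")
    if "esp-null" in enc:
        findings.append(f"transform-set {name}: esp-null (no encryption) is for testing only")
    if "esp-des" in enc:
        findings.append(f"transform-set {name}: esp-des; esp-3des is more secure")
    if any(t.endswith("md5-hmac") for t in auth):
        findings.append(f"transform-set {name}: md5 HMAC; sha HMAC is more secure")
    return findings


def audit_config(config_text):
    """Walk the config line by line and collect findings in config order."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            finding = audit_isakmp(*m.groups())
            if finding:
                findings.append(finding)
            continue
        m = TS_RE.match(line)
        if m:
            findings.extend(audit_transform_set(m.group(1), m.group(2).split()))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample, the script reports nothing for policy 1 and the STRONG transform set and eight findings for the rest; point it at a saved show running-config to review a real FWSM context the same way.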
Note: esp-null (no encryption) is for testing purposes only.

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01, Chapter 11, Allowing Remote Management, page 11-6