
Cisco PIX VPN

Status
Not open for further replies.

stradiv

Technical User
Mar 30, 2002
I'm quite adept at setting up a firewall but naive in the art of VPNs.

I need to terminate the tunnel for all my VPN clients on a Cisco PIX 515.

I'd appreciate any helpful hints and tips, or sample scripts.
 
The following config examples at Cisco's website should be everything you need. If you have any more questions just post back; I'll be more than happy to help you.


Overview of VPN config on PIX.

VPNs (IPsec) are established using two phases:

PHASE 1
isakmp enable outside
isakmp key ******** address 192.168.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

Phase 1 is known as the authentication phase: hosts or clients must be authenticated before data can be encrypted/decrypted.

PHASE 2
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map toWorld 10 ipsec-isakmp
crypto map toWorld 10 match address 90
crypto map toWorld 10 set peer 192.168.1.1
crypto map toWorld 10 set transform-set strong
crypto map toWorld 10 set security-association lifetime seconds 10600 kilobytes 4608000
crypto map toWorld interface outside

Phase 2 is known as the encryption/decryption phase: these statements define how the data will be encrypted at one end and decrypted at the other, once hosts or clients have been authenticated.

Finally, the whole process is triggered by an access-list defined within Phase 2; see the statement: crypto map toWorld 10 match address 90.

Part of the start-up config would be an access-list defined as access-list 90 (interesting traffic). This would control which outbound traffic is sent through the VPN tunnel.

I hope this helps you.

StickyBit.
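The "interesting traffic" piece that the crypto map above matches on, written out as an added example (not from Cisco's documentation or from the posts in this thread); the 10.1.1.0/24 local and 10.2.2.0/24 remote networks are assumed, access-list 90 is the number the crypto map already references, and the nat 0 line is the part most often left out on a PIX:

```cisco
! Assumed addressing: 10.1.1.0/24 behind this PIX, 10.2.2.0/24 behind the peer at 192.168.1.1.
! Interesting traffic: only packets matching this list are sent through the tunnel,
! everything else leaves the outside interface in the clear as normal.
access-list 90 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! Exempt the same traffic from NAT. Without this the inside addresses are translated
! before the crypto map is consulted, so they never match access-list 90 and the
! tunnel never comes up (or private traffic leaks out untranslated-but-unencrypted).
nat (inside) 0 access-list 90

! The peer must carry the mirror image of access-list 90 (source and destination
! swapped); a mismatch shows up as Phase 2 proposal failures in "debug crypto ipsec".
!
! The policy in the post above uses des and group 1, which were the 2002-era defaults;
! where both peers support it, prefer esp-3des (or aes on PIX 6.3+) and group 2 or higher:
! crypto ipsec transform-set strong esp-3des esp-sha-hmac
! isakmp policy 10 encryption 3des
! isakmp policy 10 group 2
```

After applying the config, "show crypto isakmp sa" should list the peer as QM_IDLE and "show crypto ipsec sa" should show packet counters climbing once traffic matching access-list 90 is sent.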
 
Hi.

You can also use pixcript to create a sample basic VPN config, in addition to reading the documentation and samples:

Use this additional link to Cisco PIX documentation:


Here are some commands that can help with troubleshooting IPsec on the PIX side:

debug crypto engine - Display debug messages about crypto engines, which perform encryption and decryption.
debug crypto isakmp - Display messages about IKE events.
debug crypto ipsec - Display IPSec events.
show crypto isakmp sa - View all current IKE security associations (SAs) at a peer.
show crypto ipsec sa - View the settings used by current security associations.
clear crypto isakmp - (from configuration mode) Clear all active IKE connections.
clear crypto sa - (from configuration mode) Delete all IPSec security associations.

logging on
logging buffer 4
logging monitor 3

terminal monitor - view debug messages on a telnet session.
terminal no monitor - stop viewing debug messages.

Bye
Yizhar Hurwitz
 