ipsec

csc010854800
Level 1

One of my clients wants to establish an IPsec tunnel with my office and he has provided the tunnel properties for PHASE 1 and PHASE 2.

Can somebody provide me with a sample config according to these properties?

PHASE 1 :

Authentication mode : Pre-shared key

Encryption scheme : IKE

DH group : Group 2

Encryption Algorithm : 3DES/AES-128,192,256

Hash Algorithm : MD5/SHA

Main or aggressive mode : main

lifetime : 86400/28800

PHASE 2 :

Encapsulation : ESP

Encryption algorithm : 3DES

Authentication mode : MD5/SHA

PFS with Algorithm : group 2

lifetime : 28800/3600

lifesize in KB : NA

What I didn't understand is why he has provided values two times. A little explanation will help.

2 Replies

Hi,

A tunnel is formed of different processes, called different phases, while creating a tunnel.

These are IPsec Authentication Header (AH), IPsec Encapsulating Security Payload (ESP) and the IPsec Internet Key Exchange (IKE).

You are provided with that information as to what to use in that particular phase.

And regarding configs, a little playing with router or google will provide you a sample config...

HTH,

Smitesh

Jon Marshall
Hall of Fame

Phase 1 with IPsec is about setting up a secure connection to the remote device. It does not deal with setting up the actual tunnels used to transmit the data. The commands used to set up phase 1 are "isakmp ..." or "crypto isakmp ..." commands, depending on whether you are using a firewall like the PIX/ASA or a router.

Phase 2 with IPsec is then about setting up the actual tunnels for transmitting the data. This can only be done once a secure connection using Phase 1 has been established.

There is no requirement to use the same encryption algorithms etc. for each phase, i.e. they can be different if you want.

For config examples see this link -

http://www.cisco.com/en/US/customer/tech/tk583/tk372/tech_configuration_examples_list.html

Jon
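A Cisco IOS crypto-map configuration that matches the Phase 1 and Phase 2 properties listed in the question, added here as a worked example and not taken from either reply or from Cisco's configuration-example page. The peer address 203.0.113.10, the subnets 10.1.1.0/24 and 10.2.2.0/24, the interface name and the pre-shared key are placeholders; where the client's list gives alternatives separated by a slash (3DES/AES, MD5/SHA, the two lifetimes), one value is chosen here, with the stronger option (AES-256, SHA) picked where the peer allows it, and both sides must configure the same value.

```cisco
! --- Phase 1 (ISAKMP / IKE) ---
! Main mode is the IOS default for an ISAKMP policy, so nothing extra is needed for it.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! Pre-shared key for this peer (placeholder key and placeholder peer address)
crypto isakmp key REPLACE_WITH_SHARED_SECRET address 203.0.113.10
!
! --- Phase 2 (IPsec SA) ---
! Encapsulation ESP, encryption 3DES, authentication SHA-HMAC as the client specified
crypto ipsec transform-set CLIENT-TS esp-3des esp-sha-hmac
 mode tunnel
!
! Interesting traffic: local 10.1.1.0/24 to remote 10.2.2.0/24 (placeholder subnets)
ip access-list extended CLIENT-VPN-ACL
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Crypto map ties the peer, transform set, PFS group 2 and the 3600 s lifetime together.
! "lifesize in KB : NA" means no kilobyte lifetime is set, so only seconds is configured.
crypto map CLIENT-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set CLIENT-TS
 set pfs group2
 set security-association lifetime seconds 3600
 match address CLIENT-VPN-ACL
!
! Apply the map to the outside interface (placeholder interface name)
interface GigabitEthernet0/0
 crypto map CLIENT-MAP
!
! After traffic matching the ACL is sent, check each phase separately:
!   show crypto isakmp sa   -> Phase 1 SA should show state QM_IDLE
!   show crypto ipsec sa    -> Phase 2 SAs, with packet encaps/decaps counters increasing
```

If Phase 1 never reaches QM_IDLE, the mismatch is in the isakmp policy or key; if Phase 1 is up but no IPsec SA appears, compare the transform set, PFS group and ACL with the client's side.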
