Hi Jon,

Thanks for your reply.

As mentioned by you that the pre-share key is used to set up the connection between the 2 peers i.e either site-to site or remote access vpns.

This is done during  the phase 1.

After this phase 2 is involved for data transfer.

Can u explain wht u meant by this.Note this is not the key you enter when configuring the VPN).

And also the below commands in detials if possible.

crypto ipsec transform-set testset esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set testset
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200

What i understand by  the above command is.

crypto isakmp enable outside===we are enabling IKE on outside interface.

Regards.

Mahmood

When you configure a VPN you usually enter a secret key (if you are not using certificates). This key is used to setup the secure connection in phase 1 and to then to derive a shared key for the actual transmitting of the data.

When the encryption and decryption by both sides is done using the same key, this is called symmetric encryption. This is in contrast to asymmetric encryption which involves 2 keys, a public and a private key. Asymmetric encryption allows you to securely set up a connection or exchange data without having to have both keys eg.

the public key is available to anyone

the private key is known only to you

the keys are linked ie. if you encrypt with the public key only the private key for that public key can decrypt the data.

if i wanted to send an encrypted message to you then i would get your public key, which is freely available, and encrypt the data with your public key. Now only you can decrypt the data because only you have the corresponding private key.

if i wanted to digitally sign a message i sent to you i would sign it with my private key. On receiving the message you would use my public key to verify the signature because only i could have used my private key to sign the message.

the above is in essence how certificates work.

Asymmetric encryption is great but it is computationally very intensive. To encrypt/decrypt a large amount of data it is not efficient. So for this you use a symmetric key ie. a single key, which is the same at both ends. But obviously the catch 22 is how do you share this key between the endpoints without it being compromised.

The solution is to use asymmetric encryption to initially build a secure connection and then exchange a symmetric key. Once both ends have the same symmetric key then they can use this for actually encrypting/decrypting the data.

You are correct in what you say that crypto iskamp enable command is used to tell the device where (which interface) to accept ISPEC connection on.

As for the other commands -

both phase 1 and 2 allow you to specify the authentication algorithm (md5, sha-1 etc.) and the actual encryption algorithm (des/3DES/AES) plus lifetimes of the tunnels etc. In your example below you also have a dynamic map entry in your crypto map which usually is for -

1) client connections

2) connections for site-to-site VPNs where the remote peer does not have a static IP address ie. it is obtained via DHCP.

Using a dynamic map is less secure because you must share your key among multiple clients. With site-to-site VPN's it is usual to have an entry for each peer with a key tied to the IP address of the remote peer. Again, just to emphasise, this is the key used in phase 1 and not the symmetric key used to actually encrypt the data.

Jon

Hi Jon,

Thanks for the reply.

I am facing a issue while configuring VPN as one of the clients.

The ASA is 5510 and it base license.

I am not able to enter the command tunnel-protocol ipsec and evn it doesnt supports 3des.is the remote access vpn possible with this config please confrim.

Thanks