Module 4: Configure Site-To-Site VPN Using Pre-Shared Keys
• The router ping command can be used to test basic connectivity between IPSec peers.
• While a successful ICMP echo, or ping, will verify basic connectivity between peers, it should be verified that the network works with any other protocols or ports that are to be encrypted, such as Telnet or FTP, before beginning IPSec configuration.
• Step 2 (continued) – Create IKE policies
• If no policies are configured, the router will use the default policy, which is always set to the lowest priority and which contains the default value of each parameter.
• If a value for a parameter is not specified, the default value is assigned.
• Step 2 (continued) – Create IKE policies
• The ISAKMP identity should be set for each peer that uses pre-shared keys in an IKE policy.
• When two peers use IKE to establish IPSec security associations, each peer sends its identity to the remote peer. Each peer sends either its host name or its IP address, depending on how the ISAKMP identity of the router has been set up.
• Step 2 (continued) – Create IKE policies
• By default, a peer's ISAKMP identity is the IP address of the peer. If appropriate, the identity could be changed to be the peer's host name instead.
• As a general rule, set the identities of all peers the same way. Either all peers should use their IP addresses or all peers should use their host names.
• If some peers use their host names and some peers use their IP addresses to identify themselves to each other, IKE negotiations could fail if the identity of a remote peer is not recognized and a DNS lookup is unable to resolve the identity.
• Cisco IOS software can generate many useful system error messages for ISAKMP. Two examples of error messages are shown below:
– %CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from %15i if SA is not authenticated!
The ISAKMP security association with the remote peer was not authenticated, yet the peer attempted to begin a Quick Mode exchange. This exchange must only be done with an authenticated security association. The recommended action is to contact the administrator of the remote peer to resolve the improper configuration.
– %CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer %15i responded with attribute [chars] not offered or changed
ISAKMP peers negotiate policy by the initiator offering a list of possible alternate protection suites. The responder responded with an ISAKMP policy that the initiator did not offer. The recommended action is to contact the administrator of the remote peer to resolve the improper configuration.
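The two ISAKMP messages above are the kind of thing a syslog collector should pick out and count per remote peer, so that a misconfigured or mismatched peer shows up before anyone has to sit at the router console. The following parser is an added example, not part of the course material or Cisco's own tooling; the log lines it runs over are constructed (documentation IP ranges, invented timestamps), and the `%15i` / `[chars]` placeholders from the message templates are matched as an IPv4 address and a free-text attribute name.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Message templates from the slide: %15i is the peer address field,
# [chars] is the attribute the responder chose but the initiator never offered.
PATTERNS = {
    "IKMP_SA_NOT_AUTH": re.compile(
        r"%CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from "
        r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}) if SA is not authenticated!"),
    "IKMP_SA_NOT_OFFERED": re.compile(
        r"%CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer "
        r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}) responded with attribute "
        r"(?P<attr>.+?) not offered or changed"),
}

# Recommended action per message, paraphrased from the slide text.
ADVICE = {
    "IKMP_SA_NOT_AUTH": "peer began Quick Mode on an unauthenticated ISAKMP SA; contact the remote peer's administrator",
    "IKMP_SA_NOT_OFFERED": "responder picked a policy the initiator did not offer; compare IKE policy attributes on both peers",
}

@dataclass
class IsakmpEvent:
    kind: str
    peer: str
    attribute: Optional[str]   # only set for IKMP_SA_NOT_OFFERED
    advice: str

def parse_isakmp_line(line: str) -> Optional[IsakmpEvent]:
    """Return an IsakmpEvent for a recognised ISAKMP error line, else None."""
    for kind, pattern in PATTERNS.items():
        m = pattern.search(line)
        if m:
            return IsakmpEvent(kind, m.group("peer"), m.groupdict().get("attr"), ADVICE[kind])
    return None

def summarise(lines):
    """Count recognised ISAKMP errors keyed by (remote peer, message kind)."""
    counts = {}
    for line in lines:
        ev = parse_isakmp_line(line)
        if ev:
            counts[(ev.peer, ev.kind)] = counts.get((ev.peer, ev.kind), 0) + 1
    return counts

# Constructed sample syslog lines; the addresses are documentation ranges, not real peers.
SAMPLE_LOG = [
    "Mar  1 00:01:02.345: %CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from 192.0.2.10 if SA is not authenticated!",
    "Mar  1 00:01:05.001: %CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer 198.51.100.7 responded with attribute hash not offered or changed",
    "Mar  1 00:01:06.000: %SYS-5-CONFIG_I: Configured from console by admin",
    "Mar  1 00:01:09.222: %CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from 192.0.2.10 if SA is not authenticated!",
]

if __name__ == "__main__":
    for (peer, kind), n in summarise(SAMPLE_LOG).items():
        print(f"{peer} {kind} x{n}: {ADVICE[kind]}")
```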