- Posts: 158
- Thank you received: 1
IPsec ISAKMP Policy and Crypto map config
13 years 11 hours ago #36753
by rizin
Known is a drop, unknown is an Ocean
Replied by rizin on topic Re: IPsec ISAKMP Policy and Crypto map config
Hi,
There is something called Phase 1 and Phase 2 in VPN Connections. I will write some few mothods which normally followed however it may or may not varies with other individual devices.
Phase 1.
1. Specify Local VPN Gateway and Remote VPN Gateway.
2. Main mode or Aggresive mode
A) Main mode peers exchange identies with encryption.
Aggresive mode exchange identities without encryption but faster.
3. Specify Nat-Traversal.
A) Specify Need peers to use IKE Keep-alive - ensures if VPN Gateways's interface not responding it will failover to the second interface. This is true when ISP goes down and your secondary interface is backed up.
4. Transform set.
A)here choose encryption, authentication and how long security association(SA) last.
b)for authentication use Sha1 OR MD5. Sha 1 is the strongest authentication.
c) Specify Diffie-hellman key group.
Phase 2.
Using Quick mode establish IPSec SA.
1. specify IP Address, Network Address or IP Address range. which access to your internal network. either from home or office to access resources behind the VPN Gateway.
2. Choose to use PFS (Perfect forward secrecy)
3. Select ESP or AH and plus you use Diffie-hellman key group also here.
4. Specify a value when the key expire.
For your encrytion you can select DES, 3DES or AES 128, 192, 256 bit key strength. AES is the strongest protocol.
Regards,
Rizin
There is something called Phase 1 and Phase 2 in VPN Connections. I will write some few mothods which normally followed however it may or may not varies with other individual devices.
Phase 1.
1. Specify Local VPN Gateway and Remote VPN Gateway.
2. Main mode or Aggresive mode
A) Main mode peers exchange identies with encryption.
Aggresive mode exchange identities without encryption but faster.3. Specify Nat-Traversal.
A) Specify Need peers to use IKE Keep-alive - ensures if VPN Gateways's interface not responding it will failover to the second interface. This is true when ISP goes down and your secondary interface is backed up.
4. Transform set.
A)here choose encryption, authentication and how long security association(SA) last.
b)for authentication use Sha1 OR MD5. Sha 1 is the strongest authentication.
c) Specify Diffie-hellman key group.
Phase 2.
Using Quick mode establish IPSec SA.
1. specify IP Address, Network Address or IP Address range. which access to your internal network. either from home or office to access resources behind the VPN Gateway.
2. Choose to use PFS (Perfect forward secrecy)
3. Select ESP or AH and plus you use Diffie-hellman key group also here.
4. Specify a value when the key expire.
For your encrytion you can select DES, 3DES or AES 128, 192, 256 bit key strength. AES is the strongest protocol.
Regards,
Rizin
Known is a drop, unknown is an Ocean
Time to create page: 0.140 seconds