MINIMUM SECURE configuration (baseline) -ipsec vpn
9 years 6 months ago #38657
by Chris
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Replied by Chris on topic Firewall baseline configuration
Skylimit,
You're very much welcome.
Regarding your questions, the 'Crypto MAP' is necessary for the VPN to be created. If you do not use the 'Crypto MAP', you cannot create a VPN.
The 'Crypto ACL' is the access list that defines what traffic will be passed inside the VPN.
As you can understand, you first create the VPN using the 'Crypto MAP' command and then specify the traffic to be sent inside the VPN using the Crypto ACLs.
If you don't use the Crypto ACL, all traffic will then be sent via the Internet and dropped at the ISP. The same thing will occur if you do not use the Crypto MAP configuration parameter.
Things to check in an IPsec VPN:
- The IPsec transform set should use the highest possible encryption (not shown in the example)
- Ensure the Crypto ACL defines only the necessary traffic to be tunneled to the other side
- Ensure you use a different ISAKMP key for every remote router
- Ensure no one has access to the routers, as they will be able to view all passwords, keys etc.
- Configure the highest possible encryption for ISAKMP - phase one (encr, hash etc.)
I can't think of anything else at the moment, but if someone would like to add something, please feel free to do so.
Please let me know if you require any additional clarification or information.
Many thanks,
Chris.
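The checklist above, turned into a small audit, as an added example that is not code from the original post or from Firewall.cx. The script reads a Cisco IOS-style IPsec configuration and flags the weak settings the post warns about: weak phase 1 (ISAKMP) encryption, hash or DH group, weak phase 2 transform sets, a crypto map entry with no crypto ACL or one that permits `any`, an ISAKMP pre-shared key reused across peers, and a crypto map never applied to an interface. The configuration text is constructed for this example; the defaults assumed for an ISAKMP policy whose parameters are omitted (DES, SHA-1, DH group 1) are the documented IOS defaults. The names VPNMAP, STRONG, LEGACY and VPN-TO-BRANCH1/2 are hypothetical.

```python
from collections import defaultdict

# Constructed sample IOS-style config (not from the original post).
# policy 10 / STRONG / VPN-TO-BRANCH1 are acceptable; policy 20 / LEGACY /
# VPN-TO-BRANCH2 and the key shared by two peers are what the audit catches.
SAMPLE_CONFIG = """
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
 hash sha256
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key SharedSecret1 address 203.0.113.10
crypto isakmp key SharedSecret1 address 203.0.113.20
crypto isakmp key UniqueSecret9 address 203.0.113.30
!
crypto ipsec transform-set STRONG esp-aes 256 esp-sha256-hmac
crypto ipsec transform-set LEGACY esp-des esp-md5-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set STRONG
 match address VPN-TO-BRANCH1
crypto map VPNMAP 20 ipsec-isakmp
 set peer 203.0.113.20
 set transform-set LEGACY
 match address VPN-TO-BRANCH2
!
ip access-list extended VPN-TO-BRANCH1
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
ip access-list extended VPN-TO-BRANCH2
 permit ip any any
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPNMAP
"""

WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "ah-md5-hmac"}


def parse_blocks(config):
    """Split IOS-style text into (header, [indented child lines]) blocks."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        elif not raw[0].isspace():
            blocks.append((raw.strip(), []))
    return blocks


def audit_ipsec_config(config):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    findings, acls, transform_sets, map_entries = [], {}, {}, []
    key_peers, applied_maps = defaultdict(list), set()

    for header, children in parse_blocks(config):
        w = header.split()
        if header.startswith("crypto isakmp policy"):
            pol = {"encr": "des", "hash": "sha", "group": "1"}  # IOS defaults if omitted
            for line in children:
                c = line.split()
                key = "encr" if c[0] in ("encr", "encryption") else c[0]
                if key in pol:
                    pol[key] = c[1]
            name = f"isakmp policy {w[3]}"
            if pol["encr"] in WEAK_ENCR:
                findings.append(f"{name}: weak phase 1 encryption {pol['encr']}")
            if pol["hash"] in WEAK_HASH:
                findings.append(f"{name}: weak phase 1 hash {pol['hash']}")
            if pol["group"] in WEAK_DH_GROUPS:
                findings.append(f"{name}: weak DH group {pol['group']}")
        elif header.startswith("crypto isakmp key"):
            key_peers[w[3]].append(w[5])  # crypto isakmp key <secret> address <peer>
        elif header.startswith("crypto ipsec transform-set"):
            transform_sets[w[3]] = w[4:]
        elif header.startswith("crypto map") and "ipsec-isakmp" in w:
            map_entries.append((w[2], w[3], children))
        elif header.startswith("ip access-list"):
            acls[w[3]] = children
        elif header.startswith("interface"):
            applied_maps.update(l.split()[2] for l in children if l.startswith("crypto map"))

    for name, algs in transform_sets.items():
        for alg in algs:
            if alg in WEAK_TRANSFORMS:
                findings.append(f"transform-set {name}: weak phase 2 algorithm {alg}")

    for map_name, seq, children in map_entries:
        name, settings = f"crypto map {map_name} {seq}", {}
        for line in children:
            parts = line.split()
            if parts[0] in ("set", "match") and len(parts) >= 3:
                settings[parts[1]] = parts[2]
        if "peer" not in settings:
            findings.append(f"{name}: no peer configured")
        if settings.get("transform-set") not in transform_sets:
            findings.append(f"{name}: transform-set missing or undefined")
        acl = settings.get("address")
        if acl not in acls:
            findings.append(f"{name}: no crypto ACL (match address); nothing will be tunneled")
        else:
            for entry in acls[acl]:
                if entry.startswith("permit") and "any" in entry.split():
                    findings.append(f"{name}: crypto ACL {acl} uses 'any' in '{entry}'; tunnel only required traffic")
        if map_name not in applied_maps:
            findings.append(f"{name}: crypto map {map_name} not applied to any interface")

    for peers in key_peers.values():  # secrets are deliberately not echoed
        if len(peers) > 1:
            findings.append(f"isakmp key shared by peers {', '.join(peers)}; use one key per peer")
    return findings


if __name__ == "__main__":
    for finding in audit_ipsec_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Running it against the sample prints seven findings, all for policy 20, transform set LEGACY, the `permit ip any any` crypto ACL and the key shared by 203.0.113.10 and 203.0.113.20; policy 10, STRONG and VPN-TO-BRANCH1 pass. Feeding it a policy with no `encr`/`group` lines flags the DES and group 1 defaults, which is the trap when someone types `crypto isakmp policy 10` and only sets `authentication pre-share`.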