Cisco Security Appliance Command Line Configuration Guide, Version 7. A VPN uses a public IP network, such as the Internet, to create secure connections between remote users and a private corporate network.
Each secure connection is called a tunnel. The security appliance uses the ISAKMP and IPsec tunneling standards to build and manage tunnels. The security appliance functions as a bidirectional tunnel endpoint. It can receive plain packets from the private network, encapsulate them, create a tunnel, and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination.
It can also receive encapsulated packets from the public network, unencapsulate them, and send them to their final destination on the private network. In IPsec terminology, a peer is a remote-access client or another secure gateway. During tunnel establishment, the two peers negotiate security associations (SAs) that govern authentication, encryption, encapsulation, and key management. A LAN-to-LAN VPN connects networks in different geographic locations. In IPsec LAN-to-LAN connections, the security appliance can function as initiator or responder. In IPsec client-to-LAN connections, the security appliance functions only as responder.
To establish a connection, both entities must agree on the SAs. The security appliance IKE commands use ISAKMP as a keyword, which this guide echoes. ISAKMP works with IPsec to make VPNs more scalable. ISAKMP separates negotiation into two phases: Phase 1 and Phase 2.
Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data. An ISAKMP policy sets the terms for these negotiations and includes the following:

- An authentication method, to ensure the identity of the peers.
- An encryption method, to protect the data and ensure privacy.
- A Diffie-Hellman group, to determine the strength of the encryption-key-determination algorithm. The security appliance uses this algorithm to derive the encryption and hash keys.
- A limit to the time the security appliance uses an encryption key before replacing it.

Table 27-1 provides information about the ISAKMP policy keywords and their values. The authentication keyword specifies the authentication method the security appliance uses to establish the identity of each IPsec peer: preshared keys do not scale well with a growing network, but they are easier to set up in a small network.
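The following configuration fragment is an added example and is not taken from the guide. It shows how the four policy elements listed above map onto one ISAKMP (Phase 1) policy on a security appliance. The interface name outside and the policy priority 10 are assumed placeholders, and the hash line is assumed to be the keyword that selects the algorithm used for the hash keys the Diffie-Hellman exchange derives.

```cisco
! Added example, not from the configuration guide.
! Enable ISAKMP negotiation on the interface that faces the public network
! ("outside" is an assumed interface name).
crypto isakmp enable outside
!
! One ISAKMP policy; the priority (10) is an assumed placeholder.
crypto isakmp policy 10
! Authentication method: identity of the peers. Preshared keys are simple to
! set up but do not scale; certificate-based authentication is the alternative.
 authentication pre-share
! Encryption method: protects the data carried inside the Phase 1 tunnel.
 encryption aes-256
! Hash algorithm for the derived hash keys (assumed keyword).
 hash sha
! Diffie-Hellman group: strength of the encryption-key-determination algorithm.
 group 5
! Lifetime in seconds before the encryption key is replaced.
 lifetime 86400
```

Each peer must offer a policy whose values agree with the other side's; if no policy matches, Phase 1 fails and no data tunnel is built, so a practitioner comparing a failing LAN-to-LAN connection starts by comparing these five lines on both endpoints.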