Configuring Basic Settings For All Tunnels - Cisco 7604 Configuration Manual

Catalyst 6500 series switch and cisco 7600 series router firewall services module configuration guide using the cli
Chapter 23
Configuring Management Access

Allowing a VPN Management Connection

The FWSM can support five concurrent IPSec connections, with a maximum of ten concurrent connections divided among all contexts. You can control the number of IPSec sessions allowed per context using resource classes. (See the "Configuring a Class" section on page 4-24.)

This section describes the following topics:

Configuring Basic Settings for All Tunnels, page 23-5
Configuring VPN Client Access, page 23-6
Configuring a Site-to-Site Tunnel, page 23-8

Configuring Basic Settings for All Tunnels

The following steps are required both for VPN client access and for site-to-site tunnels, and include setting the IKE policy (IKE is part of ISAKMP) and the IPSec transforms.

To configure basic settings for all tunnels, perform the following steps:

Step 1  To set the IKE encryption algorithm, enter the following command:

hostname(config)# isakmp policy priority encryption {des | 3des}

The 3des keyword is more secure than des.

You can have multiple IKE policies. The FWSM tries each policy in order of priority until a policy matches the peer policy. The priority can be an integer from 1 to 65,534, with 1 being the highest priority and 65,534 the lowest. Use this same priority number for the following isakmp commands.

Step 2  To set the Diffie-Hellman group used for key exchange, enter the following command:

hostname(config)# isakmp policy priority group {1 | 2}

Group 1 is 768 bits, and Group 2 is 1024 bits (and therefore more secure).

Step 3  To set the authentication algorithm, enter the following command:

hostname(config)# isakmp policy priority hash {md5 | sha}

The sha keyword is more secure than md5.

Step 4  To set the IKE authentication method as a shared key, enter the following command:

hostname(config)# isakmp policy priority authentication pre-share

You can alternatively use certificates instead of a shared key by specifying the rsa-sig option. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information about this method.

Step 5  To enable IKE on the tunnel interface, enter the following command:

hostname(config)# isakmp enable interface_name

Step 6  To set the authentication and encryption methods used for IPSec tunnels in a transform set, enter the following command:

hostname(config)# crypto ipsec transform-set transform_name [esp-md5-hmac | esp-sha-hmac] {esp-aes-256 | esp-aes-192 | esp-aes | esp-des | esp-3des}

Although you can specify authentication alone, or encryption alone, these methods are not secure.

You refer to this transform set when you configure the VPN client group or a site-to-site tunnel.

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM, OL-20748-01, page 23-5
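The six steps above written out as complete isakmp policies and transform sets, then checked against the guidance this section gives (3des over des, sha over md5, group 2 over group 1, a transform set needing both authentication and encryption, and IKE enabled on an interface). This is an added example in Python, not Cisco's code or the guide's own output; the configuration text is constructed, and the priorities 10 and 20, the interface name outside, and the transform set names are placeholders.

```python
"""Audit an FWSM-style IKE/IPSec configuration fragment against the
guidance in "Configuring Basic Settings for All Tunnels".

Added example, not Cisco's code. The sample configuration is constructed;
priorities, the interface name and the transform-set names are placeholders.
"""
import re
from collections import defaultdict

# Constructed sample: the six steps from the page, written twice. Policy 10
# uses the weaker keyword at each step, policy 20 the stronger one. One
# transform set specifies encryption alone, the other both methods.
SAMPLE_CONFIG = """\
isakmp policy 10 encryption des
isakmp policy 10 group 1
isakmp policy 10 hash md5
isakmp policy 10 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 group 2
isakmp policy 20 hash sha
isakmp policy 20 authentication pre-share
isakmp enable outside
crypto ipsec transform-set weak-set esp-des
crypto ipsec transform-set strong-set esp-sha-hmac esp-aes-256
"""

POLICY_RE = re.compile(r"^isakmp policy (\d+) (encryption|group|hash|authentication) (\S+)$")
ENABLE_RE = re.compile(r"^isakmp enable (\S+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")

# Keyword sets taken from the Step 6 command syntax on the page.
AUTH_TRANSFORMS = {"esp-md5-hmac", "esp-sha-hmac"}
ENC_TRANSFORMS = {"esp-aes-256", "esp-aes-192", "esp-aes", "esp-des", "esp-3des"}


def parse_config(text):
    """Return (policies, enabled_interfaces, transform_sets) from config text."""
    policies = defaultdict(dict)   # priority -> {attribute: keyword}
    enabled = []                   # interfaces with IKE enabled (Step 5)
    transform_sets = {}            # name -> set of transform keywords (Step 6)
    for raw in text.splitlines():
        line = raw.strip()
        if m := POLICY_RE.match(line):
            policies[int(m.group(1))][m.group(2)] = m.group(3)
        elif m := ENABLE_RE.match(line):
            enabled.append(m.group(1))
        elif m := TS_RE.match(line):
            transform_sets[m.group(1)] = set(m.group(2).split())
    return policies, enabled, transform_sets


def audit(text):
    """Return a list of findings, one string per weak or incomplete setting."""
    policies, enabled, transform_sets = parse_config(text)
    findings = []
    for prio in sorted(policies):
        p = policies[prio]
        if not 1 <= prio <= 65534:
            findings.append(f"policy {prio}: priority outside the 1-65534 range")
        # Steps 1-4 all have to be set under the same priority number.
        for attr in ("encryption", "group", "hash", "authentication"):
            if attr not in p:
                findings.append(f"policy {prio}: missing {attr}")
        if p.get("encryption") == "des":
            findings.append(f"policy {prio}: des is weaker than 3des")
        if p.get("group") == "1":
            findings.append(f"policy {prio}: group 1 (768-bit) is weaker than group 2 (1024-bit)")
        if p.get("hash") == "md5":
            findings.append(f"policy {prio}: md5 is weaker than sha")
    if not enabled:
        findings.append("isakmp is not enabled on any interface")
    for name, transforms in transform_sets.items():
        # The page: authentication alone or encryption alone is not secure.
        if not transforms & AUTH_TRANSFORMS:
            findings.append(f"transform-set {name}: no ESP authentication")
        if not transforms & ENC_TRANSFORMS:
            findings.append(f"transform-set {name}: no ESP encryption")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Running the block against the constructed sample reports three findings for policy 10 (des, group 1, md5) and one for weak-set (no ESP authentication); policy 20 and strong-set produce none. The same audit applied to a `show running-config` capture lets you confirm that every policy uses one consistent priority number across all four isakmp commands before the tunnel is brought up.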
