UNCLASSIFIED
Advanced Security Services
Version 1.0g
163
Consult the Cisco IOS 12.0 Security Configuration Guide [2] for details on the other
IKE options.
(Note: the router used for part of this example is named Remote, and that name
appears in all the prompts. Do not use a remote administration connection to enter
sensitive IPSec parameters; use a local console connection.)
To use pre-shared keys for making authentication decisions in IKE, each router must
possess the same secret key. These keys should be obtained out-of-band by each of
the routers' administrators. Once the keys are securely held, the network
administrators for the North and Remote routers (possibly the same person) should
enter the key into their routers. For this example, the secret key is 01234abcde. We
strongly recommend using difficult-to-guess combinations of characters, numbers,
and punctuation symbols to build operational pre-shared keys. To enter the keys, use
the crypto isakmp command in global configuration mode, as shown below.
The syntax for the crypto isakmp command is: crypto isakmp key key-value
address destination-ip-address.
North# config t
Enter configuration commands, one per line. End with CNTL/Z.
North(config)# crypto isakmp key 01234abcde address 7.12.1.20
North(config)# exit
North#
and
Remote# config t
Enter configuration commands, one per line. End with CNTL/Z.
Remote(config)# crypto isakmp key 01234abcde address 14.2.0.20
Remote(config)# exit
Remote#
When entering new configuration information into the router it is always a good idea,
after entering the new information, to check and see if the router has received the
intended configuration information. One way to verify that the pre-shared keys were
properly entered is to display the router's running configuration and look for the pre-
shared key entered above. This can be done using the show running-config
command in privileged EXEC mode.
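The verification step above can be scripted: save the output of show running-config from each router, then confirm that each router holds a key for the other's peer address, that the two keys are identical, and that the key is not the kind of short, low-variety string the guide warns against. The following Python script is an added example and is not part of the guide or of Cisco IOS; the two configuration fragments are constructed for illustration (they reuse the addresses and the example key 01234abcde from the text), and the script assumes the key appears in the plain form shown above.

```python
import re
import string

# Constructed fragments of "show running-config" output from each router, trimmed
# to the lines that matter here. Sample data, not captured from a real device.
NORTH_RUNNING_CONFIG = """\
hostname North
!
crypto isakmp key 01234abcde address 7.12.1.20
!
interface Ethernet0
 ip address 14.2.0.20 255.255.255.0
"""

REMOTE_RUNNING_CONFIG = """\
hostname Remote
!
crypto isakmp key 01234abcde address 14.2.0.20
!
interface Ethernet0
 ip address 7.12.1.20 255.255.255.0
"""

# Matches the command form used in the text:
#   crypto isakmp key <key-value> address <destination-ip-address>
ISAKMP_KEY_RE = re.compile(
    r"^crypto isakmp key (\S+) address (\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_isakmp_keys(config_text):
    """Return {peer_address: key} for every 'crypto isakmp key ... address ...' line."""
    keys = {}
    for line in config_text.splitlines():
        m = ISAKMP_KEY_RE.match(line.strip())
        if m:
            keys[m.group(2)] = m.group(1)
    return keys


def key_weaknesses(key):
    """List reasons a pre-shared key is easy to guess; an empty list means no finding.

    Thresholds (16 characters, at least three character classes) are this
    example's own choice, not a figure from the guide.
    """
    findings = []
    if len(key) < 16:
        findings.append("shorter than 16 characters")
    classes = sum(
        any(c in group for c in key)
        for group in (string.ascii_lowercase, string.ascii_uppercase,
                      string.digits, string.punctuation)
    )
    if classes < 3:
        findings.append("uses fewer than three character classes")
    return findings


def check_peer_pair(config_a, addr_a, config_b, addr_b):
    """Cross-check two routers' configs for one IPSec peer relationship.

    addr_a is the address of router A as seen by router B, and addr_b the address
    of router B as seen by router A. Returns a list of problems (empty = consistent).
    """
    key_a = parse_isakmp_keys(config_a).get(addr_b)  # A's key for peer B
    key_b = parse_isakmp_keys(config_b).get(addr_a)  # B's key for peer A
    problems = []
    if key_a is None:
        problems.append(f"router A has no pre-shared key for peer {addr_b}")
    if key_b is None:
        problems.append(f"router B has no pre-shared key for peer {addr_a}")
    if key_a is not None and key_b is not None and key_a != key_b:
        problems.append("pre-shared keys for the peer pair do not match")
    return problems


if __name__ == "__main__":
    problems = check_peer_pair(NORTH_RUNNING_CONFIG, "14.2.0.20",
                               REMOTE_RUNNING_CONFIG, "7.12.1.20")
    print("peer pair:", problems or "consistent")
    for addr, key in parse_isakmp_keys(NORTH_RUNNING_CONFIG).items():
        print(f"North key for {addr}:", key_weaknesses(key) or "no findings")
```

Run against the constructed configs, the peer pair checks out as consistent, but the example key 01234abcde is flagged on both length and character variety, which is exactly the guide's point about building operational keys from a harder-to-guess mix of characters, numbers, and punctuation. Because the key is read straight from the running configuration, anyone who can run show running-config can read it; treat saved copies of the configuration with the same care as the key itself.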
Establishing an IKE Security Policy
Each router contains a list of IKE security policies. In order for two routers to be
interoperable, there must be at least one policy in common between them. These
policies capture information needed by the IKE protocol to help build a secure IPSec
tunnel between the two routers. Each necessary parameter for the policy is listed