Router Security Configuration Guide
UNCLASSIFIED
Version 1.0g
below with a short description of its purpose (the default setting is given first in all
lists of choices):
§ priority number: a positive integer used to uniquely identify the policy
when two or more are contained within the router's configuration file
(default: none)
§ encryption: algorithm for protecting the IKE protocol messages (choices:
DES, 3DES in certain IOS versions, e.g. 12.0(3)T). Unless you have a very
sound reason to use DES (e.g. 3DES doesn't provide the needed
performance), always use 3DES. The DES algorithm is not acceptable,
however, to protect information between two peers over a hostile,
unprotected network (e.g. the Internet), so use 3DES for such cases.
§ hash: algorithm for providing integrity to IKE protocol messages
(choices: SHA, MD5)
§ authentication: method for identifying the routers attempting to establish
a tunnel (choices: Rivest-Shamir-Adleman (RSA) signature, RSA
encryption, pre-shared keys)
§ Diffie-Hellman group: the group used for computing the encryption key (choices:
#1 (768-bit modulus), #2 (1024-bit modulus)). We recommend using #2,
and eventually #5 (1536-bit modulus) when it becomes available.
§ security association lifetime: the time (in seconds) a tunnel should remain
in place before it is automatically rebuilt (default: 86400 (one day))
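As an added example that is not part of the guide, the following Python script reads the `crypto isakmp policy` blocks out of a saved IOS configuration and reports every setting that falls short of the parameters described above (3DES rather than DES, group 2 rather than group 1, the 86400 second lifetime). The sample configuration is constructed; the values used for omitted parameters are Cisco's documented defaults, and treating SHA as preferable to MD5 and accepting group 5 are assumptions of this script, not statements from the guide.

```python
import re
# Guide's recommendations: 3DES over DES, DH group 2 over group 1, lifetime 86400 s.
# Preferring SHA to MD5 and accepting group 5 are assumptions added here.
RECOMMENDED = {"encryption": {"3des"}, "hash": {"sha"}, "group": {"2", "5"}}
MAX_LIFETIME = 86400
# Cisco's documented defaults for omitted parameters: an empty policy runs DES, group 1.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}
PARAM = re.compile(r"(encryption|hash|authentication|group|lifetime) (\S+)$")

# Constructed sample: policy 1 mirrors the recommended settings, 10 is weak, 20 is bare.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp policy 10
 encryption des
 hash md5
 lifetime 604800
crypto isakmp policy 20
 authentication pre-share
interface Ethernet0
"""

def parse_isakmp_policies(config_text):
    """Return {priority: {param: value}} for every crypto isakmp policy block."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        head = re.match(r"crypto isakmp policy (\d+)$", raw)
        if head:                       # new block, pre-filled with the IOS defaults
            current = policies[int(head.group(1))] = dict(IOS_DEFAULTS)
        elif not raw.startswith(" "):  # any other top-level line ends the block
            current = None
        elif current is not None and (m := PARAM.match(raw.strip())):
            current[m.group(1)] = m.group(2).lower()
    return policies

def audit_config(config_text):
    """Map each policy priority (lowest is tried first) to its list of findings."""
    report = {}
    for prio, p in sorted(parse_isakmp_policies(config_text).items()):
        bad = [f"{k} {p[k]}" for k in ("encryption", "hash", "group")
               if p[k] not in RECOMMENDED[k]]
        if int(p["lifetime"]) > MAX_LIFETIME:
            bad.append(f"lifetime {p['lifetime']}")
        report[prio] = bad             # empty list means the policy meets the guide
    return report
```

Running `audit_config(SAMPLE_CONFIG)` flags policies 10 and 20 while policy 1 comes back clean; policy 20 is flagged only because the IOS defaults it inherits are DES and group 1.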
The administrators for the North and Remote routers should enter the IKE security
policy into their routers using the commands shown below.
North#
North# config t
Enter configuration commands, one per line. End with CNTL/Z.
North(config)# crypto isakmp policy 1
! The policy number may be an integer between 1 and 65,536, with
! the priority given to lower numbers
North(crypto-isakmp)# encryption 3des
! If the user's version of the IOS only supports the DES
! algorithm, and community of interest data separation is needed,
! then use the following command to select DES for encryption
! North(crypto-isakmp)# encryption des
North(crypto-isakmp)# hash sha
North(crypto-isakmp)# authentication pre-share
North(crypto-isakmp)# group 2
North(crypto-isakmp)# lifetime 86400
North(crypto-isakmp)# exit
North(config)# exit
North#
and