Router Security Configuration Guide, Version 1.0g, UNCLASSIFIED, page 164

below with a short description of its purpose (the default setting is given first in all lists of choices):

• priority number – a positive integer used to uniquely identify the policy when two or more are contained within the router's configuration file (default: none)
• encryption algorithm – for protecting the IKE protocol messages (choices: DES, 3DES in certain IOS versions, e.g. 12.0(3)T). Unless you have a very sound reason to use DES (e.g. 3DES doesn't provide the needed performance), always use 3DES. The DES algorithm is not acceptable, however, to protect information between two peers over a hostile, unprotected network (e.g. the Internet), so use 3DES for such cases.
• hash algorithm – for providing integrity to IKE protocol messages (choices: SHA, MD5)
• authentication method – for identifying the routers attempting to establish a tunnel (choices: Rivest-Shamir-Adleman (RSA) signature, RSA encryption, pre-shared keys)
• Diffie-Hellman group – used for computing the encryption key (choices: #1 (768 bit modulus), #2 (1024 bit modulus)). We recommend using #2, and eventually #5 (1536 bit modulus) when it becomes available.
• security association lifetime – lifetime (in seconds) a tunnel should remain in place before it is automatically rebuilt (default: 86400 (one day))

The administrators for the North and Remote routers should enter the IKE security policy into their routers using the commands shown below.

    North#
    North# config t
    Enter configuration commands, one per line. End with CNTL/Z.
    North(config)# crypto isakmp policy 1
    ! The policy number may be an integer between 1 and 65,536, with
    ! the priority given to lower numbers
    North(crypto-isakmp)# encryption 3des
    ! If the user’s version of the IOS only supports the DES
    ! algorithm, and community of interest data separation is needed,
    ! then use the following command to select DES for encryption
    ! North(crypto-isakmp)# encryption des
    North(crypto-isakmp)# hash sha
    North(crypto-isakmp)# authentication pre-share
    North(crypto-isakmp)# group 2
    North(crypto-isakmp)# lifetime 86400
    North(crypto-isakmp)# exit
    North(config)# exit
    North#

and
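An added example, not part of the original guide: a Python check that reads crypto isakmp policy blocks from a saved configuration or a pasted session, fills in the defaults given in the list above for any setting a policy omits, and flags DES and Diffie-Hellman group 1. The function names, the sample configuration and the prefix matching of abbreviated keywords are assumptions made for illustration.

```python
import re

# Defaults as the guide lists them (first choice); "rsa-sig" is the IOS keyword for RSA signatures.
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}
WEAK = {"encryption": ("des", "use 3DES"), "group": ("1", "use group 2")}

def parse_policies(config):
    """Return {priority: {setting: (value, was_explicit)}} for each IKE policy block."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = re.sub(r"^\S+#\s*", "", raw.strip())   # drop a prompt such as "North(config)# "
        if not line or line.startswith("!"):           # blank line or IOS comment
            continue
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(
                int(m.group(1)), {k: (v, False) for k, v in DEFAULTS.items()})
            continue
        parts = line.lower().split()
        # IOS accepts abbreviations (running-config prints "encr"), so match by prefix.
        key = next((k for k in DEFAULTS if len(parts) == 2 and k.startswith(parts[0])), None)
        if current is not None and key:
            current[key] = (parts[1], True)
        else:
            current = None                             # any other command ends the block
    return policies

def audit(policies):
    """List (priority, setting, value, origin, advice) for each weak setting."""
    findings = []
    for prio, settings in sorted(policies.items()):
        for key, (weak, advice) in WEAK.items():
            value, explicit = settings[key]
            if value == weak:
                findings.append((prio, key, value, "configured" if explicit else "default", advice))
    return findings

# Constructed sample: policy 1 follows the page, policy 20 leaves most settings at default.
SAMPLE = """\
crypto isakmp policy 1
 encr 3des
 group 2
crypto isakmp policy 20
 hash md5
"""

if __name__ == "__main__":
    print(*audit(parse_policies(SAMPLE)), sep="\n")
```

Policy 20 in the sample never mentions encryption or group, yet it is reported for both, because an omitted setting silently takes the weaker default.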