Solved

how to create ipsec tunnel with the following parameters

Posted on 2011-05-03
Last Modified: 2012-05-11
How to create an IPsec tunnel using these parameters. Customer IP where the tunnel has to be connected: 1.1.1.1

ISAKMP Parameters (Phase I):
Encryption:                     AES-256 or 3DES
Authentication Mode:            Pre-shared key
Authentication Algorithm:       SHA1 (96 bit) or MD5 (96 bit)
Diffie-Hellman (DH) Group:      Group 2
Lifetime:                       1440 minutes

IPsec Parameters (Phase II):
Encryption:                     AES-256 or 3DES
Authentication Algorithm:       SHA1 (96 bit) or MD5 (96 bit)
Lifetime:                       3600 seconds
Preferred Encryption/Algorithm: AES-256/SHA1


###################################################################

Please provide me the proper commands, as I will be implementing this on production.
Thanks everyone in advance.
Question by: pawanopensource
9 Comments
 
Accepted Solution by: Ironmannen (LVL 7), earned 2000 total points
ID: 35685404
Hello
What version of ASA will you use, 8.4?
How will the crypto ACL be designed? From where to where?
Regards
 

Author Comment by: pawanopensource
ID: 35687180
Here is the show version output.

Cisco PIX Security Appliance Software Version 8.0(3)
Device Manager Version 6.0(3)

Compiled on Tue 06-Nov-07 19:50 by builders
System image file is "flash:/pix803.bin"
Config file at boot was "startup-config"

pixfirewall up 9 days 22 hours

Hardware:   PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
 

Author Comment by: pawanopensource
ID: 35687580
For Phase 1 I have done this:

#######################################################################
ISAKMP Parameters: (Phase I)
Encryption: AES-256 or 3DES
Authentication Mode: Pre-shared key
Authentication Algorithm: SHA1 (96 bit) or MD5 (96 bit)
Diffie Hellman (DH) Group: Group 2
Lifetime: 1440 minutes


#crypto ipsec transform-set strong esp-3des esp-sha-hmac
#crypto map abc 20 match address 130
#crypto map abc 20 set peer 1.1.1.1
#crypto map abc 20 set transform-set strong
#crypto map abc interface outside
#crypto isakmp enable outside
#crypto isakmp policy 4


#crypto isakmp policy 4
#authentication pre-share
#encryption 3des
#hash sha
#group 2
#lifetime 1440

#########################################################################

For Phase 2, pending:

IPSEC Parameters: (Phase II)
Encryption: AES-256 or 3DES
Authentication Algorithm: SHA1 (96 bit) or MD5 (96 bit)
Lifetime: 3600 seconds
Preferred Encryption/Algorithm: AES-256/SHA1

pending

##########################################################################

Please point me in the right direction.
 
Expert Comment by: Ironmannen (LVL 7)
ID: 35687641

PHASE 1 //with AES is recommended
crypto isakmp policy 4
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400 //(1440*60)
crypto isakmp enable outside

PHASE 2

tunnel-group 1.1.1.1 type-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key KEY

crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac

crypto map abc 20 match address 130
crypto map abc 20 set peer 1.1.1.1
crypto map abc 20 set transform-set strong
crypto map abc 20 set security-association lifetime seconds 3600

crypto map abc interface outside
 

Author Comment by: pawanopensource
ID: 35687643
Friend, let's do one thing. Please guide me in configuring the IPsec tunnel according to the Phase 1 and Phase 2 requirements.

I have to make a tunnel between my office and the client:

office                client
1.1.1.1               2.2.2.2

I hope I am not confusing you.
 

Author Comment by: pawanopensource
ID: 35687714
Please explain to me what this command is for:

crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
 

Author Comment by: pawanopensource
ID: 35688150
ISAKMP Parameters: (Phase I)
Encryption: AES-256 or 3DES

IPSEC Parameters: (Phase II)
Encryption: AES-256 or 3DES

###################################################################

According to your config, the encryption method for Phase 1 and Phase 2 has been met.
 

Author Comment by: pawanopensource
ID: 35688513
Hey, everything is fine, but when I am creating the tunnel group it is showing this:

pixfirewall(config)# tunnel-group 1.1.1.1 ?

configure mode commands/options:
  general-attributes  Enter the general-attributes sub command mode
  ipsec-attributes    Enter the ipsec-attributes sub command mode

I am not able to configure the tunnel like you have said:
#########################################################

tunnel-group 1.1.1.1 type-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 
Expert Comment by: Ironmannen (LVL 7)
ID: 35693314
Hello
Sorry for my typo, it should be:
tunnel-group 1.1.1.1 type ipsec-l2l
Try and paste it in. Here is my sh run from an ASA 8.0(2) in GNS3 (I have applied it on real hardware many times):
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *

The line "crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac" dictates how the user traffic should be protected; in this case it is by AES-256 and a keyed hash with SHA.
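Putting the accepted solution together with the pieces the thread only asks about or mentions in passing (the crypto ACL Ironmannen asked about, the NAT exemption that 8.0-era PIX/ASA code needs when NAT is in use, the corrected "type ipsec-l2l" keyword, and the show commands used to check the result), the following is an added example for one end of the tunnel in PIX/ASA 8.0(3) syntax; it is not from the original thread or from either participant. It keeps the thread's names (crypto map abc, transform-set strong, ACL 130, policy 4, peer 1.1.1.1) and assumes, purely for illustration, a local LAN of 192.168.10.0/24 behind the inside interface, a remote LAN of 192.168.20.0/24 behind the customer, and the placeholder pre-shared key KEY. AES-256/SHA1 is chosen over 3DES/MD5 because the customer lists it as preferred. Note that the parameter sheet gives the two lifetimes in different units (1440 minutes for Phase 1, 3600 seconds for Phase 2) while the PIX takes both in seconds, which is why the Phase 1 value becomes 86400.

```cisco
! Added example, not from the thread: one end of a site-to-site IPsec tunnel
! on PIX/ASA 8.0(3). Assumed for illustration: local LAN 192.168.10.0/24,
! remote LAN 192.168.20.0/24, pre-shared key "KEY". Peer 1.1.1.1, ACL 130,
! crypto map "abc", transform-set "strong" and policy 4 come from the thread.

! --- Crypto ACL: "interesting" traffic, local -> remote.
!     The customer must configure the exact mirror image on their side.
access-list 130 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

! --- NAT exemption (pre-8.3 syntax). Without it, inside addresses would be
!     translated before the crypto map sees them and never match ACL 130.
!     Omit only if no NAT is configured on the inside interface.
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list nonat

! --- Phase 1 (ISAKMP): AES-256 / SHA1 / DH group 2 / pre-shared key.
!     Sheet says 1440 minutes; the box wants seconds: 1440 * 60 = 86400.
crypto isakmp policy 4
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside

! --- Peer identity and pre-shared key. The keyword is "type ipsec-l2l"
!     (the thread's "type-l2l" is the typo that produced the "?" output).
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key KEY

! --- Phase 2 (IPsec): ESP with AES-256 for confidentiality and HMAC-SHA1
!     for integrity; SA lifetime 3600 seconds as on the sheet.
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
crypto map abc 20 match address 130
crypto map abc 20 set peer 1.1.1.1
crypto map abc 20 set transform-set strong
crypto map abc 20 set security-association lifetime seconds 3600
crypto map abc interface outside

! --- Verification, after sending traffic from 192.168.10.0/24 to
!     192.168.20.0/24 so the tunnel is brought up:
! show crypto isakmp sa               (expect State: MM_ACTIVE for 1.1.1.1)
! show crypto ipsec sa peer 1.1.1.1   (expect #pkts encaps/decaps increasing)
```

The customer side must use the mirror-image crypto ACL (192.168.20.0/24 to 192.168.10.0/24), the same pre-shared key, and matching Phase 1 policy and transform-set values, or negotiation stops at Phase 1 (no MM_ACTIVE) or Phase 2 (ISAKMP up, no IPsec SA). Because the sheet offers only DH group 2, SHA1 and 3DES/MD5, the result satisfies the customer's 2011 requirements rather than current guidance: DH group 2 (1024-bit MODP) and MD5 are considered weak today, so prefer larger DH groups and SHA-2 wherever the peer supports them.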