Filter
Top Products
3-12
Cisco uBR924 Software Configuration Guide
OL-0337-05 (8/2002)
Chapter 3 Advanced Data-Only Configurations
IPSec (56-bit) Example
The configuration of the Cisco uBR924 router for IPSec encryption depends on the application involved,
such as whether the IPSec encryption is part of a virtual private network (VPN) and whether the
Cisco uBR924 router should encrypt traffic to one or more than one peer end-point. A technique that
would work well for a small network might not scale well for a large network—for example, using
pre-shared authentication keys works for networks of up to 10 or so nodes, but larger networks should
use RSA public key signatures and digital certificates.
Note For more information about IPSec, as well as related topics such as Internet Key Exchange (IKE),
Internet Security Association Key Management Protocol/Oakley variation (ISAKMP/Oakley), and
digital certificates, see the “Additional Documentation” section on page 3-15.
The following shows the commands needed to configure the Cisco uBR924 router for IPSec encryption
with one peer router, using pre-shared keys.
Command Purpose
Step 1
uBR924(config)# crypto isakmp enable Enable the use of ISAKMP/IKE on the
Cisco uBR924 router.
Step 2
uBR924(config)# crypto isakmp policy priority-number Creates an IKE policy with the specified
priority-number (1–10000, where 1 is the highest
priority) and enters ISAKMP policy configuration
command mode.
Step 3
uBR924(config-isakmp)# encryption des Specifies that 56-bit DES encryption be used. to
encrypt the data.
Step 4
uBR924(config-isakmp)# hash md5 Specifies the MD5 (HMAC variant) hash algorithm
for packet authentication.
Step 5
ubr924(config-isakmp)# group 1 Specifies the 768-bit Diffie-Hellman group for key
negotiation.
Step 6
uBR924(config-isakmp)# authentication pre-share Specifies that the authentication keys are pre-shared,
as opposed to dynamically negotiated using RSA
public key signatures.
Step 7
uBR924(config-isakmp)# lifetime seconds Defines how long each security association should
exist before expiring (60 seconds to 86,400
seconds).
Step 8
uBR924(config-isakmp)# exit Exits ISAKMP policy configuration command
mode.
Step 9
uBR924(config)# crypto isakmp key shared-key address
ip-address
Specifies the pre-shared key that should be used
with the peer at the specific IP address. The key can
be any arbitrary alphanumeric key up to 128
characters long—the key is case-sensitive and must
be entered identically on both routers.
Note You can also specify a pre-shared key using
the crypto key public-chain dss command.
See the description of this command in the
Cisco Encryption Technology Commands
document, available on CCO and the
Documentation CD-ROM.