Im studying IPSec VPN’s at the moment. There’s alot of terms, protocols and exchanges taking place, and they all use names thats really hard to tie together with what they are doing 🙂
Isakmp for example, what does that do? well, it stands for Internet Security Association and Key Management Protocol. Its the first phase of the IKE (Internet Key Exchange). Basically its sets up a baseline (encryption, hashing (authentication), Key-material, and Diffie-Hellman group), for management traffic. DH uses assymetric encryption to make a secure channel, to send a symmetric key through, which is used for the isakmp SA (Security Association).
The Second IKE phase, is the IPSec phase itself. It specifies a “transform-set”, which are information regarding the IPSec tunnel itself. What encryption (If any, as AH doesnt support confidentiality (encryption)), and authentication (Hashing), along with a lifetime on the IPSec SA.
You will also need to setup a crypto map, which ties together what traffic is to go through the tunnel, what peer you are going to create an IPSec tunnel to, and the transform set to be used. This crypto map is then applied to an interface. When data hits this outside interface, it is inspected, and if allowed through the ACL, it will be piped through the IPSec tunnel.
Lots of configuration!
I normally dont like to use GUI’s, especially since Ive had bad experience with Cisco’s GUI’s before (old PIX firewalls), so I was surprised at how easy it is to setup a site-to-site VPN connection through SDM. It doesnt mess up the “real” configuration that much either, which I was afraid of.
Im off to relax, and to setup some more lab VPN’s.