
Scott Empson and Hans Roth

"CCNP ISCW Portable Command Guide"


    Because the IKE SA is bound to the VTI, the same IKE SA cannot be used for a crypto map.

Winnipeg(config)#exit
    Returns to global configuration mode

Configuring a Static IPsec Virtual Tunnel Interface 53

Winnipeg(config)#crypto isakmp key KEY-1 address 0.0.0.0 0.0.0.0
    Assigns the common crypto key and specifies the interface IP address of the participating peer

NOTE: The VTI programming steps for the Edmonton router are the same as those for the Winnipeg router using reciprocal (mirrored) addressing.

Edmonton(config)#crypto isakmp policy 10
    Creates policy to define the parameters used during the IKE negotiation

Edmonton(config-isakmp)#authentication pre-share
    Specifies use of a shared common key

Edmonton(config-isakmp)#encryption aes 256
    Specifies use of 256-bit AES encryption

Edmonton(config-isakmp)#hash sha
    Specifies use of the SHA hashing algorithm

Edmonton(config-isakmp)#group 5
    Configures the IKE policy with the 1536-bit Diffie-Hellman group (group 5)

Edmonton(config-isakmp)#lifetime 3600
    Specifies the lifetime of an IKE SA

Edmonton(config)#exit
    Returns to global configuration mode

Edmonton(config)#crypto isakmp key KEY-1 address 0.0.0.0 0.0.0.0
    Assigns the common crypto key and specifies the interface IP address of the participating peer
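
The following Python audit is an added example, not part of the book: it reads the Edmonton commands listed above and reports the IKE settings a security review would question, including the 0.0.0.0 0.0.0.0 key statement, which matches any peer address rather than one named peer. The function name audit_isakmp and the choice to flag DH groups 1, 2 and 5, SHA-1/MD5 and DES/3DES are assumptions of this example.

```python
import re

# Matches a pasted IOS prompt such as "Edmonton(config-isakmp)#".
PROMPT = re.compile(r"^\S+?(?:\([\w-]+\))?[#>]\s*")
# Assumption of this example: these values are treated as findings.
WEAK_DH = {"1": 768, "2": 1024, "5": 1536}          # MODP group -> modulus bits
WEAK_HASH = {"sha": "SHA-1", "md5": "MD5"}
WEAK_ENC = {"des": "single DES", "3des": "3DES"}

def audit_isakmp(config_text):
    """Return (scope, finding) pairs for risky IKEv1 (ISAKMP) settings."""
    findings, policy = [], None
    for raw in config_text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if words[:3] == ["crypto", "isakmp", "policy"] and len(words) == 4:
            policy = "policy " + words[3]
        elif words[:3] == ["crypto", "isakmp", "key"]:
            policy = None
            # The key itself (words[3]) is never echoed into the report.
            if words[4:] == ["address", "0.0.0.0", "0.0.0.0"]:
                findings.append(("key", "wildcard pre-shared key: accepted from any peer address"))
        elif words == ["exit"]:
            policy = None
        elif policy and len(words) == 2:
            kw, val = words
            if kw == "group" and val in WEAK_DH:
                findings.append((policy, f"DH group {val} is only {WEAK_DH[val]}-bit MODP"))
            elif kw == "hash" and val in WEAK_HASH:
                findings.append((policy, f"hash {val} selects {WEAK_HASH[val]}"))
            elif kw == "encryption" and val in WEAK_ENC:
                findings.append((policy, f"encryption {val} selects {WEAK_ENC[val]}"))
    return findings

# The Edmonton commands from the table above, prompts included.
PAGE_CONFIG = """\
Edmonton(config)#crypto isakmp policy 10
Edmonton(config-isakmp)#authentication pre-share
Edmonton(config-isakmp)#encryption aes 256
Edmonton(config-isakmp)#hash sha
Edmonton(config-isakmp)#group 5
Edmonton(config-isakmp)#lifetime 3600
Edmonton(config)#exit
Edmonton(config)#crypto isakmp key KEY-1 address 0.0.0.0 0.0.0.0
"""

if __name__ == "__main__":
    for scope, finding in audit_isakmp(PAGE_CONFIG):
        print(f"{scope}: {finding}")
```

Pasted prompts are stripped before matching, so the same function accepts either a terminal transcript or a saved configuration.
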
Step 4: Create IPsec Transform Sets
NOTE: When IKE is not used to establish SAs, a single transform set must be used.

