Installing and Administering IPSec/9000, Chapter 5: IPSec/9000 Configuration Examples

Example 1: Description
Scenario

You have two systems, Apple (15.1.1.1) and Banana (15.2.2.2). You want to use authenticated ESP with 3DES encryption and SHA-1 authentication for all telnet traffic from Apple to Banana, and for all telnet traffic from Banana to Apple. All other network traffic will pass in clear text.

You do not have a Public Key Infrastructure, so you can use only preshared keys for ISAKMP primary authentication. You will use the default values for most parameters, such as the Security Association Lifetimes.

IPSec Policies

On Apple, you must configure two IPSec policies.

The first IPSec policy (telnetAB) is for telnet requests from Apple to Banana (users on Apple telnetting to Banana). Note that since the telnet clients on Apple may use any non-reserved TCP port number, you set the local port number to an asterisk ("*") to indicate any port number. You set the remote port number to 23, the well-known port for the telnet service.

The second IPSec policy (telnetBA) is for telnet requests from Banana to Apple (users on Banana telnetting to Apple). Note that since the telnet clients on Banana may use any non-reserved TCP port number, you set the remote port number to an asterisk ("*") to indicate any port number. You set the local port number to 23, the well-known port for the telnet service.

Both IPSec policies telnetAB and telnetBA use the ISAKMP default policy. In addition, you must modify the default IPSec policy to pass all other traffic in clear text.

ISAKMP Policy

Since you are using IPSec/9000 between Apple and one other system (Banana), you can just modify the default ISAKMP policy for all requirements. Note that the (primary) authentication method must be set to "preshared key" since you do not have a Public Key Infrastructure.

Preshared Keys

You must configure the key to use when authenticating system Banana's identity and to authenticate your identity to Banana. Note that the remote address for the preshared key is 15.2.2.2 (Banana's IP address).
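The following is an added illustration, not part of the HP manual and not IPSec/9000 code: a small model of Apple's policy table as described above (telnetAB, telnetBA, and the modified default), showing which TCP flows the wildcard port selectors catch and which fall through to clear text. Flows are described from Apple's point of view; first-match ordering and the selector field names are assumptions of this model.

```python
# Added example: model of the IPSec/9000 policy selectors from Example 1.
# Assumptions (not from the manual): policies are checked in order, first
# match wins, and a flow is identified by local/remote address and port.
from dataclasses import dataclass
from typing import Optional

APPLE, BANANA = "15.1.1.1", "15.2.2.2"

@dataclass(frozen=True)
class Policy:
    name: str
    local_addr: str   # "*" means any address
    remote_addr: str
    local_port: str   # "*" means any port, otherwise a port number as text
    remote_port: str
    action: str       # "ESP_3DES_SHA1" (authenticated ESP) or "PASS" (clear)

def _sel(selector: str, value) -> bool:
    """True when a selector field is a wildcard or equals the flow value."""
    return selector == "*" or selector == str(value)

def matches(p: Policy, la: str, ra: str, lp: int, rp: int) -> bool:
    return (_sel(p.local_addr, la) and _sel(p.remote_addr, ra)
            and _sel(p.local_port, lp) and _sel(p.remote_port, rp))

# Apple's policy list as the text describes it.  telnetAB: Apple's telnet
# clients (any local port) to Banana's telnet service (remote port 23).
# telnetBA: Banana's telnet clients (any remote port) to Apple's port 23.
# The default policy is modified to pass everything else in clear text.
APPLE_POLICIES = [
    Policy("telnetAB", APPLE, BANANA, "*", "23", "ESP_3DES_SHA1"),
    Policy("telnetBA", APPLE, BANANA, "23", "*", "ESP_3DES_SHA1"),
    Policy("default", "*", "*", "*", "*", "PASS"),
]

def select_policy(la: str, ra: str, lp: int, rp: int,
                  policies=APPLE_POLICIES) -> Optional[Policy]:
    """Return the first policy whose selectors match the flow, or None."""
    for p in policies:
        if matches(p, la, ra, lp, rp):
            return p
    return None

if __name__ == "__main__":
    # Constructed sample flows seen on Apple (ephemeral ports are made up).
    for flow in [(APPLE, BANANA, 40123, 23), (APPLE, BANANA, 23, 51000),
                 (APPLE, BANANA, 40124, 80), (APPLE, "15.3.3.3", 40125, 23)]:
        p = select_policy(*flow)
        print(flow, "->", p.name, p.action)
```

Note that a telnet session from a third host to Apple's port 23 falls through to the default policy and is sent in clear text, because both telnet policies name Banana's address explicitly.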