
Configuring the Cisco PIX Firewall for CA Site-to-Site

Chapter Description

This sample chapter explains how to configure Cisco Secure PIX Firewall certificate authority (CA) support for Internet Protocol Security (IPSec). After presenting an overview of the configuration process, the chapter shows you each major step of the configuration, including support tasks, IKE, and IPSec.

Task 3: Configure IKE


The following steps are identical to those for configuring preshared keys except for Step 2, which is the only step covered here. Refer to Chapter 6 for the detailed explanation of each step not covered here.

Configuring IKE consists of three essential steps.

Step 1

Enable or disable IKE—Enable or disable IKE (ISAKMP) negotiation for authentication and key exchange. Set the ISAKMP identity.

Step 2

Create IKE policies—Define a suite of IKE policies to establish ISAKMP peering between two IPSec endpoints.

Step 3

Verify IKE configuration—The write terminal and show isakmp policy commands display configured policies.

Step 2: Create IKE Policies

The next major step in configuring PIX Firewall ISAKMP support is to define a suite of ISAKMP policies. The goal of defining a suite of IKE policies is to establish ISAKMP peering between two IPSec endpoints. Use the IKE policy details gathered during the planning task. Configure an IKE phase one policy with the isakmp policy command to match expected IPSec peers:

Step 1

Identify the policy with a unique priority number.

pixfirewall(config)# isakmp policy priority

Step 2

Specify the encryption algorithm. The default is des.

pixfirewall(config)# isakmp policy priority encryption {des | 3des}

Step 3

Specify the hash algorithm. The default is sha.

pixfirewall(config)# isakmp policy priority hash {md5 | sha}

Step 4

Specify the authentication method.

pixfirewall(config)# isakmp policy priority authentication {pre-share | rsa-sig}


If you authenticate peers with certificates issued by a CA server, you must specify the rsa-sig authentication method.

Step 5

Specify the Diffie-Hellman group identifier. The default is group 1.

pixfirewall(config)# isakmp policy priority group {1 | 2}

Step 6

Specify the IKE SA's lifetime. The default is 86400.

pixfirewall(config)# isakmp policy priority lifetime seconds


PIX Firewall software has preset default values. If you enter a default value for a given policy parameter, it will not be written in the configuration. If you do not specify a value for a given policy parameter, the default value is assigned. You can observe configured and default values with the show isakmp policy command.

When configuring ISAKMP (IKE) for certificate-based authentication, it is important to match the IKE identity type with the certificate type. The ca enroll command used to acquire certificates will, by default, get a certificate with the identity based on host name. The default identity type for the isakmp identity command is based on the address instead of the host name. You can reconcile this disparity of identity types by using the isakmp identity hostname command when configuring CA support.

If you are using RSA signatures as your authentication method in your IKE policies, Cisco recommends you set each participating peer's identity to the host name. Otherwise, the ISAKMP security association to be established during phase one of IKE might fail.

Use the no isakmp identity hostname command to reset the IKE identity to the default value of IP address.
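
The identity and default-value checks described above can be run against saved write terminal output. The following Python script is an added example, not code from this chapter or from Cisco: it fills in the defaults that are not written to the configuration, then reports policies that use rsa-sig without isakmp identity hostname and policies still running on the des or group 1 defaults. The rsa-sig default for authentication, the function names, and the sample configuration are assumptions that do not come from the page.

```python
import re

# Defaults the chapter states: des, sha, group 1, lifetime 86400.
# Assumption (not stated on the page): the default authentication is rsa-sig.
DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1",
            "lifetime": "86400", "authentication": "rsa-sig"}

POLICY_RE = re.compile(r"^isakmp policy (\d+) (\w+) (\S+)\s*$")

def parse_policies(config):
    """Return {priority: effective settings}, filling in omitted defaults."""
    policies = {}
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            prio, key, value = m.groups()
            policies.setdefault(int(prio), dict(DEFAULTS))[key] = value
    return policies

def audit(config):
    """Return (priority, finding) pairs for a saved configuration."""
    lines = [l.strip() for l in config.splitlines()]
    hostname_identity = "isakmp identity hostname" in lines
    findings = []
    for prio, p in sorted(parse_policies(config).items()):
        # Certificate identity is host name based; IKE identity must match.
        if p["authentication"] == "rsa-sig" and not hostname_identity:
            findings.append((prio, "rsa-sig without 'isakmp identity hostname'"))
        if p["encryption"] == "des":
            findings.append((prio, "effective encryption is des"))
        if p["group"] == "1":
            findings.append((prio, "effective Diffie-Hellman group is 1"))
    return findings

# Constructed sample in the form of write terminal output (not from the page).
SAMPLE = """\
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 group 2
isakmp policy 20 authentication pre-share
isakmp policy 20 hash md5
"""

if __name__ == "__main__":
    for prio, msg in audit(SAMPLE):
        print(f"policy {prio}: {msg}")
```

Because a policy parameter left at its default never appears in the saved configuration, the script judges each policy on its effective settings rather than on the lines that happen to be present.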
