This section summarizes the main points of this chapter:
Determine the types of traffic that will be encrypted and the hosts or networks that will be protected, and specify the IPSec gateways that will terminate the tunnels as part of planning for IPSec.
You use the isakmp policy command to specify preshared keys for authentication and to configure IKE policy parameters.
Some IPSec transforms require you to make trade-offs between high performance and stronger security.
IPSec transforms are grouped into sets, and the sets can be grouped into supersets in crypto maps, where you place the strongest security transform sets first.
Crypto access lists act like outgoing access lists, where permit means encrypt.
Crypto access lists should mirror each other between peers.
Crypto maps pull together all IPSec details and are applied to interfaces, enabling IPSec SA setup.
The PIX Firewall can terminate IPSec tunnels on any interface from traffic coming in on that interface.
The show crypto map command shows a summary of all IPSec parameters used to set up IPSec SAs.
The configuration procedures and commands are nearly identical between the PIX Firewall and Cisco routers. A key difference is that the PIX Firewall commands do not have a hierarchy with submodes.