OL-30824-01 63
Configure Security

Section: Key Management (continued)
Field / Description:

Key Exchange Method: Select one of the following options for the key exchange method:

Auto (IKE)
  Encryption: The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. Notice that both sides must use the same method.
  Authentication: The Authentication method authenticates the Encapsulating Security Payload (ESP) packets. Select MD5 or SHA. Notice that both sides (VPN endpoints) must use the same method.
    MD5: A one-way hashing algorithm that produces a 128-bit digest.
    SHA: A one-way hashing algorithm that produces a 160-bit digest.
  Perfect Forward Secrecy (PFS): If PFS is enabled, IKE Phase 2 negotiation will generate new key material for IP traffic encryption and authentication. Note that both sides must have PFS enabled.
  Pre-Shared Key: IKE uses the Pre-Shared Key to authenticate the remote IKE peer. Both character and hexadecimal values are acceptable in this field, e.g., "My_@123" or "0x4d795f40313233". Note that both sides must use the same Pre-Shared Key.
  Key Lifetime: This field specifies the lifetime of the IKE generated key. If the time expires, a new key will be renegotiated automatically. The Key Lifetime may range from 300 to 100,000,000 seconds. The default lifetime is 3600 seconds.

Manual
  Encryption: The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. Notice that both sides must use the same method.
  Encryption Key: This field specifies a key used to encrypt and decrypt IP traffic. Both character and hexadecimal values are acceptable in this field. Note that both sides must use the same Encryption Key.
  Authentication: The Authentication method authenticates the Encapsulating Security Payload (ESP) packets. Select MD5 or SHA. Notice that both sides (VPN endpoints) must use the same method.
    MD5: A one-way hashing algorithm that produces a 128-bit digest.
    SHA: A one-way hashing algorithm that produces a 160-bit digest.
  Authentication Key: This field specifies a key used to authenticate IP traffic. Both character and hexadecimal values are acceptable in this field. Note that both sides must use the same Authentication Key.
  Inbound SPI/Outbound SPI: The Security Parameter Index (SPI) is carried in the ESP header. This enables the receiver to select the SA under which a packet should be processed. The SPI is a 32-bit value. Both decimal and hexadecimal values are acceptable, e.g., "987654321" or "0x3ade68b1". Each tunnel must have a unique Inbound SPI and Outbound SPI. No two tunnels share the same SPI. Note that the Inbound SPI must match the remote gateway's Outbound SPI, and vice versa.
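As an added example (not part of the Cisco guide), a small Python checker that applies the rules in this table to a manually keyed tunnel: it normalises keys entered as characters or as 0x-prefixed hex, parses SPIs entered in decimal or hex and enforces the 32-bit limit, verifies that both endpoints use the same methods and keys, that the local Inbound SPI equals the remote Outbound SPI and vice versa, and that no two tunnels on one gateway share an SPI. The field names, the dict layout and the "ENC-A" method label are assumptions made for the example.

```python
import re

def key_bytes(value):
    """Key fields accept characters or 0x-prefixed hex; return the raw key bytes."""
    if value[:2].lower() == "0x":  # "My_@123" and "0x4d795f40313233" are the same key
        if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", value[2:]):
            raise ValueError(f"malformed hexadecimal key {value!r}")
        return bytes.fromhex(value[2:])
    return value.encode("ascii")

def parse_spi(value):
    """SPI fields accept decimal or 0x-prefixed hex ("987654321" == "0x3ade68b1")."""
    spi = int(value, 16) if value[:2].lower() == "0x" else int(value, 10)
    if not 0 <= spi <= 0xFFFFFFFF:  # the SPI is a 32-bit value
        raise ValueError(f"SPI {value!r} does not fit in 32 bits")
    return spi

def check_tunnel(name, local, remote):
    """Compare one manually keyed tunnel as configured on both gateways."""
    problems = []
    for field in ("encryption", "authentication"):
        if local[field] != remote[field]:
            problems.append(f"{name}: {field} method differs between endpoints")
    for field in ("encryption_key", "authentication_key"):
        if key_bytes(local[field]) != key_bytes(remote[field]):
            problems.append(f"{name}: {field} differs between endpoints")
    # Local Inbound SPI must equal the remote Outbound SPI, and vice versa.
    for a, b in (("inbound_spi", "outbound_spi"), ("outbound_spi", "inbound_spi")):
        if parse_spi(local[a]) != parse_spi(remote[b]):
            problems.append(f"{name}: local {a} != remote {b}")
    return problems

def check_unique_spis(tunnels):
    """No two tunnels on one gateway may share an SPI, inbound or outbound."""
    seen, problems = {}, []
    for name, cfg in tunnels.items():
        for field in ("inbound_spi", "outbound_spi"):
            spi = parse_spi(cfg[field])
            if spi in seen:
                problems.append(f"{name}/{field}: SPI {spi:#010x} already used by {seen[spi]}")
            seen.setdefault(spi, f"{name}/{field}")
    return problems

# Constructed sample: one tunnel as entered on each gateway ("ENC-A" is a placeholder
# method label; the two sides give the same keys once as text and once as hex).
LOCAL = {"encryption": "ENC-A", "authentication": "SHA", "encryption_key": "My_@123",
         "authentication_key": "0x4d795f40313233", "inbound_spi": "987654321", "outbound_spi": "0x3ade68b2"}
REMOTE = {"encryption": "ENC-A", "authentication": "SHA", "encryption_key": "0x4d795f40313233",
          "authentication_key": "My_@123", "inbound_spi": "0x3ade68b2", "outbound_spi": "0x3ade68b1"}
```

Feeding the same LOCAL/REMOTE pair to check_unique_spis as two tunnels on one gateway reports both SPIs as duplicates, which is the misconfiguration the last paragraph of the table warns about.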