User Guide for Cisco Security Manager 4.4, OL-28826-01, page 25-1

Chapter 25
Configuring IKE and IPsec Policies
This chapter describes how to configure Internet Protocol Security (IPsec) and the Internet Security
Association and Key Management Protocol (ISAKMP, or IKE) standards to build site-to-site and remote
access IPsec Virtual Private Networks (VPNs). These policies are used in regular IPsec and other types
of IPsec-based VPN technologies to build VPN tunnels.
Tunneling makes it possible to use a public TCP/IP network, such as the Internet, to create secure
connections between remote users and a private corporate network. Each secure connection is called a
tunnel.
IPsec-based VPN technologies use the ISAKMP and IPsec tunneling standards to build and manage
tunnels. ISAKMP and IPsec accomplish the following:
• Negotiate tunnel parameters.
• Establish tunnels.
• Authenticate users and data.
• Manage security keys.
• Encrypt and decrypt data.
• Manage data transfer across the tunnel.
• Manage data transfer inbound and outbound as a tunnel endpoint or router.
A device in a VPN functions as a bidirectional tunnel endpoint. It can receive plain packets from the
private network, encapsulate them, create a tunnel, and send them to the other end of the tunnel where
they are unencapsulated and sent to their final destination. It can also receive encapsulated packets from
the public network, unencapsulate them, and send them to their final destination on the private network.
The following topics explain the basic IKE and IPsec policies and how to configure them:
• Overview of IKE and IPsec Configurations, page 25-2
• Understanding IKE, page 25-5
• Understanding IPsec Proposals, page 25-17
• Configuring VPN Global Settings, page 25-29
• Understanding IKEv1 Preshared Key Policies in Site-to-Site VPNs, page 25-43
• Understanding Public Key Infrastructure Policies, page 25-47
• Configuring IKEv2 Authentication in Site-to-Site VPNs, page 25-62