25-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Overview of IKE and IPsec Configurations
Internet Key Exchange (IKE) is a key management protocol that is used to authenticate IPsec peers,
negotiate and distribute IPsec encryption keys, and to automatically establish IPsec security associations
(SAs).
The IKE negotiation comprises two phases. Phase 1 negotiates a security association between two IKE
peers, which enables the peers to communicate securely in Phase 2. During Phase 2 negotiation, IKE
establishes SAs for other applications, such as IPsec. Both phases use proposals when they negotiate a
connection.
An IKE proposal is a set of algorithms that two peers use to secure the IKE negotiation between them.
IKE negotiation begins by each peer agreeing on a common (shared) IKE policy. This policy states which
security parameters will be used to protect subsequent IKE negotiations. For IKE version 1 (IKEv1), IKE
proposals contain a single set of algorithms and a modulus group. You can create multiple, prioritized
policies at each peer to ensure that at least one policy matches a remote peer’s policy. Unlike IKEv1, in
an IKEv2 proposal, you can select multiple algorithms and modulus groups from which peers can choose
during the Phase 1 negotiation, potentially making it possible to create a single IKE proposal (although
you might want different proposals to give higher priority to your most desired options). You can define
several IKE proposals per VPN.
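The difference described above, one algorithm set per IKEv1 policy versus several admissible choices per field in an IKEv2 proposal, is modelled by the following added example; it is not Cisco Security Manager code, and the policies, names and matching rules are a simplified, constructed illustration (lifetime handling and vendor-specific tie-breaking are left out).

```python
# Added illustration of how IKEv1 and IKEv2 proposals are matched; a simplified
# model, not Cisco's implementation (lifetime and vendor-specific rules omitted).
from dataclasses import dataclass

@dataclass(frozen=True)
class IkeV1Policy:
    priority: int        # lower number = higher priority, as on Cisco devices
    encryption: str
    integrity: str
    dh_group: int
    authentication: str  # "pre-share" or "rsa-sig": IKEv1 carries the auth mode

@dataclass(frozen=True)
class IkeV2Proposal:
    # Each field lists every admissible choice, in order of preference.
    # IKEv2 proposals carry no authentication mode (configured elsewhere).
    encryption: tuple
    integrity: tuple
    dh_groups: tuple

def negotiate_ikev1(local, remote):
    """Walk both prioritized lists; return the first fully matching pair."""
    def key(p):
        return (p.encryption, p.integrity, p.dh_group, p.authentication)
    for lp in sorted(local, key=lambda p: p.priority):
        for rp in sorted(remote, key=lambda p: p.priority):
            if key(lp) == key(rp):
                return lp, rp
    return None            # no common policy: Phase 1 cannot be established

def negotiate_ikev2(initiator, responder):
    """Pick one common value per field, honouring the initiator's order."""
    chosen = {}
    for name, mine, theirs in (
        ("encryption", initiator.encryption, responder.encryption),
        ("integrity", initiator.integrity, responder.integrity),
        ("dh_group", initiator.dh_groups, responder.dh_groups),
    ):
        common = [x for x in mine if x in theirs]
        if not common:
            return None    # one field with no overlap sinks the whole proposal
        chosen[name] = common[0]
    return chosen

# Constructed sample policies (not taken from any real device).
LOCAL_V1 = [IkeV1Policy(10, "aes-256", "sha256", 14, "pre-share"),
            IkeV1Policy(20, "aes-128", "sha1", 2, "pre-share")]
REMOTE_V1 = [IkeV1Policy(10, "aes-128", "sha1", 2, "pre-share"),
             IkeV1Policy(20, "aes-256", "sha256", 14, "pre-share")]
INITIATOR_V2 = IkeV2Proposal(("aes-gcm-256", "aes-cbc-256"), ("sha512", "sha256"), (19, 14))
RESPONDER_V2 = IkeV2Proposal(("aes-cbc-256", "aes-cbc-128"), ("sha256",), (14, 19, 2))
```

With these inputs the IKEv1 peers agree on the local priority-10 policy even though the remote ranks it second, while the single IKEv2 proposal pair settles on AES-CBC-256, SHA-256 and group 19 without any second proposal being needed.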
You must configure several policies to define the settings required to make successful regular IPsec
connections in a site-to-site or remote access VPN. The following procedure provides an overview of the
steps required to complete the configuration, and points to other topics that provide detailed information
for each step.
Related Topics
Understanding IKE, page 25-5
Understanding IPsec Proposals, page 25-17
Understanding IKEv1 Preshared Key Policies in Site-to-Site VPNs, page 25-43
Understanding Public Key Infrastructure Policies, page 25-47
Step 1 Configure the IKE Proposal policy.
In the IKE Proposal policy, you define the IKE proposal policy objects to use for making VPN connections. When defining the IKE proposal object, you select the algorithms to use for encrypting the IKE negotiation and for integrity checking, and the Diffie-Hellman group used to derive the shared keying material for the encryption algorithm. For IKEv1, you also determine whether you are using preshared keys or Public Key Infrastructure, whereas in IKEv2, the IKE proposal does not include a specification for authentication mode.
The following topics explain how to configure the IKE Proposal policy:
Configuring an IKE Proposal, page 25-9
Configuring IKEv1 Proposal Policy Objects, page 25-10
Configuring IKEv2 Proposal Policy Objects, page 25-13
Configuring the IKE Proposal for GET VPN, page 28-15
Step 2 Complete the authentication mode configuration.
Your selection for authentication mode in the IKEv1 proposal, and your decision on which mode to use
for IKEv2, controls what other policies are required to complete the authentication mode configuration: