25-4
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Overview of IKE and IPsec Configurations
• Configuring VPN Global ISAKMP/IPsec Settings, page 25-30
• Configuring VPN Global IKEv2 Settings, page 25-34
• Configuring VPN Global NAT Settings, page 25-38
• Configuring VPN Global General Settings, page 25-40
• Configuring Global Settings for GET VPN, page 28-16
Step 5 If you are configuring a remote access IKEv2 IPsec VPN, you must also configure several policies for
SSL VPN, because IKEv2 shares several configuration settings with SSL VPNs. For information on the other
policies you need to configure, see Creating IPSec VPNs Using the Remote Access VPN Configuration
Wizard (ASA and PIX 7.0+ Devices), page 29-24.
Comparing IKE Version 1 and 2
There are two versions of IKE: version 1 (IKEv1) and version 2 (IKEv2). When you configure IKE on
a device that supports IKEv2, you have the option of configuring either version alone, or both versions
together. When the device attempts to negotiate a connection with another peer, it uses whichever
versions you allow and that the other peer accepts. If you allow both versions, the device automatically
falls back to the other version if negotiations are unsuccessful with the initially chosen version (IKEv2
is always tried first if it is configured). Both peers must support IKEv2 to use it in a negotiation.
Tip Security Manager supports IKEv2 on ASA 8.4(1)+ only. For remote access IPsec VPNs, users must use
the AnyConnect 3.0+ client to complete IKEv2 connections, and IKEv2 connections use the same
license pool that is used for SSL VPN connections. The legacy VPN Client is used for IKEv1 remote
access connections on ASAs. For more information about device support in VPNs, see Understanding
Devices Supported by Each IPsec Technology, page 24-9.
IKEv2 differs from IKEv1 in the following ways:
• IKEv2 fixes the Photuris-style cookie mechanism.
• IKEv2 has fewer round trips in a negotiation than IKEv1: two round trips versus five for IKEv1 for
a basic exchange.
• Transform options are OR’ed, which means that you can specify multiple options in a single
proposal rather than creating separate unique proposals for each allowed combination.
• Built-in dead peer detection (DPD).
• Built-in configuration payload and user authentication mode.
• Built-in NAT traversal (NAT-T). IKEv2 uses ports 500 and 4500 for NAT-T.
• Improved re-keying and collision handling.
• A single security association (SA) can protect multiple subnets, which improves scalability.
• Asymmetric authentication in site-to-site VPNs, where each side of a tunnel can have different
preshared keys, different certificates, or one side a key and the other side a certificate.
• For remote access IPsec VPNs, you can configure double authentication for IKEv2 connections in
the same way that you configure them for remote access SSL VPNs. IKEv1 does not support double
authentication.
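The version-fallback behaviour and the port usage described above (IKEv2 is tried first and the device falls back to IKEv1 if both are allowed; IKE and NAT-T run on UDP 500 and 4500) can be observed on the wire. The following added example, which is not part of the Cisco guide and not Security Manager code, parses the 28-byte ISAKMP header shared by IKEv1 and IKEv2 (RFC 2408 / RFC 7296), strips the 4-byte non-ESP marker that RFC 3948 places in front of IKE on UDP 4500, and reports which version and exchange type each datagram carries. A summary function then flags a negotiation that started with IKEv2 and continued with IKEv1, which is the fallback case and is worth alerting on where policy expects IKEv2 only. The sample datagrams, SPIs and bodies are constructed placeholders, not captured traffic.

```python
"""Added example: classify IKE datagrams on UDP 500/4500 by version and exchange type.

Assumptions (not from the Cisco guide): header layout per RFC 2408 (ISAKMP) and
RFC 7296 (IKEv2); 4-byte all-zero non-ESP marker per RFC 3948 on UDP 4500.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ISAKMP_HEADER_FMT = "!8s8sBBBBII"  # ISPI, RSPI, next payload, version, exchange, flags, msg id, length
ISAKMP_HEADER_LEN = struct.calcsize(ISAKMP_HEADER_FMT)  # 28 bytes, identical for IKEv1 and IKEv2
NON_ESP_MARKER = b"\x00" * 4       # leading zeros mean "IKE, not ESP" inside UDP 4500

IKEV1_EXCHANGES = {2: "Main Mode", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
IKEV2_FLAG_RESPONSE = 0x20         # IKEv2 flags byte: 0x08 initiator, 0x10 version, 0x20 response


@dataclass
class IkeHeader:
    version: int                 # IKE major version, 1 or 2
    exchange: str
    initiator_spi: bytes
    nat_t: bool                  # carried on UDP 4500 behind the non-ESP marker
    is_response: Optional[bool]  # only IKEv2 carries a response flag; None for IKEv1


def parse_ike(udp_port: int, payload: bytes) -> Optional[IkeHeader]:
    """Return the parsed IKE header, or None if the datagram is not IKE."""
    data, nat_t = payload, False
    if udp_port == 4500:
        if not data.startswith(NON_ESP_MARKER):
            return None          # UDP-encapsulated ESP: the first 4 bytes are a non-zero ESP SPI
        data, nat_t = data[4:], True
    elif udp_port != 500:
        return None
    if len(data) < ISAKMP_HEADER_LEN:
        return None              # truncated: not even a full header
    ispi, _rspi, _next, ver, exch, flags, _msg_id, length = struct.unpack(
        ISAKMP_HEADER_FMT, data[:ISAKMP_HEADER_LEN])
    if length != len(data):
        return None              # header length must match the datagram; drop inconsistent input
    major = ver >> 4             # high nibble is the major version
    if major == 1:
        return IkeHeader(1, IKEV1_EXCHANGES.get(exch, f"unknown({exch})"), ispi, nat_t, None)
    if major == 2:
        return IkeHeader(2, IKEV2_EXCHANGES.get(exch, f"unknown({exch})"), ispi, nat_t,
                         bool(flags & IKEV2_FLAG_RESPONSE))
    return None


def summarize_negotiation(packets: List[Tuple[int, bytes]]) -> Dict[str, object]:
    """List IKE versions in first-seen order and flag an IKEv2-then-IKEv1 fallback."""
    versions: List[int] = []
    exchanges: List[str] = []
    for port, payload in packets:
        hdr = parse_ike(port, payload)
        if hdr is None:
            continue
        if hdr.version not in versions:
            versions.append(hdr.version)
        exchanges.append(f"IKEv{hdr.version} {hdr.exchange}")
    return {"versions": versions, "exchanges": exchanges,
            "fell_back_to_ikev1": versions[:2] == [2, 1]}


def _hdr(ispi: bytes, rspi: bytes, next_payload: int, version: int, exch: int,
         flags: int, msg_id: int, body: bytes = b"") -> bytes:
    """Build a header with a correct length field (test data helper, constructed)."""
    return struct.pack(ISAKMP_HEADER_FMT, ispi, rspi, next_payload, version, exch,
                       flags, msg_id, ISAKMP_HEADER_LEN + len(body)) + body


# Constructed sample datagrams; SPIs and bodies are placeholders, not captured traffic.
IKEV2_SA_INIT_REQ = _hdr(b"\x11" * 8, b"\x00" * 8, 33, 0x20, 34, 0x08, 0)      # v2.0, initiator flag
IKEV1_MAIN_MODE = _hdr(b"\x22" * 8, b"\x00" * 8, 1, 0x10, 2, 0x00, 0)           # v1.0, Main Mode
IKEV1_QUICK_NAT_T = NON_ESP_MARKER + _hdr(b"\x22" * 8, b"\x33" * 8, 8, 0x10, 32, 0x01, 0xABCD,
                                          b"\xaa" * 16)                          # v1.0, Quick Mode on 4500
ESP_IN_UDP = b"\x00\x00\x12\x34" + b"\x00\x00\x00\x01" + b"\x99" * 24            # ESP SPI 0x1234, seq 1

SAMPLE_PACKETS = [(500, IKEV2_SA_INIT_REQ), (500, IKEV1_MAIN_MODE),
                  (4500, IKEV1_QUICK_NAT_T), (4500, ESP_IN_UDP)]

if __name__ == "__main__":
    for port, pkt in SAMPLE_PACKETS:
        print(port, parse_ike(port, pkt))
    print(summarize_negotiation(SAMPLE_PACKETS))
```

The length check matters when feeding real captures: a datagram whose header length does not match its size is either truncated by the capture or malformed, and is better dropped than misclassified. In a monitoring pipeline the `fell_back_to_ikev1` flag, keyed by initiator SPI or peer address, is the signal that a peer configured for both versions ended up on IKEv1.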