25-6
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Understanding IKE
When IKE negotiation begins, the peer that initiates the negotiation sends all of its policies to the remote
peer, and the remote peer searches for a match with its own policies, in priority order.
A match between IKE policies exists if they have the same encryption, hash (integrity and PRF for
IKEv2), authentication, and Diffie-Hellman values, and an SA lifetime less than or equal to the lifetime
in the policy sent. If the lifetimes are not identical, the shorter lifetime—from the remote peer
policy—applies. If no match exists, IKE refuses negotiation and the IKE SA is not established.
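The matching rule just described, worked through as an added example (not code from the guide or from Cisco Security Manager): the remote peer walks its own proposals in priority order, accepts the first one that a sent proposal matches on every algorithm value with a lifetime no longer than the one sent, and the shorter lifetime applies. Field names, the "lower number wins" priority convention and the sample proposals are assumptions constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Iterable, Optional

@dataclass(frozen=True)
class IkePolicy:
    # Field names are assumptions for this example; a lower priority number wins.
    priority: int
    encryption: str       # e.g. "des", "3des", "aes-256"
    integrity: str        # IKEv1 hash, or the IKEv2 integrity algorithm
    prf: Optional[str]    # IKEv2 pseudo-random function; None for IKEv1
    authentication: str   # e.g. "pre-share", "rsa-sig"
    dh_group: int         # Diffie-Hellman group number
    lifetime: int         # SA lifetime in seconds

def policies_match(sent: IkePolicy, local: IkePolicy) -> bool:
    """Identical algorithm values, and the remote (local) lifetime must be
    less than or equal to the lifetime in the policy that was sent."""
    return (sent.encryption == local.encryption
            and sent.integrity == local.integrity
            and sent.prf == local.prf
            and sent.authentication == local.authentication
            and sent.dh_group == local.dh_group
            and local.lifetime <= sent.lifetime)

def negotiate(sent_policies: Iterable[IkePolicy],
              local_policies: Iterable[IkePolicy]) -> Optional[IkePolicy]:
    """Act as the remote peer: search our own policies in priority order and
    take the first one that any sent policy matches; the shorter lifetime
    applies. None means no match, so the IKE SA is not established."""
    sent_sorted = sorted(sent_policies, key=lambda p: p.priority)
    for local in sorted(local_policies, key=lambda p: p.priority):
        for sent in sent_sorted:
            if policies_match(sent, local):
                return replace(local, lifetime=min(sent.lifetime, local.lifetime))
    return None

# Constructed sample proposals (not taken from the guide).
INITIATOR = [
    IkePolicy(10, "aes-256", "sha", None, "pre-share", 14, 86400),
    IkePolicy(20, "3des", "sha", None, "pre-share", 2, 86400),
]
RESPONDER = [
    IkePolicy(5, "3des", "sha", None, "pre-share", 2, 3600),        # shorter lifetime
    IkePolicy(10, "aes-256", "sha", None, "pre-share", 14, 86400),
]
RESPONDER_TOO_LONG = [
    IkePolicy(5, "aes-256", "sha", None, "pre-share", 14, 172800),  # longer than sent
]

if __name__ == "__main__":
    print(negotiate(INITIATOR, RESPONDER))           # 3des policy, lifetime 3600
    print(negotiate(INITIATOR, RESPONDER_TOO_LONG))  # None
```

Note that the responder's priority order, not the initiator's, decides which matching proposal wins, which is why 3DES is selected even though the initiator listed AES-256 first.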
The following topics explain how to configure IKE proposals:
Configuring an IKE Proposal, page 25-9
Configuring IKEv1 Proposal Policy Objects, page 25-10
Configuring IKEv2 Proposal Policy Objects, page 25-13
Configuring the IKE Proposal for GET VPN, page 28-15
Deciding Which Encryption Algorithm to Use
When deciding which encryption and hash algorithms to use for the IKE proposal, your choice is limited
to algorithms that are supported by the devices in the VPN.
You can choose from the following encryption algorithms:
DES (Data Encryption Standard) is a symmetric secret-key block algorithm. It is faster than 3DES
and uses fewer system resources, but it is also less secure. If you do not need strong data
confidentiality, and if system resources or speed are a concern, you should choose DES.
3DES (Triple DES) is more secure because it processes each block of data three times, each time
with a different key. However, it uses more system resources and is slower than DES. 3DES is the
recommended encryption algorithm, assuming that the devices support it.
AES (Advanced Encryption Standard) provides greater security than DES and is computationally
more efficient than 3DES. AES offers three different key strengths: 128-, 192- and 256-bit keys. A
longer key provides higher security but a reduction in performance. When you configure IKE on a
router, the router must use Cisco IOS Software 12.3T or later to use AES.
Note AES cannot be used in conjunction with a hardware encryption card.
Related Topics
Understanding IKE, page 25-5
Configuring an IKE Proposal, page 25-9
Deciding Which Hash Algorithm to Use
You can choose from the following hash algorithms. In IKEv2, the hash algorithm is separated into two
options, one for the integrity algorithm, and one for the pseudo-random function (PRF).
SHA (Secure Hash Algorithm) is more resistant to brute-force attacks than MD5. However, it is also
more resource intensive than MD5. For implementations that require the highest level of security,
use the SHA hash algorithm.
Standard SHA produces a 160-bit digest.