25-10
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Understanding IKE
• (Policy view) Select Site-to-Site VPN > IKE Proposal from the Policy Types selector. Select an existing shared policy or create a new one.

Step 2 In each of the IKEv1 Proposals and IKEv2 Proposals fields, click Select to choose the policy objects that define the settings for an IKE version 1 or version 2 proposal. Configure proposals only for those IKE versions supported in the VPN.

• To select an IKE proposal for site-to-site VPNs, simply highlight it in the available proposals list. For remote access IPsec VPNs, highlight the desired objects in the available proposals list and click >> to move them to the selected proposals list.
• To remove an IKE proposal for remote access IPsec VPNs, highlight it in the selected proposals list and click << to move it to the available proposals list.
• To create a new IKE proposal, click the Create (+) button beneath the available proposals list. The Add IKEv1 or IKEv2 Proposal dialog box opens. For instructions on creating the object, see the following topics:
    • Configuring IKEv1 Proposal Policy Objects, page 25-10
    • Configuring IKEv2 Proposal Policy Objects, page 25-13
• To edit an object, or to view its settings, select it and click the Edit (pencil) button beneath the list.

Configuring IKEv1 Proposal Policy Objects
Use the IKEv1 Proposal dialog box to create, copy, and edit an IKEv1 proposal object.
Internet Key Exchange (IKE) version 1 proposal objects contain the parameters required for IKEv1
proposals when defining remote access and site-to-site VPN policies. IKE is a key management protocol
that facilitates the management of IPsec-based communications. It is used to authenticate IPsec peers,
negotiate and distribute IPsec encryption keys, and automatically establish IPsec security associations
(SAs).
The IKE negotiation comprises two phases. Phase 1 negotiates a security association between two IKE
peers, which enables the peers to communicate securely in Phase 2. During Phase 2 negotiation, IKE
establishes security associations (SAs) for other applications, such as IPsec. Both phases use proposals
when they negotiate a connection. For more information about IKE proposals, see the following topics:
• Overview of IKE and IPsec Configurations, page 25-2
• Comparing IKE Version 1 and 2, page 25-4
• Understanding IKE, page 25-5
• Deciding Which Encryption Algorithm to Use, page 25-6
• Deciding Which Hash Algorithm to Use, page 25-6
• Deciding Which Diffie-Hellman Modulus Group to Use, page 25-7
• Deciding Which Authentication Method to Use, page 25-8
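
The use of proposals in Phase 1 negotiation described above, as an added example that is not part of the Cisco guide: a simplified Python model in which the initiator offers all of its proposals and the responder walks its own list in priority order, accepting the first whose encryption, hash, Diffie-Hellman group, and authentication method all match. The `Proposal` class, the priority field, the `LEGACY` policy, and every sample value are assumptions constructed for illustration; the model shows how a legacy proposal kept on one peer decides what an older peer ends up negotiating.

```python
from dataclasses import dataclass

# Assumed local policy for what counts as legacy; adjust to your own standard.
LEGACY = {"encryption": {"des", "3des"}, "hash_alg": {"md5"}, "dh_group": {1, 2, 5}}

@dataclass(frozen=True)
class Proposal:
    priority: int      # 1 is evaluated first
    encryption: str
    hash_alg: str
    dh_group: int
    auth: str

    def params(self):
        # The four values that must be identical on both peers for a match.
        return (self.encryption, self.hash_alg, self.dh_group, self.auth)

def negotiate(initiator, responder):
    """Return the responder proposal chosen for Phase 1, or None.

    Simplified model: the initiator offers all of its proposals and the
    responder walks its own list in priority order until one matches.
    """
    offered = {p.params() for p in initiator}
    for candidate in sorted(responder, key=lambda p: p.priority):
        if candidate.params() in offered:
            return candidate
    return None

def legacy_fields(proposal):
    """Names of the fields whose value is on the LEGACY list."""
    return [f for f, bad in LEGACY.items() if getattr(proposal, f) in bad]

# Constructed sample objects (not taken from any real deployment).
HUB = [Proposal(1, "aes-256", "sha", 14, "preshared-key"),
       Proposal(2, "3des", "md5", 2, "preshared-key")]   # kept for old spokes
SPOKE_NEW = [Proposal(1, "aes-256", "sha", 14, "preshared-key")]
SPOKE_OLD = [Proposal(1, "3des", "md5", 2, "preshared-key")]
SPOKE_CERT = [Proposal(1, "aes-256", "sha", 14, "certificate")]

if __name__ == "__main__":
    for name, spoke in [("new", SPOKE_NEW), ("old", SPOKE_OLD), ("cert", SPOKE_CERT)]:
        chosen = negotiate(spoke, HUB)
        if chosen is None:
            print(f"{name}: no common proposal, Phase 1 fails")
        else:
            print(f"{name}: {chosen.params()} legacy={legacy_fields(chosen)}")
```

Running the same check over the proposal objects assigned to each peer before deployment shows which tunnels would come up on a legacy proposal and which would fail for lack of a common one.
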
Navigation Path
Select Manage > Policy Objects, then select IKE Proposals > IKEv1 Proposals from the Object Type
Selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit
Object.