25-13
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter25 Configuring IKE and IPsec Policies
Understanding IKE
Configuring IKEv2 Proposal Policy Objects
Use the IKEv2 Proposal dialog box to create, copy, and edit an IKEv2 proposal object. You can use
IKEv2 proposals with ASA Software release 8.4(1)+ only.
Internet Key Exchange (IKE) version 2 proposal objects contain the parameters required for IKEv2
proposals when defining remote access and site-to-site VPN policies. IKE is a key management protocol
that facilitates the management of IPsec-based communications. It is used to authenticate IPsec peers,
negotiate and distribute IPsec encryption keys, and automatically establish IPsec security associations
(SAs).
The IKE negotiation comprises two phases. Phase 1 negotiates a security association between two IKE
peers, which enables the peers to communicate securely in Phase 2. During Phase 2 negotiation, IKE
establishes security associations (SAs) for other applications, such as IPsec. Both phases use proposals
when they negotiate a connection. Unlike IKEv1, in an IKEv2 proposal, you can select multiple
algorithms and modulus groups from which peers can choose during the Phase 1 negotiation. For more
information about IKE proposals, see the following topics:
Overview of IKE and IPsec Configurations, page25-2
Comparing IKE Version 1 and 2, page 25-4
Understanding IKE, page 25-5
Deciding Which Encryption Algorithm to Use, page 25-6
Deciding Which Hash Algorithm to Use, page 25-6
Deciding Which Diffie-Hellman Modulus Group to Use, page25-7
Authentication Method The method of authentication to use between the two peers. For
information on how this selection determines which other policies you
must configure, see Deciding Which Authentication Method to Use,
page 25-8. Select one of the following:
Preshared Key—Preshared keys allow for a secret key to be shared
between two peers and to be used by IKE during the authentication
phase. If one of the participating peers is not configured with the
same preshared key, the IKE SA cannot be established.
Certificate—An authentication method in which RSA key pairs are
used to sign and encrypt IKE key management messages. This
method provides non-repudiation of communication between two
peers, meaning that it can be proved that the communication
actually took place. When you use this authentication method, the
peers are configured to obtain digital certificates from a
Certification Authority (CA).
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-12.
Table25-1 IKEv1 Proposal Dialog Box (Continued)
Element Description