25-30
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Configuring VPN Global Settings
(Device View) Select Remote Access VPN > Global Settings from the Policy selector.
(Policy View) Select Remote Access VPN > Global Settings from the Policy Type selector.
Select an existing policy or create a new one.
For site-to-site VPNs, do one of the following:
Open the Site-to-Site VPN Manager Window, page 24-18, select a topology in the VPNs
selector, then select VPN Global Settings in the Policies selector.
(Policy View) Select Site-to-Site VPN > VPN Global Settings from the Policy Types selector.
Select an existing shared policy or create a new one.
Step 2 Select the desired tab and configure the settings as needed:
ISAKMP/IPsec Settings—To configure global settings for IKE and IPsec. For detailed information
about the options, see Configuring VPN Global ISAKMP/IPsec Settings, page 25-30.
IKEv2 Settings—To configure global settings for IKE version 2 negotiations. For detailed
information about the options, see Configuring VPN Global IKEv2 Settings, page 25-34.
NAT Settings—To configure NAT behavior. For detailed information about the options, see
Configuring VPN Global NAT Settings, page 25-38. Also see Understanding NAT in VPNs,
page 25-37.
General Settings—To configure fragmentation behavior and some other miscellaneous options. For
detailed information about the options, see Configuring VPN Global General Settings, page 25-40.
Configuring VPN Global ISAKMP/IPsec Settings
Use the ISAKMP/IPsec Settings tab of the VPN Global Settings page to specify global settings for
Internet Key Exchange (IKE) and IPsec.
The Internet Key Exchange (IKE) protocol, which runs on the Internet Security Association and Key
Management Protocol (ISAKMP) framework (Cisco configuration uses the two names interchangeably), is
the negotiation protocol that lets two peers agree on how to build an IPsec security association. Each
IKEv1 negotiation is divided into a Phase 1 and a Phase 2. Phase 1 authenticates the peers and creates
the IKE (ISAKMP) security association, which protects the remaining negotiation messages. Phase 2
negotiates the IPsec security associations that protect the data traffic itself.
To set terms for ISAKMP negotiations, you create an IKE proposal. For more information, see
Configuring an IKE Proposal, page 25-9.
About IKE Keepalive
With IKE keepalive, tunnel peers exchange messages that demonstrate they are available to send and
receive data in the tunnel. Keepalive messages are transmitted at a set interval; if the expected
responses stop arriving for the configured number of retries, the peer is declared dead, the tunnel is
torn down, and, if a backup peer is configured, a new tunnel is built to the backup device.
Devices that rely on IKE keepalive for resiliency transmit their keepalive messages regardless of whether
they are exchanging other information. These keepalive messages can therefore create a small but
additional demand on your network.
A variation on IKE keepalive called dead-peer detection (DPD) sends keepalive messages between peer
devices only when no inbound traffic has been received from the peer for the keepalive interval and
there is outbound traffic to send (on-demand DPD). If you want DPD messages sent whenever no inbound
traffic is received, regardless of whether there is any outbound traffic, select the Periodic option.
Periodic DPD notices a dead peer sooner at the cost of constant probe traffic; on-demand DPD is quieter
but only detects a dead peer when the device actually has traffic to send through the tunnel.
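The Phase 1 and Phase 2 settings described under Configuring VPN Global ISAKMP/IPsec Settings and the
keepalive options described under About IKE Keepalive correspond to a handful of device commands. The
following is an added example in Cisco IOS CLI; it is not text from this guide and not configuration
generated by Security Manager. The policy number, names, pre-shared key and the 203.0.113.0/24 and
10.x.0.0/16 addresses are placeholders.

```cisco
! Added example (not from the guide): IOS IKEv1/IPsec configuration showing
! how the Phase 1, Phase 2 and keepalive settings on the ISAKMP/IPsec tab
! land on a device. All names, keys and addresses below are placeholders.
!
! Phase 1 (IKE SA): this is the IKE proposal. Both peers must offer matching
! terms here; the resulting SA protects every later negotiation message.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key EXAMPLE-PSK-REPLACE-ME address 203.0.113.2
!
! IKE keepalive / dead-peer detection (a global setting).
! Syntax: crypto isakmp keepalive <interval-seconds> [<retry-seconds>] [periodic | on-demand]
! Only one keepalive line is active; entering a second one replaces the first.
!
! On-demand (the default if no mode is given): a DPD query is sent only when
! the router has traffic to send and has heard nothing from the peer for
! 10 seconds; it is retried every 3 seconds until the peer answers or is
! declared dead.
!   crypto isakmp keepalive 10 3 on-demand
!
! Periodic (the Periodic option on the ISAKMP/IPsec Settings tab): probe
! every 10 seconds whenever the peer is silent, regardless of outbound
! traffic. Detects a dead peer sooner, at the cost of constant probe traffic.
crypto isakmp keepalive 10 3 periodic
!
! The IKEv2 counterpart (configured from the IKEv2 Settings tab) is:
!   crypto ikev2 dpd 10 3 periodic
!
! Phase 2 (IPsec SA): the transform set that protects the data traffic.
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Tie the peer, the transform set and the protected traffic together.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA256
 match address VPN-TRAFFIC
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPNMAP
```

After deployment, `show crypto isakmp sa` shows the Phase 1 SA state and `show crypto session` shows
whether the IPsec SAs are up; if the peer is unplugged, a periodic DPD configuration takes the session
down within roughly interval plus retries times retry-interval, while an on-demand configuration leaves
it up until the router next has traffic to send.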