25-62
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Configuring IKEv2 Authentication in Site-to-Site VPNs

PKI Enrollment Dialog Box—Trusted CA Hierarchy Tab

Use the Trusted CA Hierarchy tab of the PKI Enrollment dialog box to define the trusted CA servers within a hierarchical PKI framework. Within this framework, all enrolled peers can validate each other's certificates if they share a trusted root CA certificate or a common subordinate CA.
Select the CA servers (defined as PKI enrollment objects) to include in the hierarchy in the Available Servers list and click >> to move them to the selected list. Do the reverse to remove servers. If the PKI enrollment object you need is not yet defined, click the Create (+) button beneath the Available Servers list to create the object. You can also select an object and click the Edit button to change its definition, if needed.
Navigation Path
Go to the PKI Enrollment dialog box and click the Trusted CA Hierarchy tab. For information on opening the dialog box, see PKI Enrollment Dialog Box, page 25-54.
Related Topics
PKI Enrollment Dialog Box—CA Information Tab, page 25-55
PKI Enrollment Dialog Box—Enrollment Parameters Tab, page 25-59
PKI Enrollment Dialog Box—Certificate Subject Name Tab, page 25-61
Configuring IKEv2 Authentication in Site-to-Site VPNs
When you configure IKE version 2 (IKEv2) in a site-to-site VPN, you must configure the IKEv2 Authentication policy to define authentication settings. Unlike IKEv1, authentication settings are not part of the IKEv2 proposal.
In Security Manager, when you configure IKEv2 authentication for a site-to-site VPN, you configure default settings that will be used in the VPN topology. You can then configure exceptions to the default, specifying different preshared keys or trustpoints for specific segments of the VPN. You can use a mixture of preshared keys and trustpoints, for example, configuring a global preshared key but trustpoints for selected members of the VPN.
IKEv2 allows you to use asymmetric authentication, unlike IKEv1. This means that two peers can have different preshared keys, different trustpoints, or one peer could use a preshared key and the other peer could use a trustpoint. In Security Manager, you can configure asymmetric authentication by doing any of the following:
• On the Global IKEv2 Authentication Settings tab, you can configure different preshared keys if you elect to auto-generate keys and do not select the Same Keys for All Tunnels or the Same Key at Tunnel Endpoints option. A different preshared key is generated for each end of each tunnel.
• On the Override IKEv2 Authentication Settings tab, you can create overrides for the global settings. You add overrides that specify different keys or trustpoints for subsets of local and remote peers. Because you can create more than one override for a device or a specific tunnel, you can configure a set of preshared keys and trustpoints with which the peers authenticate.
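As an added illustration that is not part of this guide or of Security Manager's generated output, the following shows what the asymmetric combinations described above look like as IKEv2 configuration on a Cisco IOS router: one peer is authenticated with a local preshared key while the remote side presents a certificate, and another peer uses a different preshared key at each end of the tunnel. Hostnames, addresses, the trustpoint name and the key placeholders are assumed.

```cisco
! Assumed names and addresses (constructed for this example).
! This router, SITE-A (192.0.2.1), authenticates itself to SITE-B (203.0.113.2)
! with a preshared key, while SITE-B authenticates with an RSA certificate
! validated against trustpoint CA-TP. A second peer, SITE-C, uses a distinct
! key in each direction, matching the "different key at each tunnel endpoint" case.
crypto ikev2 keyring IKEV2-KEYS
 peer SITE-B
  address 203.0.113.2
  pre-shared-key local <key-site-a-sends-to-b>
 peer SITE-C
  address 198.51.100.7
  pre-shared-key local <key-site-a-sends-to-c>
  pre-shared-key remote <key-site-c-sends-to-a>
!
! Profile for SITE-B: preshared key for the local side, certificate from the peer.
crypto ikev2 profile PROFILE-SITE-B
 match identity remote address 203.0.113.2 255.255.255.255
 identity local address 192.0.2.1
 authentication local pre-share
 authentication remote rsa-sig
 pki trustpoint CA-TP
 keyring local IKEV2-KEYS
!
! Profile for SITE-C: preshared keys in both directions, different at each end.
crypto ikev2 profile PROFILE-SITE-C
 match identity remote address 198.51.100.7 255.255.255.255
 identity local address 192.0.2.1
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEV2-KEYS
```

Each remote peer must carry the mirror-image settings (its own local key equal to this router's remote key for that peer, and rsa-sig where this router expects a certificate), otherwise IKE_AUTH fails.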
Table 25-13 PKI Enrollment Dialog Box—Certificate Subject Name Tab (Continued)
Element | Description
Email (E) | The email address to include in the certificate.