User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 28 Group Encrypted Transport (GET) VPNs
This command prints the public and private keys to the terminal, where you can copy them to
the clipboard for import into the other key servers. The keys are demarcated by ----BEGIN/END
PUBLIC KEY---- and ----BEGIN/END RSA PRIVATE KEY----. Note that you can also export to
a URL; see the Cisco IOS Security Command Reference on Cisco.com for detailed usage
information.
3. Import the key into each of the other key servers using the following command:
crypto key import rsa rekeyrsa pem exportable terminal passphrase
When copying and pasting the keys, include the begin/end lines.
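A pre-import check for the pasted key text, added here as an example and not part of the Cisco guide: it confirms that both PEM blocks carry their begin and end lines and that the private key block is passphrase-encrypted. It assumes the standard five-hyphen PEM delimiters and the traditional `Proc-Type: 4,ENCRYPTED` header on an encrypted private key; the function name and the sample text are constructed for illustration.

```python
import re

# One PEM block; the backreference requires matching BEGIN and END labels.
PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z ]+)-----[ \t]*\r?\n(.*?)\r?\n-----END \1-----[ \t]*$",
    re.DOTALL | re.MULTILINE,
)
BASE64_LINE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
REQUIRED = ("PUBLIC KEY", "RSA PRIVATE KEY")

# Constructed sample: placeholder base64 and IV, not real key material.
SAMPLE = """\
-----BEGIN PUBLIC KEY-----
Q09OU1RSVUNURUQtUFVCTElDLUtFWQ==
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

Q09OU1RSVUNURUQtUFJJVkFURS1LRVk=
-----END RSA PRIVATE KEY-----
"""


def check_pasted_keys(text):
    """Return a list of problems in pasted key text; an empty list means OK."""
    problems = []
    blocks = {m.group(1): m.group(2) for m in PEM_BLOCK.finditer(text)}
    for label in REQUIRED:
        if label not in blocks:
            problems.append(f"{label}: begin/end lines missing or unmatched")
    for label, body in blocks.items():
        lines = [line.strip() for line in body.splitlines()]
        # Assumption: encryption headers, if any, sit above the first blank line.
        headers = []
        if lines and ":" in lines[0] and "" in lines:
            headers = lines[: lines.index("")]
        payload = [line for line in lines[len(headers):] if line]
        if label == "RSA PRIVATE KEY" and "Proc-Type: 4,ENCRYPTED" not in headers:
            problems.append(f"{label}: not passphrase-encrypted")
        if not payload or not all(BASE64_LINE.fullmatch(p) for p in payload):
            problems.append(f"{label}: body is empty or not base64")
    return problems


if __name__ == "__main__":
    for problem in check_pasted_keys(SAMPLE) or ["pasted keys look complete"]:
        print(problem)
```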
Configuring the IKE Proposal for GET VPN
Use the IKE Proposal for GET VPN page to define the IKE proposal to be used by the GET VPN
topology. The IKE proposal is configured on the key servers and the group members.
These settings are for the ISAKMP security association (SA). If you are using a single key server, the
ISAKMP SA is not used after initial group member registration. If you are using more than one key
server (cooperative key servers), the ISAKMP SA is needed for communications among the key servers.
To open the IKE Proposal for GET VPN page:
• (Site-to-Site VPN Manager Window) Select an existing GET VPN topology and then select IKE
Proposal for GET VPN in the Policies selector.
• (Policy view) Select Site-to-Site VPN > IKE Proposal for GET VPN, and then select an existing
policy or create a new one.
The following table explains the settings you can configure in this policy.
Table 28-1 IKE Proposal for GET VPN Policy
Element: IKE Proposal
Description: The IKE proposal policy object that defines the settings you want to
use. There are several predefined objects that you might be able to use
as is.
Click Select to open the list of existing IKE proposal objects. The
object you select needs to use the same authorization method you are
configuring for the group (for example, an object name with the prefix
preshared when using preshared keys, or with the prefix cert when
using Public Key Infrastructure (PKI) certificates).
When you select an object and click OK, the settings defined in the
object are displayed in the IKE Proposal Settings display fields. You
can also see the settings by editing them in the selection list. If you do
not find an appropriate pre-existing object, click the Add (+) button in
the selection list and create a new object (see Configuring IKEv1
Proposal Policy Objects, page 25-10 for more information and detailed
descriptions of the options).