Contents
xxiv
User Guide for Cisco Security Manager 4.4
OL-28826-01
CHAPTER 25 Configuring IKE and IPsec Policies 25-1
Overview of IKE and IPsec Configurations 25-2
Comparing IKE Version 1 and 2 25-4
Understanding IKE 25-5
Deciding Which Encryption Algorithm to Use 25-6
Deciding Which Hash Algorithm to Use 25-6
Deciding Which Diffie-Hellman Modulus Group to Use 25-7
Deciding Which Authentication Method to Use 25-8
Configuring an IKE Proposal 25-9
Configuring IKEv1 Proposal Policy Objects 25-10
Configuring IKEv2 Proposal Policy Objects 25-13
Understanding IPsec Proposals 25-17
Understanding IPsec Proposals for Site-to-Site VPNs 25-18
Understanding Crypto Maps 25-18
Understanding Transform Sets 25-19
Understanding Reverse Route Injection 25-20
Configuring IPsec Proposals in Site-to-Site VPNs 25-21
Selecting the IKE Version for Devices in Site-to-Site VPNs 25-25
Configuring IPSec IKEv1 or IKEv2 Transform Set Policy Objects 25-25
Configuring VPN Global Settings 25-29
Configuring VPN Global ISAKMP/IPsec Settings 25-30
Configuring VPN Global IKEv2 Settings 25-34
Understanding NAT in VPNs 25-37
Configuring VPN Global NAT Settings 25-38
Configuring VPN Global General Settings 25-40
Understanding IKEv1 Preshared Key Policies in Site-to-Site VPNs 25-43
Configuring IKEv1 Preshared Key Policies 25-44
Understanding Public Key Infrastructure Policies 25-47
Requirements for Successful PKI Enrollment 25-48
Configuring IKEv1 Public Key Infrastructure Policies in Site-to-Site VPNs 25-50
Defining Multiple IKEv1 CA Servers for Site-to-Site VPNs 25-51
Configuring Public Key Infrastructure Policies for Remote Access VPNs 25-52
PKI Enrollment Dialog Box 25-54
PKI Enrollment Dialog Box—CA Information Tab 25-55
PKI Enrollment Dialog Box—Enrollment Parameters Tab 25-59
PKI Enrollment Dialog Box—Certificate Subject Name Tab 25-61
PKI Enrollment Dialog Box—Trusted CA Hierarchy Tab 25-62
Configuring IKEv2 Authentication in Site-to-Site VPNs 25-62
IKEv2 Authentication Policy 25-64