32-4
Cisco ASDM User Guide
OL-16647-01
Chapter 32 VPN
VPN Wizard
When two peers want to communicate, they exchange certificates and digitally sign data to
authenticate each other. When you add a new peer to the network, it enrolls with a CA, and none
of the other peers require additional configuration.
Certificate Signing Algorithm—Displays the algorithm for signing digital certificates, rsa-sig
for RSA.
Certificate Name—Select the name that identifies the certificate the security appliance sends to
the remote peer. This list displays trustpoints with a certificate of the type previously selected
in the certificate signing algorithm list.
Challenge/response authentication (CRACK)—Provides strong mutual authentication when the
client authenticates using a popular method such as RADIUS and the server uses public key
authentication. The security appliance supports CRACK as an IKE option in order to
authenticate the Nokia VPN Client on Nokia 92xx Communicator Series devices.
Tunnel Group Name—Type a name to create the record that contains tunnel connection policies for
this IPsec connection. A connection policy can specify authentication, authorization, and accounting
servers, a default group policy, and IKE attributes. A policy that you configure with this VPN wizard
specifies an authentication method, and uses the security appliance Default Group Policy.
By default, ASDM populates this box with the value of the Peer IP address. You can change this
name. Maximum 64 characters.
Modes
The following table shows the modes in which this feature is available:

Firewall Mode              Security Context
Routed    Transparent      Single    Multiple Context    System
——

IKE Policy
IKE, also called Internet Security Association and Key Management Protocol (ISAKMP), is the negotiation protocol that lets two hosts agree on how to build an IPsec Security Association. Each IKE negotiation is divided into two sections, called Phase 1 and Phase 2.
Phase 1 creates the first tunnel, which protects later IKE negotiation messages.
Phase 2 creates the tunnel that protects data.
Use the IKE Policy panel to set the terms of the Phase 1 IKE negotiations, which include the following:
An encryption method to protect the data and ensure privacy.
An authentication method to ensure the identity of the peers.
A Diffie-Hellman group to establish the strength of the encryption-key-determination algorithm. The security appliance uses this algorithm to derive the encryption and hash keys.
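As an added illustration (not from the Cisco guide), the following ASA 8.x CLI fragment shows the configuration that the wizard's Phase 1 choices correspond to: the rsa-sig signing algorithm, the trustpoint selected under Certificate Name, and a tunnel group named after the peer IP address. The peer address 192.0.2.10 and the trustpoint name CA_TRUSTPOINT are assumed placeholders, and the trustpoint is assumed to already hold an identity certificate from the CA.

```text
! Added example, not the guide's own text. Placeholders: 192.0.2.10, CA_TRUSTPOINT.
!
! Weak Phase 1 policy shown only as the "before" to replace: DES, MD5 and
! DH group 1 make the key-determination step easy to break. Do not keep it.
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
!
! Hardened Phase 1 policy. Lower priority number, so it is offered first.
! Each line maps to one field of the IKE Policy panel:
!   authentication rsa-sig   -> Certificate Signing Algorithm
!   encryption aes-256       -> encryption method
!   hash sha                 -> peer/message authentication hash
!   group 5                  -> Diffie-Hellman group (1536-bit MODP)
!   lifetime 86400           -> Phase 1 SA lifetime in seconds
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
! Enable IKE on the interface facing the remote peer.
crypto isakmp enable outside
!
! Tunnel group named after the peer IP, as the wizard does by default.
! trust-point is the "Certificate Name": the certificate the appliance
! presents to the remote peer during Phase 1.
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 trust-point CA_TRUSTPOINT
!
! Verification: once the peers have authenticated, the Phase 1 SA should
! show state MM_ACTIVE (main mode) for 192.0.2.10.
show crypto isakmp sa
```

Remove policy 20 after confirming the peer negotiates policy 10, so that a downgrade to the weak proposal is never possible.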