13 Policy Management
13-26 VPN 3000 Concentrator Series User Guide
IKE Parameters
These parameters govern IKE SAs, which are Phase 1 SAs negotiated under IPSec, where the two parties
establish a secure tunnel within which they then negotiate the IPSec SAs. In this IKE SA they exchange
automated key management information under the IKE (Internet Key Exchange) protocol (formerly
called ISAKMP/Oakley).
All these parameters (except IKE Peer) must be configured the same on both parties; the IKE Peer entries
must mirror each other. If you create multiple IPSec SAs for use between two IKE peers, the IKE SA
parameters must be the same on all SAs.
For best performance and interoperability, we strongly recommend that you use the default parameters
where appropriate.
IKE Peer
This parameter applies only to IPSec LAN-to-LAN configurations. It is ignored for IPSec client-to-LAN
configurations.
Enter the IP address of the remote peer VPN Concentrator. Use dotted decimal notation. This must be
the IP address of the public interface on the peer VPN Concentrator.
This IP address must also match the Peer IP Address on the Configuration | System | Tunneling Protocols |
IPSec LAN-to-LAN | Add or Modify screen. It must also match the Group Name for the LAN-to-LAN
connection. When you configure the connection on the Configuration | System | Tunneling Protocols | IPSec
LAN-to-LAN | Add screen, the Manager automatically creates a group with the Peer IP address as the Group
Name. See Configuration | User Management for information on groups.
When you configure this parameter on the remote peer, enter the IP address of this VPN Concentrator;
i.e., the entries must mirror each other.
Negotiation Mode
This parameter sets the mode for exchanging key information and setting up the SAs. It sets the mode
that the initiator of the negotiation uses; the responder auto-negotiates.
Click the drop-down menu button and select the mode:
Aggressive = A faster mode using fewer packets and fewer exchanges, but which does not protect the
identity of the communicating parties.
Main = A slower mode using more packets and more exchanges, but which protects the identities of
the communicating parties. This mode is more secure and it is the default selection.
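The consistency rules stated above (IKE Peer entries mirror each other, every other IKE parameter identical on both parties, Main mode preferred because Aggressive mode exposes identities) can be checked before both Concentrators are configured. The following checker is an added example and is not code from the user guide or from the VPN 3000 product; the IkeParams field names, the two documentation-range addresses, and the values of the constructed sample pair are assumptions.

```python
# Added example, not from the Cisco VPN 3000 User Guide: checks a LAN-to-LAN
# pair of IKE parameter sets against the rules described in the guide.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IkeParams:
    public_ip: str            # address of this Concentrator's public interface
    ike_peer: str             # IKE Peer: public address of the remote Concentrator
    negotiation_mode: str     # "Main" or "Aggressive"
    digital_certificate: str  # "None (Use Preshared Keys)" or an installed certificate name


def _dotted_decimal(addr: str) -> bool:
    """True if addr is a valid IPv4 address in dotted decimal notation."""
    try:
        ipaddress.IPv4Address(addr)
        return True
    except ValueError:
        return False


def check_ike_pair(local: IkeParams, remote: IkeParams) -> list:
    """Return findings for a LAN-to-LAN pair; an empty list means the pair is consistent."""
    findings = []
    # IKE Peer must be entered in dotted decimal notation on both sides.
    for name, p in (("local", local), ("remote", remote)):
        if not _dotted_decimal(p.ike_peer):
            findings.append(f"{name} IKE Peer {p.ike_peer!r} is not dotted decimal")
    # IKE Peer entries must mirror each other: each side names the other's public interface.
    if local.ike_peer != remote.public_ip:
        findings.append(f"local IKE Peer {local.ike_peer} does not match remote public IP {remote.public_ip}")
    if remote.ike_peer != local.public_ip:
        findings.append(f"remote IKE Peer {remote.ike_peer} does not match local public IP {local.public_ip}")
    # Every other IKE parameter must be configured identically on both parties.
    for field in ("negotiation_mode", "digital_certificate"):
        lv, rv = getattr(local, field), getattr(remote, field)
        if lv != rv:
            findings.append(f"{field} differs: local={lv!r} remote={rv!r}")
    # Aggressive mode is faster but does not protect the identities of the parties.
    if "Aggressive" in (local.negotiation_mode, remote.negotiation_mode):
        findings.append("Aggressive mode selected: peer identities are not protected")
    return findings


# Constructed sample pair (documentation addresses, preshared keys, Main mode).
SITE_A = IkeParams("192.0.2.1", "198.51.100.1", "Main", "None (Use Preshared Keys)")
SITE_B = IkeParams("198.51.100.1", "192.0.2.1", "Main", "None (Use Preshared Keys)")

if __name__ == "__main__":
    for line in check_ike_pair(SITE_A, SITE_B) or ["pair is consistent"]:
        print(line)
```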
Digital Certificate
This parameter specifies whether to use preshared keys or a PKI (Public Key Infrastructure) digital
identity certificate to authenticate the peer during Phase 1 IKE negotiations. See the discussion under
Administration | Certificate Management.
Click the drop-down menu button and select the option. The list shows any digital certificates that have
been installed, plus:
None (Use Preshared Keys) = Use preshared keys to authenticate the peer during Phase 1 IKE
negotiations. This is the default selection.