Configuration | Policy Management | Traffic Management | Security Associations | Add or Modify
VPN 3000 Concentrator Series User Guide
IKE Proposal
This parameter specifies the set of attributes that govern Phase 1 IPSec negotiations, which are known
as IKE proposals. See the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screen. When
the VPN Concentrator is acting as an IPSec initiator, this is the only IKE proposal it negotiates. As an
IPSec responder, the VPN Concentrator checks all active IKE proposals in priority order, to see if it can
find one that agrees with parameters in the initiator's proposed SA. You must configure, activate, and
prioritize IKE proposals before configuring Security Associations.
Click the drop-down menu button and select the IKE proposal. The list shows only active IKE proposals
in priority order. Cisco-supplied default active proposals are:
IKE-3DES-MD5 = Use preshared keys and MD5/HMAC-128 for authentication. Use 3DES-168
encryption. Use D-H Group 2 to generate SA keys. This selection is the most secure, and it is the
default selection.
IKE-3DES-MD5-DH1 = Use preshared keys and MD5/HMAC-128 for authentication. Use 3DES-168
encryption. Use D-H Group 1 to generate SA keys. This selection is compatible with the Cisco VPN
3000 Client.
IKE-DES-MD5 = Use preshared keys and MD5/HMAC-128 for authentication. Use DES-56
encryption. Use D-H Group 1 to generate SA keys. This selection is compatible with the Cisco VPN
3000 Client.
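Example (added here; not taken from this guide and not the VPN Concentrator's own code): a small Python model of the responder behavior described above, showing that the weakest active IKE proposal sets the floor for what a peer can negotiate. It assumes a match means agreement on the four attributes named in the list; the class, function names, and the peer offer are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IkeProposal:
    name: str          # local label only; never compared during negotiation
    auth: str
    integrity: str
    encryption: str    # "<cipher>-<key bits>", as written in the list above
    dh_group: int

    def attributes(self):
        return (self.auth, self.integrity, self.encryption, self.dh_group)

    def strength(self):
        # Rank by cipher key bits, then D-H group (Group 2 is stronger than Group 1).
        return (int(self.encryption.rsplit("-", 1)[1]), self.dh_group)


# The Cisco-supplied default active proposals, in the priority order listed above.
DEFAULT_ACTIVE = [
    IkeProposal("IKE-3DES-MD5", "preshared", "MD5/HMAC-128", "3DES-168", 2),
    IkeProposal("IKE-3DES-MD5-DH1", "preshared", "MD5/HMAC-128", "3DES-168", 1),
    IkeProposal("IKE-DES-MD5", "preshared", "MD5/HMAC-128", "DES-56", 1),
]


def respond(active: List[IkeProposal], offered: IkeProposal) -> Optional[IkeProposal]:
    """Responder role: check active proposals in priority order, first match wins."""
    for candidate in active:
        if candidate.attributes() == offered.attributes():
            return candidate
    return None  # no active proposal agrees, so Phase 1 fails


def negotiation_floor(active: List[IkeProposal]) -> IkeProposal:
    """Weakest proposal a peer can get accepted while this list is active."""
    return min(active, key=IkeProposal.strength)


# Constructed peer offer: an initiator that proposes only DES-56 with D-H Group 1.
PEER_OFFER = IkeProposal("peer-offer", "preshared", "MD5/HMAC-128", "DES-56", 1)

if __name__ == "__main__":
    print("defaults accept:", respond(DEFAULT_ACTIVE, PEER_OFFER))
    print("3DES/Group 2 only accepts:", respond(DEFAULT_ACTIVE[:1], PEER_OFFER))
    print("floor with defaults:", negotiation_floor(DEFAULT_ACTIVE).name)
```

With all three defaults active the responder accepts the DES-56 offer; with only IKE-3DES-MD5 active the same offer finds no match.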
Add or Apply / Cancel
To add this Security Association to the list of configured SAs, click Add. Or to apply your changes to
this Security Association, click Apply. On the Modify screen, any changes take effect as soon as you click
Apply. If this SA is being used by an active filter rule or group, changes may affect tunnel traffic. Both
actions include your entry in the active configuration. The Manager returns to the Configuration | Policy
Management | Traffic Management | Security Associations screen. Any new SA appears at the bottom of the
IPSec SAs list.
Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the
top of the Manager window.
To discard your entries, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic
Management | Security Associations screen, and the IPSec SAs list is unchanged.