Chapter 7 VPN
Click Cancel to return to the IPSec Configuration page without saving the changes.
IKE Proposal
Internet Key Exchange (IKE) is used to negotiate the keying material used by the IPSec VPN encryption and integrity algorithms. IKE uses UDP port number 500 and precedes the actual IPSec data flow. IKE is a
IKE Proposals are divided into two phases:
•The device negotiates Phase 1 of the IKE and establishes a shared, secure connection. Phase 1 uses Aggressive Mode or Main Mode for packet exchange. The default is Main Mode.
•In Phase 2, the device establishes keying material for the VPN. Phase 2 is much quicker than Phase 1, since it can rely on the checks established during Phase 1, without needing to
Phase 1 of the IKE negotiation requires authentication between the two devices to be connected over the VPN tunnel. When you configure the IKE proposal, you can select one of the following Authentication methods based on your network security requirements.
•IKE with
•IKE with
•IKE with X.509 Certificates (Main Mode)
•IKE with X.509 Certificates (Aggressive Mode)
•Manual Keying
Note To use the X.509 Certificate Authentication, you must first import matching X.509 CA Certificates and Local Certificates on the X family and the remote device (s). On the X family device, you can create certificates from the X.509 Certificates page (Authentication > X.509 Certificates).
On the X family device, you configure the IKE proposals with the authentication and encryption configuration (used for Phase 1 and Phase 2 IKE negotiation) required for the different types of remote devices that will connect via the VPN tunnel connection. Then, when you create the IPSec Security Association required for each remote device, you can select the IKE proposal to use for key exchange and specify the key information.
For additional information, see the following topics:
•“Manage IKE Proposals” on page 198
•“Configuring IKE Proposals” on page 200
Manage IKE Proposals
You can view, manage and configure IKE proposals from the IKE Proposals menu page (VPN > IKE Proposals) in the LSM.
198 X Family LSM User’s Guide V 2.5.1