The IKE policy details to enable the selected authentication method
need to be determined, and then configured. Having a detailed plan lessens the
chances of improper configuration. Some planning steps include the
following:
- Determine the key distribution method – Determine the key distribution
method based on the number and locations of IPSec peers. For small
site-to-site VPN networks, it may be best to distribute keys manually. For
larger networks, it may be necessary to use a CA server to support the
scalability of IPSec peers. Internet Security Association and Key Management
Protocol (ISAKMP) must be configured to support the selected key distribution
method.
- Determine the authentication method – Choose the authentication method
based on the key distribution method. Cisco IOS software supports three
methods for authenticating IPSec peers: pre-shared keys, RSA encrypted nonces,
and RSA signatures. This lesson focuses on using pre-shared keys.
- Identify IP addresses and host names of the IPSec peers – Determine the
details of all of the IPSec peers that will use ISAKMP and pre-shared keys for
establishing security associations (SAs). This information will be used to
configure IKE.
- Determine ISAKMP policies for peers – An ISAKMP policy defines a
combination or suite of security parameters to be used during the ISAKMP
negotiation. Each ISAKMP negotiation begins by each peer agreeing on a common,
or shared, ISAKMP policy. The ISAKMP policy suites must be determined in
advance of configuration. IKE must then be configured to support the policy
details that have been determined. Some ISAKMP policy details include:
  - Encryption algorithm
  - Hash algorithm
  - IKE SA lifetime
The goal of this planning step is to gather the precise data that will
be needed in later steps to minimize configuration errors.
An IKE policy defines a combination of security parameters used during the IKE
negotiation. A group of such policies makes up a protection suite that enables
IPSec peers to establish IKE sessions and SAs with a minimal configuration.
Create IKE policies for a purpose
IKE negotiations must be protected, so each IKE negotiation begins by each peer
agreeing on a shared IKE policy. This policy states which security parameters
will be used to protect subsequent IKE negotiations.
After the two peers
agree upon a policy, an SA established at each peer identifies the security
parameters of the policy. These SAs apply to all subsequent IKE traffic during
the negotiation.
Multiple, prioritized policies can be created at each
peer to ensure that at least one policy will match a policy configured on a
remote peer.
Define IKE policy parameters
Specific values for each IKE parameter can be selected, as outlined in the IKE
standard. Choose one value over another based on the security level desired and
the type of IPSec peer being connected to.
There are five parameters to define in each IKE policy, as outlined in Figures
and . Figure shows the relative strength of each parameter, and Figure shows
the default values.
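As an added illustration of the prioritized-policy matching described under "Create IKE policies for a purpose" and the five per-policy parameters named in this section (example code, not part of the original lesson), the following Python model negotiates an IKE policy between two peers. It assumes the five parameters are encryption, hash, authentication, DH group and lifetime, and a matching rule modelled on Cisco IOS documentation: every parameter except lifetime must be identical, the responder's lifetime must not exceed the initiator's, and the shorter lifetime is the one used; the branch and hub policy sets are constructed sample data.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class IsakmpPolicy:
    """One IKE phase-1 (ISAKMP) policy; the lower priority number is tried first."""
    priority: int
    encryption: str      # e.g. "aes-256", "3des"
    hash_alg: str        # e.g. "sha256", "sha"
    authentication: str  # "pre-share", "rsa-sig" or "rsa-encr"
    dh_group: int        # Diffie-Hellman group number
    lifetime: int        # IKE SA lifetime in seconds

    def suite(self):
        """The parameters that must match exactly (everything except lifetime)."""
        return (self.encryption, self.hash_alg, self.authentication, self.dh_group)

def negotiate(responder, initiator):
    """Return the agreed policy, or None when no policy matches.

    Matching rule (assumed; modelled on Cisco IOS documentation): the responder walks
    its own policies in priority order and compares each one against every policy the
    initiator offered. The suite must be identical and the responder's lifetime must be
    less than or equal to the initiator's; the shorter lifetime is the one used.
    """
    for mine in sorted(responder, key=lambda p: p.priority):
        for offered in sorted(initiator, key=lambda p: p.priority):
            if mine.suite() == offered.suite() and mine.lifetime <= offered.lifetime:
                return replace(mine, lifetime=min(mine.lifetime, offered.lifetime))
    return None

# Constructed sample: a branch router with two policies and a hub router with three.
BRANCH = [
    IsakmpPolicy(10, "aes-256", "sha256", "pre-share", 14, 86400),
    IsakmpPolicy(20, "3des", "sha", "pre-share", 2, 86400),
]
HUB = [
    IsakmpPolicy(10, "aes-128", "sha256", "pre-share", 14, 28800),
    IsakmpPolicy(20, "aes-256", "sha256", "pre-share", 14, 28800),
    IsakmpPolicy(30, "3des", "sha", "pre-share", 2, 28800),
]

def hub_responds():
    """Branch initiates: hub policy 20 matches branch policy 10 and the 28800 s lifetime wins."""
    return negotiate(responder=HUB, initiator=BRANCH)

def branch_responds():
    """Hub initiates: the branch's 86400 s lifetime exceeds every hub offer, so nothing matches."""
    return negotiate(responder=BRANCH, initiator=HUB)
```

Note that the same two policy sets succeed in one direction and fail in the other, which is why lifetimes on both peers should be planned together rather than assumed to be negotiated freely.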