Prepare a Router for Site-to-Site VPN using Pre-shared Keys
Step 2 – Determine IPSec (IKE Phase 2) policy

An IPSec policy defines a combination of IPSec parameters used during the IPSec negotiation. Planning for IPSec, also known as IKE phase two, is another important step that should be completed before actually configuring IPSec on a Cisco router. Policy details to determine at this stage include the following:

  • Select IPSec algorithms and parameters for optimal security and performance – Determine what type of IPSec security to use when securing interesting traffic. Some IPSec algorithms require tradeoffs between high performance and stronger security. Some algorithms have import and export restrictions that may delay or prevent implementation of the network.
  • Select transforms and, if necessary, transform sets – Use the IPSec algorithms and parameters previously decided upon to help select IPSec transforms, transform sets, and modes of operation.
  • Identify IPSec peer details – Identify the IP addresses and host names of all IPSec peers to be connected.
  • Determine IP address and applications of hosts to be protected – Decide which hosts' IP addresses and applications should be protected at the local peer and remote peer.
  • Select manual or IKE-initiated SAs – Choose whether SAs are manually established or are established through IKE.

The goal of this planning step is to gather the precise data that will be needed in later steps to minimize misconfiguration.

Cisco IOS software supports the IPSec transforms shown in the figure.

Authentication Header (AH) is rarely used because authentication is now available with the esp-sha-hmac and esp-md5-hmac transforms. AH is also not compatible with NAT or PAT.

The Cisco IOS command parser prevents invalid combinations from being entered. For example, after an AH transform is specified, it does not allow another AH transform to be specified for the current transform set.
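The following is an added example, not part of the course text, that turns the planning worksheet from the bullet list above into something checkable: it records the phase 2 decisions (transforms, mode, peer, protected hosts, manual or IKE SAs), applies the constraints just described (one transform per slot, as the parser enforces; AH not usable across NAT or PAT; AH redundant beside ESP authentication) and renders the corresponding IOS lines for the later configuration steps. The transform names and IOS commands are Cisco's; the `Phase2Policy` layout, the check rules, the sample addresses and the helper names are this example's own assumptions.

```python
"""IKE phase 2 (IPSec) policy worksheet: consistency checks plus IOS rendering.

Added example, not part of the original course text. Transform names and the
rendered commands are Cisco IOS ones; the worksheet layout, the check rules
and the helper names are this example's own assumptions.
"""
from dataclasses import dataclass

# Cisco IOS transform names grouped by the slot each occupies in a transform set.
AH_TRANSFORMS = {"ah-md5-hmac", "ah-sha-hmac"}
ESP_CIPHERS = {"esp-null", "esp-des", "esp-3des", "esp-aes", "esp-aes 192", "esp-aes 256"}
ESP_AUTHS = {"esp-md5-hmac", "esp-sha-hmac"}
# Still accepted by the parser, but weak: avoid them at planning time.
WEAK = {"esp-null", "esp-des", "esp-md5-hmac", "ah-md5-hmac"}


@dataclass
class Phase2Policy:
    """One row of the planning worksheet: the decisions listed in the text."""
    name: str                  # base name for the transform set and crypto map
    transforms: list           # chosen IOS transforms, e.g. ["esp-aes 256", "esp-sha-hmac"]
    peer: str                  # remote IPSec peer address
    local_net: tuple           # (network, wildcard) of hosts protected locally
    remote_net: tuple          # (network, wildcard) of hosts behind the remote peer
    nat_in_path: bool = False  # True if NAT or PAT sits between the peers
    mode: str = "tunnel"       # "tunnel" or "transport"
    ike_sas: bool = True       # True: IKE-negotiated SAs, False: manual SAs


def check_policy(p):
    """Return (errors, warnings). Errors are what the parser rejects or what
    cannot work; warnings are planning trade-offs worth a second look."""
    errors, warnings = [], []
    ah = [t for t in p.transforms if t in AH_TRANSFORMS]
    ciphers = [t for t in p.transforms if t in ESP_CIPHERS]
    auths = [t for t in p.transforms if t in ESP_AUTHS]
    for t in p.transforms:
        if t not in AH_TRANSFORMS | ESP_CIPHERS | ESP_AUTHS:
            errors.append(f"unknown transform {t!r}")
    # The parser allows at most one transform per slot (AH, ESP cipher, ESP auth).
    for slot, chosen in (("AH", ah), ("ESP cipher", ciphers), ("ESP auth", auths)):
        if len(chosen) > 1:
            errors.append(f"only one {slot} transform allowed, got {chosen}")
    if not (ah or ciphers or auths):
        errors.append("no transforms selected")
    if p.mode not in ("tunnel", "transport"):
        errors.append(f"unknown mode {p.mode!r}")
    # AH authenticates the outer IP header, so address rewriting by NAT/PAT breaks it.
    if ah and p.nat_in_path:
        errors.append("AH cannot traverse NAT/PAT; use ESP with esp-*-hmac instead")
    if ah and auths:
        warnings.append("AH is redundant when ESP already provides authentication")
    if ciphers and not auths and not ah:
        warnings.append("encryption without integrity protection")
    for t in sorted(set(p.transforms) & WEAK):
        warnings.append(f"{t} is weak; prefer esp-aes 256 with esp-sha-hmac")
    if not p.ike_sas:
        warnings.append("manual SAs need static session keys and never re-key")
    return errors, warnings


def render_ios(p):
    """Render the worksheet as the IOS phase 2 lines used in later steps.
    The ISAKMP policy and pre-shared key belong to step 1 and are not rendered."""
    errors, _ = check_policy(p)
    if errors:
        raise ValueError("; ".join(errors))
    acl = 110  # crypto ACL number; constructed for this example
    return [
        f"crypto ipsec transform-set {p.name}-TS {' '.join(p.transforms)}",
        f" mode {p.mode}",
        f"access-list {acl} permit ip {p.local_net[0]} {p.local_net[1]} "
        f"{p.remote_net[0]} {p.remote_net[1]}",
        f"crypto map {p.name}-MAP 10 {'ipsec-isakmp' if p.ike_sas else 'ipsec-manual'}",
        f" set peer {p.peer}",
        f" set transform-set {p.name}-TS",
        f" match address {acl}",
    ]


if __name__ == "__main__":
    # Constructed sample worksheet: documentation addresses, no NAT in the path.
    plan = Phase2Policy("VPN", ["esp-aes 256", "esp-sha-hmac"], "203.0.113.2",
                        ("10.1.1.0", "0.0.0.255"), ("10.2.2.0", "0.0.0.255"))
    print(check_policy(plan))
    print("\n".join(render_ios(plan)))
```

Running the worksheet through `check_policy` before touching the router is the point: a second AH transform or AH behind a NAT device is reported here rather than discovered at the CLI or, worse, as a tunnel that never comes up.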