An IPSec policy defines a combination of IPSec parameters used
during the IPSec negotiation. Planning for IPSec, also known as IKE phase two,
is another important step that should be completed before actually configuring
IPSec on a Cisco router. Policy details to determine at this stage include the
following:
- Select IPSec algorithms and parameters for optimal security and performance –
Determine what type of IPSec security to use when securing interesting traffic.
Some IPSec algorithms require tradeoffs between high performance and stronger
security. Some algorithms have import and export restrictions that may delay or
prevent implementation of the network.
- Select transforms and, if necessary, transform sets – Use the IPSec algorithms
and parameters previously decided upon to help select IPSec transforms,
transform sets, and modes of operation.
- Identify IPSec peer details – Identify the IP addresses and host names of all
IPSec peers to be connected.
- Determine IP addresses and applications of hosts to be protected – Decide
which host IP addresses and applications should be protected at the local peer
and at the remote peer.
- Select manual or IKE-initiated SAs – Choose whether SAs are established
manually or through IKE.
The goal of this planning step is to gather the precise data that will
be needed in later steps to minimize misconfiguration.
Cisco IOS software supports the IPSec transforms shown in Figure.
Authentication Header (AH) is rarely used because authentication is now
available with the esp-sha-hmac and
esp-md5-hmac transforms. AH is also not compatible with NAT
or PAT.
The Cisco IOS command parser prevents invalid combinations from
being entered. For example, after an AH transform is specified, it does not
allow another AH transform to be specified for the current transform set.
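As an added example (not configuration from the original text), the planning decisions above map onto a Cisco IOS IKE phase two configuration as follows: one ESP transform set, an access list describing the interesting traffic, and an IKE-initiated crypto map bound to the peer-facing interface. The transform-set and crypto map names, the ACL number, the subnets and the peer addresses are constructed placeholders, and an IKE phase one policy (crypto isakmp policy and peer authentication) is assumed to be configured already.

```cisco
! Added example, not from the original text. Names, addresses and the
! ACL number are constructed placeholders.
!
! Transform set from the algorithm/parameter decision: ESP with AES-256
! for confidentiality and SHA-1 HMAC for authentication. No AH transform
! is included, since the ESP HMAC transform already authenticates and AH
! does not pass through NAT or PAT.
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Interesting traffic: the protected hosts decided upon for the local
! and remote peer (here all IP traffic between two LAN subnets).
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! IKE-initiated SAs (ipsec-isakmp rather than ipsec-manual). The crypto
! map entry ties together the peer, the interesting traffic, the
! transform set and the SA lifetime.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set VPN-TS
 match address 110
 set security-association lifetime seconds 3600
!
! Apply the crypto map to the interface facing the IPSec peer.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN-MAP
```

The remote peer needs the mirror-image configuration: the same transform set, an access list with source and destination swapped, and a crypto map whose peer is 203.0.113.1.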