Prepare a Router for Site-to-Site VPN using Pre-shared Keys
Step 1 – Determine ISAKMP (IKE Phase 1) policy

The IKE policy details needed to support the selected authentication method must be determined and then configured. A detailed plan reduces the chance of misconfiguration. The planning steps include the following:

  • Determine the key distribution method – Choose the key distribution method based on the number and locations of IPSec peers. For a small site-to-site VPN, it may be best to distribute keys manually. For larger networks, a CA server may be needed so that the number of IPSec peers can scale. Internet Security Association and Key Management Protocol (ISAKMP) must be configured to support the selected key distribution method.
  • Determine the authentication method – Choose the authentication method based on the key distribution method. Cisco IOS software supports pre-shared keys, RSA encrypted nonces, and RSA signatures for authenticating IPSec peers. This lesson focuses on pre-shared keys.
  • Identify IP addresses and host names of the IPSec peers – Determine the details of all of the IPSec peers that will use ISAKMP and pre-shared keys for establishing security associations (SAs). This information will be used to configure IKE.
  • Determine ISAKMP policies for peers – An ISAKMP policy defines a combination, or suite, of security parameters to be used during the ISAKMP negotiation. Each ISAKMP negotiation begins with the peers agreeing on a common, or shared, ISAKMP policy. The ISAKMP policy suites must be determined before configuration begins, and IKE must then be configured to support the policy details that were chosen. The ISAKMP policy details include:
    • Encryption algorithm
    • Hash algorithm
    • Authentication method
    • Diffie-Hellman group
    • IKE SA lifetime

The goal of this planning step is to gather the precise data that will be needed in later steps to minimize configuration errors.

An IKE policy defines a combination of security parameters used during the IKE negotiation. A group of such policies forms a protection suite that lets IPSec peers establish IKE sessions and SAs with minimal configuration.

Create IKE policies for a purpose
IKE negotiations must be protected, so each IKE negotiation begins by each peer agreeing on a shared IKE policy. This policy states which security parameters will be used to protect subsequent IKE negotiations.

After the two peers agree upon a policy, an SA established at each peer identifies the security parameters of the policy. These SAs apply to all subsequent IKE traffic during the negotiation.

Multiple, prioritized policies can be created at each peer to ensure that at least one policy will match a policy configured on a remote peer. The policy number is its priority (a lower number is a higher priority). The initiating peer sends all of its policies to the remote peer, which compares them against its own policies in priority order and uses the first match it finds; both peers must therefore agree on every parameter of the matching policy.

Define IKE policy parameters
Specific values for each IKE parameter can be selected, as outlined in the IKE standard. Choose one value over another based on the security level desired and the type of IPSec peer that will be connected to.

There are five parameters to define in each IKE policy, as outlined in the two figures that accompany this step: one shows the relative strength of each parameter value, and the other shows the default values.
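As an added example (not part of the original lesson), this is how the result of the planning steps above, for a two-router site-to-site VPN using pre-shared keys, would be expressed in Cisco IOS configuration, including the prioritized-policy behaviour described under "Create IKE policies for a purpose". The router names R1 and R2, the peer addresses 203.0.113.1 and 203.0.113.2, the policy numbers and the key value are assumptions chosen for the illustration, not values from the lesson.

```cisco
! ---- R1 (WAN address 203.0.113.1, assumed for this example) ----
! Policy numbers are priorities: a lower number is a higher priority.
! Policy 10 is the intended strong policy for this VPN.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
!
! Policy 20 is a deliberately weaker fallback, kept here only to show
! how negotiation falls through to it (see the note after the block).
crypto isakmp policy 20
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
!
! Pre-shared key bound to the remote peer's address (placeholder key value).
crypto isakmp key REPLACE-WITH-LONG-RANDOM-SECRET address 203.0.113.2

! ---- R2 (WAN address 203.0.113.2, assumed for this example) ----
! R2 has a single policy whose parameters match R1's policy 20, not policy 10.
! When R1 initiates it sends both of its policies; R2 compares its own policy
! against them, finds that only R1's policy 20 matches, and the IKE SA is
! built with 3DES/MD5/group 2, even though R1 offered AES-256/SHA-256/group 14.
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
!
! The key must be identical on both peers and bound to the other peer's address.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-SECRET address 203.0.113.1
```

On each router, show crypto isakmp policy lists the configured policies in priority order alongside the default policy, and show crypto isakmp sa detail shows which encryption, hash, authentication and DH group were actually negotiated once the tunnel is up. The point of the weaker fallback in the example is that the negotiation settles on the strongest policy both peers share, not the strongest policy either peer offers; a weak policy left on one side for compatibility is enough to pull the whole tunnel down to it, so remove such policies once both peers support the intended one, and bind each pre-shared key to a specific peer address rather than to a wildcard.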