Cisco Systems OL-16647-01 Network Router User Manual
34-4
Cisco ASDM User Guide
OL-16647-01
Chapter 34 IKE
IKE Policies
Key Id String—Type the alphanumeric string the peers use to look up the preshared key.
Disable inbound aggressive mode connections—Select to disable aggressive mode connections. In aggressive mode the peer identity and the preshared-key-based authentication hash are exchanged unencrypted, which exposes the preshared key to offline dictionary attacks; leave aggressive mode disabled unless a peer requires it.
Alert peers before disconnecting—Select to have the security appliance notify qualified
LAN-to-LAN peers and remote access clients before disconnecting sessions.
Wait for all active sessions to voluntarily terminate before rebooting—Select to have the
security appliance postpone a scheduled reboot until all active sessions terminate.
Modes
The following table shows the modes in which this feature is available:
IKE Policies
Each IKE negotiation is divided into two phases, called Phase 1 and Phase 2.
Phase 1 creates the first tunnel, which protects later IKE negotiation messages. Phase 2 creates the tunnel
that protects data.
To set the terms of the IKE negotiations, you create one or more IKE policies, which include the
following:
A unique priority (1 through 65,535, with 1 the highest priority).
An authentication method, to ensure the identity of the peers.
An encryption method, to protect the data and ensure privacy.
An HMAC method to ensure the identity of the sender, and to ensure that the message has not been
modified in transit.
A Diffie-Hellman group to establish the strength of the encryption-key-determination
algorithm. The security appliance uses this algorithm to derive the encryption and hash keys.
A limit for how long the security appliance uses an encryption key before replacing it.
If you do not configure any IKE policies, the security appliance uses the default policy, which is always
set to the lowest priority and which contains the default value for each parameter. If you do not specify
a value for a specific parameter, the default value takes effect.
When IKE negotiation begins, the peer that initiates the negotiation sends all of its policies to the remote
peer, and the remote peer searches for a match with its own policies, in priority order.
A match between IKE policies exists if they have the same encryption, hash, authentication, and
Diffie-Hellman values, and the remote peer's policy has an SA lifetime less than or equal to the lifetime in
the policy sent. If the lifetimes are not identical, the shorter lifetime, the one from the remote peer policy,
applies. If no match exists, IKE refuses negotiation and the IKE SA is not established.
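The matching procedure above (initiator sends all of its policies, responder walks its own policies in priority order, match on encryption, hash, authentication and DH group, lifetime no longer than the one proposed, shorter lifetime wins, default policy at the lowest priority when nothing is configured) modelled as an added Python example. This is not ASDM or ASA code; the policy values, the `IkePolicy`/`negotiate` names and the contents of `DEFAULT_POLICY` are constructed for illustration and are not the appliance's actual defaults.

```python
from dataclasses import dataclass, replace
from typing import Iterable, Optional


@dataclass(frozen=True)
class IkePolicy:
    """One IKE Phase 1 policy. Field values are illustrative labels, not ASA keywords."""
    priority: int        # 1 is the highest priority, 65535 the lowest
    encryption: str      # encryption method, e.g. "aes-256"
    hash: str            # HMAC method, e.g. "sha"
    authentication: str  # e.g. "pre-share" or "rsa-sig"
    dh_group: int        # Diffie-Hellman group number
    lifetime: int        # SA lifetime in seconds

    def __post_init__(self) -> None:
        if not 1 <= self.priority <= 65535:
            raise ValueError("priority must be in 1..65535")
        if self.lifetime <= 0:
            raise ValueError("lifetime must be positive")


# Constructed stand-in for the default policy. It always carries the lowest
# possible priority so every explicitly configured policy is tried before it.
DEFAULT_POLICY = IkePolicy(priority=65535, encryption="3des", hash="sha",
                           authentication="pre-share", dh_group=2, lifetime=86400)


def policies_match(proposal: IkePolicy, local: IkePolicy) -> bool:
    """Match rule from the text: identical encryption, hash, authentication and
    DH group, and the responder's lifetime must not exceed the proposed one."""
    return (proposal.encryption == local.encryption
            and proposal.hash == local.hash
            and proposal.authentication == local.authentication
            and proposal.dh_group == local.dh_group
            and local.lifetime <= proposal.lifetime)


def negotiate(initiator_policies: Iterable[IkePolicy],
              responder_policies: Iterable[IkePolicy]) -> Optional[IkePolicy]:
    """Return the Phase 1 parameters the responder accepts, or None when IKE
    refuses the negotiation because no pair of policies matches."""
    proposals = list(initiator_policies)
    # A responder with no configured policies has only the default policy.
    candidates = list(responder_policies) or [DEFAULT_POLICY]
    # The responder searches its own policies in priority order (1 first) ...
    for local in sorted(candidates, key=lambda p: p.priority):
        # ... comparing each against every policy the initiator sent.
        for proposal in proposals:
            if policies_match(proposal, local):
                # The shorter lifetime applies; by the match rule that is the responder's.
                return replace(local, lifetime=min(local.lifetime, proposal.lifetime))
    return None


# Constructed sample configurations for two peers (not from any real device).
INITIATOR = [
    IkePolicy(10, "aes-256", "sha", "pre-share", 14, 86400),
    IkePolicy(20, "3des", "sha", "pre-share", 2, 28800),
]
RESPONDER = [
    IkePolicy(5, "aes-128", "sha", "rsa-sig", 5, 86400),      # no match: different values
    IkePolicy(10, "aes-256", "sha", "pre-share", 14, 43200),  # matches initiator policy 10
    IkePolicy(20, "3des", "sha", "pre-share", 2, 86400),      # same values, lifetime too long
]


if __name__ == "__main__":
    print("agreed:", negotiate(INITIATOR, RESPONDER))
    print("lifetime too long:", negotiate([INITIATOR[1]], [RESPONDER[2]]))
    print("default policy only:", negotiate([INITIATOR[0]], []))
```

Note the third responder policy: its values equal the initiator's second policy, but its 86400-second lifetime is longer than the 28800 seconds proposed, so under the stated rule it does not match and, on its own, the negotiation is refused.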
Fields
Policies—Displays parameter settings for each configured IKE policy.
Firewall Mode           Security Context
Routed   Transparent    Single   Multiple
                                 Context   System
——