Digi 90000566_H Network Router User Manual


 
set vpn
Chapter 2 Command Descriptions 237
[isakmp options]
To configure an ISAKMP tunnel, you must configure the settings to match
those on the remote VPN server.
mode=isakmp
Indicates that the settings are for a VPN ISAKMP tunnel. ISAKMP
tunnels specify a list of proposals, or security policies, that are used to
negotiate a set of security settings with the remote VPN endpoint.
shared_key={ascii key|hex key}
A key that secures the VPN tunnel. The key can be either an ASCII
value using alphanumeric characters or a hexadecimal value prefixed
by 0x.
To specify security proposals for VPN ISAKMP tunnels, see "IKE/ISAKMP
SA Phase 2 options" on page 239.
IKE/ISAKMP SA Phase 1 and Phase 2 options
Internet Key Exchange (IKE) negotiates the IPSec security associations
(SA). This process requires that the IPSec systems first authenticate
themselves to each other and establish ISAKMP (IKE) shared keys. The
SAs are relationships between two or more entities or peers that describe
how the entities or peers will use security services to communicate
securely.
IKE negotiations are handled using two different phases.
Phase 1 is responsible for creating an authenticated and secure
channel between the two peers. Typically, Phase 1 is completed
using a Diffie-Hellman key exchange.
Phase 2 is then responsible for negotiating the final SAs and generating
the required keys and key material for IPSec. This is completed by
negotiating one or more sets of security policies, or proposals, between
the two peers until a given set is agreed upon by both peers.
Default Security Policies
The security policies that are negotiated and used in securing the SAs
include the encryption algorithm, authentication algorithm, and the SA
lifetime in seconds. By default, the Digi Cellular Family device includes the
following set of defaults. If these settings do not match the VPN and IKE
SA configuration of the remote peers or if further policies are required,
select Use the following policies to negotiate Internet Key Exchange
(IKE) security settings and add one or more security policies.
Encryption        Authentication   SA Lifetime
3-DES (192-bit)   SHA1             86400 seconds
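The following Python example is added here and is not part of the Digi manual or firmware. It models two rules from this section: decoding a shared_key value by the ASCII/0x-hex convention, and the Phase 2 proposal selection in which the local policy list (here, the default 3-DES/SHA1/86400 entry) is compared against the remote peer's list until a matching set is found. The remote proposal lists are constructed sample data; rejecting non-alphanumeric ASCII keys and odd-length hex is this example's assumption, not a rule the manual states.

```python
"""Model of the set vpn mode=isakmp settings described in this section (added example)."""
import re
from typing import List, Optional, Tuple

# A security policy: (encryption algorithm, authentication algorithm, SA lifetime in seconds).
Policy = Tuple[str, str, int]

# The device's default Phase 2 policy from the manual's table.
DEFAULT_POLICIES: List[Policy] = [("3-DES (192-bit)", "SHA1", 86400)]


def parse_shared_key(value: str) -> bytes:
    """Decode shared_key={ascii key|hex key}.

    A value prefixed by 0x is treated as hexadecimal; anything else is an
    ASCII key made of alphanumeric characters. Returns the raw key bytes.
    """
    if value[:2].lower() == "0x":
        hex_part = value[2:]
        # Assumption: a hex key must hold whole bytes (even digit count).
        if not hex_part or len(hex_part) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", hex_part):
            raise ValueError("hex key must be 0x followed by an even number of hex digits")
        return bytes.fromhex(hex_part)
    if not re.fullmatch(r"[A-Za-z0-9]+", value):
        raise ValueError("ASCII key must use alphanumeric characters only")
    return value.encode("ascii")


def negotiate(local: List[Policy], remote: List[Policy]) -> Optional[Policy]:
    """Phase 2 proposal selection.

    Walk the local proposals in order and return the first one the remote
    peer also offers. All three fields must match, including the SA lifetime;
    if no proposal is shared the negotiation fails and None is returned.
    """
    remote_set = set(remote)
    for proposal in local:
        if proposal in remote_set:
            return proposal
    return None


if __name__ == "__main__":
    # Constructed remote peer lists: one that shares the default, one that does not.
    peer_ok = [("3-DES (192-bit)", "SHA1", 86400)]
    peer_lifetime_mismatch = [("3-DES (192-bit)", "SHA1", 3600)]
    print(parse_shared_key("0x0a1B"), parse_shared_key("secret42"))
    print(negotiate(DEFAULT_POLICIES, peer_ok))
    print(negotiate(DEFAULT_POLICIES, peer_lifetime_mismatch))
```

A lifetime mismatch alone is enough to make `negotiate` return None, which is the situation the manual addresses by telling you to add policies that match the remote peer.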