D-Link DI-1750 Reference Manual page 378

You must create multiple, prioritized policies at each peer to ensure that at least one policy will match a
remote peer's policy.
2. What Parameters Do You Define in a Policy
There are five parameters to define in each IKE policy:
- encryption algorithm
- hash algorithm
- authentication method
- Diffie-Hellman group identifier
- security association's lifetime
3. How Do IKE Peers Agree upon a Matching Policy
When the IKE negotiation begins, IKE looks for an IKE policy that is the same on both peers. The peer
that initiates the negotiation will send all its policies to the remote peer, and the remote peer will try to
find a match. The remote peer looks for a match by comparing its own highest priority policy against the
other peer's received policies. The remote peer checks each of its policies in order of its priority
(highest priority first) until a match is found.
A match is made when both policies from the two peers contain the same encryption, hash,
authentication, and Diffie-Hellman parameter values, and when the remote peer's policy specifies a
lifetime less than or equal to the lifetime in the policy being compared.
If no acceptable match is found, IKE refuses negotiation and IPSec will not be established.
If a match is found, IKE will complete negotiation, and IPSec security associations will be created.
Note:
Depending on which authentication method is specified in a policy, additional configuration might be required.
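The responder-side matching procedure described in section 3, written out as an added example (this is not D-Link's code; the keyword values and the 60 to 86400 second lifetime range come from this page's parameter table, and the assumption that a lower priority number means higher priority is mine):

```python
from dataclasses import dataclass

# Keywords and accepted ranges taken from the manual's IKE policy table.
ENCRYPTION = {"des", "3des"}
HASH = {"sha", "md5"}
AUTH = {"pre-share", "rsa-sig", "rsa-encr"}
DH_GROUP = {1, 2}           # 1 = 768-bit, 2 = 1024-bit Diffie-Hellman
LIFETIME_MIN, LIFETIME_MAX = 60, 86400

@dataclass(frozen=True)
class IkePolicy:
    priority: int           # assumption: lower number = higher priority
    encryption: str
    hash_alg: str
    auth: str
    group: int
    lifetime: int = 86400   # default: one day

    def __post_init__(self):
        # Reject values the manual's table does not accept.
        if (self.encryption not in ENCRYPTION or self.hash_alg not in HASH
                or self.auth not in AUTH or self.group not in DH_GROUP
                or not LIFETIME_MIN <= self.lifetime <= LIFETIME_MAX):
            raise ValueError(f"invalid IKE policy: {self}")

def matches(remote: IkePolicy, received: IkePolicy) -> bool:
    """Same encryption, hash, authentication and DH group, and the remote
    (responding) peer's lifetime <= the lifetime in the received policy."""
    return (remote.encryption == received.encryption
            and remote.hash_alg == received.hash_alg
            and remote.auth == received.auth
            and remote.group == received.group
            and remote.lifetime <= received.lifetime)

def negotiate(remote_policies, received_policies):
    """Responder walks its own policies highest priority first; returns the
    first one matching any received policy, or None (IKE refuses)."""
    for remote in sorted(remote_policies, key=lambda p: p.priority):
        for received in received_policies:
            if matches(remote, received):
                return remote
    return None

# Constructed sample: the responder's top policy differs from the
# initiator's offer only by a longer lifetime, so it is skipped.
initiator = [IkePolicy(10, "3des", "sha", "pre-share", 2, 3600),
             IkePolicy(20, "des", "md5", "pre-share", 1)]
responder = [IkePolicy(10, "3des", "sha", "pre-share", 2, 7200),  # no match
             IkePolicy(20, "3des", "sha", "pre-share", 2, 1800),  # match
             IkePolicy(30, "des", "md5", "pre-share", 1)]
```

With only the first responder policy configured, `negotiate` returns None and no IPSec SA would be built, which is the failure the page's advice about multiple prioritized policies guards against.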
4. Which Value Should You Select for Each Parameter
The encryption algorithm has two options: 56-bit DES-CBC and 168-bit 3DES-CBC; the latter is more
secure.
The hash algorithm has two options: SHA-1 and MD5. MD5 has a smaller digest and is considered to
be slightly faster than SHA-1. There has been a demonstrated successful (but extremely difficult) attack
against MD5; however, the HMAC variant used by IKE prevents this attack.
The authentication method has three options: RSA signatures, RSA encrypted nonces, and pre-shared
keys. Currently only pre-shared keys are supported.
The Diffie-Hellman group identifier has two options: 768-bit or 1024-bit Diffie-Hellman. 1024-bit
Diffie-Hellman is harder to crack, but requires more CPU time to execute.
The security association's lifetime can be set to any value. As a general rule, the shorter the lifetime (up
to a point), the more secure your IKE negotiations will be. However, with longer lifetimes, future IPSec
security associations can be set up more quickly. For more information about this parameter and how it
is used, see the command description for the lifetime (IKE policy) command.
Parameter                        Accepted Values                          Keyword    Default Value
encryption algorithm             56-bit DES-CBC                           des        56-bit DES-CBC
                                 168-bit 3DES-CBC                         3des
hash algorithm                   SHA-1                                    sha        SHA-1
                                 MD5                                      md5
authentication method            pre-shared keys                          pre-share  pre-shared keys
                                 RSA signatures                           rsa-sig
                                 RSA encrypted nonces                     rsa-encr
Diffie-Hellman group identifier  768-bit Diffie-Hellman                   1          768-bit Diffie-Hellman
                                 1024-bit Diffie-Hellman                  2
security association's lifetime  any number of seconds from 60 to 86400   -          86400 seconds (one day)
- 376 -
