Cisco CRS-1 - Carrier Routing System Router Configuration Manual page 116

IOS XR System Security Configuration Guide

Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router, SC-110, OL-20382-01

Information About Implementing IKE Security Protocol Configurations for IPSec Networks

If no acceptable match is found, IKE refuses negotiation and IPSec is not established. (See related information in the "Limitation of an IKE Peer to a Specific Set of Policies" section.)

If a match is found, IKE completes negotiation, and an ISAKMP security association (SA) is created. To establish an ISAKMP SA with a pre-shared key or certificate, a matching policy must be configured. Without a match, no ISAKMP SA can be established.

Note: Depending on which authentication method is specified in a policy, additional configuration might be required (as described in the "Additional Configuration Required for IKE Policies" section on page 112). If a peer's policy does not have the required companion configuration, the peer does not submit the policy when attempting to find a matching policy with the remote peer.

Limitation of an IKE Peer to a Specific Set of Policies

Cisco VPN clients are preconfigured with all available policies, and propose all of these policies when connecting to the hub. The hub must then select the "first-match" policy. However, some users may need to restrict the use of strong encryption algorithms between the local and remote peer when they connect through the IPSec gateway. Because the Cisco VPN client does not allow users to choose which policy (and therefore which encryption algorithm) to use, these users may instead configure policy sets that in effect create such restrictions. Matches between peer and policy set are then restricted or allowed based on a match with the local IP address (or the tunnel source configured at the SVI) identified in the policy set.

For example, an IPSec hub is configured with six policies, but the policy set is configured with only three of these six. When a remote client tries to initiate a tunnel and refers to this SVI tunnel source address, the policy set is matched. IKE looks for a match among the three policies dictated by the policy set, starting from the highest to the lowest priority number (the lower the number, the higher the priority). If no match exists among these three policies, no tunnel can be established.

If a remote peer tries to connect to an SVI whose local IP address does not restrict it to certain IKE policies, then the default behavior described in the "IKE Peer Agreement for Matching Policies" section of this module applies.

You may configure up to five ISAKMP policies within a single policy set.

For information about how to limit an IKE peer to a specific set of policies, see "Limiting an IKE Peer to Use a Specific Policy Set, page 119".

Value Selection for Parameters

You can select certain values for each parameter, following the IKE standard. But why choose one value over another?

If you are interoperating with a device that supports only one of the values for a parameter, your choice is limited to the value supported by the other device. Aside from this, a trade-off between security and performance often exists, and many of these parameter values represent such a trade-off. You should evaluate the level of security risks for your network and your tolerance for these risks. Then the following tips might help you select which value to specify for each parameter:

• The encryption algorithm has five options: 56-bit DES-CBC, 168-bit DES, 128-bit AES, 192-bit AES, and 256-bit AES.
• The hash algorithm has two options: SHA-1 and MD5.
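The first-match selection and policy-set restriction described above, modelled as an added Python example (this is not Cisco's code or configuration): the class and attribute names, the sample addresses and the sample policies are constructed for illustration, and a policy match is simplified to equality of the four listed attributes.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# The guide's limit: at most five ISAKMP policies within one policy set.
MAX_POLICIES_PER_SET = 5


@dataclass(frozen=True)
class IsakmpPolicy:
    """One ISAKMP policy; attribute names are constructed for this model."""
    encryption: str      # e.g. "aes-256", "3des", "des"
    hash: str            # "sha1" or "md5"
    authentication: str  # e.g. "pre-share" or "rsa-sig"
    group: int           # Diffie-Hellman group number


class IkeHub:
    """Hub side of IKE phase 1: policies keyed by priority number."""

    def __init__(self, policies: Dict[int, IsakmpPolicy]) -> None:
        self.policies = policies
        # local (tunnel source) address -> priorities the policy set allows
        self.policy_sets: Dict[str, List[int]] = {}

    def add_policy_set(self, local_address: str, priorities: Iterable[int]) -> None:
        prios = list(priorities)
        if len(prios) > MAX_POLICIES_PER_SET:
            raise ValueError("a policy set may hold at most five ISAKMP policies")
        unknown = [p for p in prios if p not in self.policies]
        if unknown:
            raise ValueError(f"policy set refers to unknown priorities {unknown}")
        self.policy_sets[local_address] = prios

    def candidate_priorities(self, local_address: str) -> List[int]:
        # A restricted local address yields only the set's policies; any other
        # address falls back to the default behaviour (every configured policy).
        allowed = self.policy_sets.get(local_address, list(self.policies))
        return sorted(allowed)  # lowest number = highest priority, tried first

    def negotiate(self, local_address: str, proposals: Iterable[IsakmpPolicy]) -> Optional[int]:
        # First-match: walk the hub's candidates in priority order and accept the
        # first one the peer also proposed. Matching is modelled as equality of
        # all four attributes (lifetime handling is omitted in this model).
        proposed = set(proposals)
        for prio in self.candidate_priorities(local_address):
            if self.policies[prio] in proposed:
                return prio
        return None  # IKE refuses negotiation; no ISAKMP SA is created
```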