About Ike Policy Negotiation - Cisco AP775A - Nexus Converged Network Switch 5010 Configuration Manual

Manually Configuring IPsec and IKE
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m
•

About IKE Policy Negotiation

To protect IKE negotiations, each IKE negotiation begins with a common (shared) IKE policy. An IKE
policy defines a combination of security parameters to be used during the IKE negotiation. By default,
no IKE policy is configured. You must create IKE policies at each peer. This policy states which security
parameters will be used to protect subsequent IKE negotiations and mandates how peers are
authenticated. You can create multiple, prioritized policies at each peer to ensure that at least one policy
will match a remote peer's policy.
You can configure the policy based on the encryption algorithm (DES, 3DES, or AES), the hash
algorithm (SHA or MD5), and the DH group (1, 2, or 5). Each policy can contain a different combination
of parameter values. A unique priority number identifies the configured policy. This number ranges from
1 (highest priority) to 255 (lowest priority). You can create multiple policies in a switch. If you need to
connect to a remote peer, you must ascertain that at least one policy in the local switch contains the
identical parameter values configured in the remote peer. If several policies have identical parameter
configurations, the policy with the lowest number is selected.
Table 44-1
Table 44-1
Parameter
encryption algorithm
hash algorithm
authentication method
DH group identifier
The following table lists the supported and verified settings for IPsec and IKE encryption authentication
algorithms on the Microsoft Windows and Linux platforms:
Platform
Microsoft iSCSI initiator,
Microsoft IPsec implementation
on Microsoft Windows 2000
platform
Cisco iSCSI initiator,
Free Swan IPsec implementation
on Linux platform
Cisco MDS 9000 Family Fabric Manager Configuration Guide
44-14
IKE version 2 (IKEv2) is a simplified and more efficient version and does not interoperate with
IKEv1. IKEv2 is implemented using the draft-ietf-ipsec-ikev2-16.txt draft.
provides a list of allowed transform combinations.
IKE Transform Configuration Parameters
Accepted Values
56-bit DES-CBC
168-bit DES
128-bit AES
SHA-1 (HMAC variant)
MD5 (HMAC variant)
Preshared keys
768-bit DH
1024-bit DH
1536-bit DH
IKE
3DES, SHA-1 or MD5,
DH group 2
3DES, MD5, DH group 1
Chapter 44 Configuring IPsec Network Security
Keyword Default Value
des 3des
3des
aes
sha sha
md5
Not configurable Preshared keys
1 1
2
5
IPsec
3DES, SHA-1
3DES, MD5
OL-17256-03, Cisco MDS NX-OS Release 4.x