Security Policy Considerations; Configuring Policy - Enterasys Security Router X-PeditionTM User Manual

Enterasys security router user's guide

More than one IKE proposal can be specified on each node. When IKE negotiation begins, it seeks a common proposal on both peers with identical parameters. IKE policy is configured using the crypto isakmp peer command. Specified parameters are effective when a peer address/subnet matches the IP address of the peer. The wildcard 0.0.0.0 0.0.0.0 may be used to match any peer.

Configurable IKE policy values are:
IKE peer address/subnet
IKE proposal list
Client or server Mode-config
Main or aggressive IKE exchange mode (outbound tunnels only)
User-defined identification (with aggressive mode only)
Enabled or disabled NAT automatic options

Transform-sets used for IPSec are created by the crypto ipsec transform-set command. You can choose AH, ESP, or IP compression values as follows:
MD5-HMAC or SHA-HMAC hashing algorithms
3DES, AES or DES encryption
MD5 or SHA-1 hash algorithms

Security Policy Considerations

Be aware of these considerations when configuring security policy:
DES is a weaker form of encryption than 3DES and provides a lower level of security than the newer algorithm. We recommend 3DES.
Selecting any Perfect Forward Secrecy (PFS) option makes each key generated for data encryption independent of previous keys: if a key is compromised, the next key generated by the Phase 2 exchange cannot be derived from the value of the previous key. This comes at the cost of slightly lower performance.
Two IPSec encapsulation modes are supported, but the default, tunnel mode, is typically used with VPNs because it is more inclusive.
It is useful to specify a user ID instead of an IP address when configuring an SA in aggressive mode (with pre-shared keys) for a peer whose IP address is dynamic. If you specify no ID, the peer's IP address is used by default, but in that case you will have to re-configure both ends of the tunnel (with a new entry in the aaa user database) every time the address changes. Use the user-id command instead.

Configuring Policy

The following example defines a simple IKE Phase I proposal, remote peer and IPSec transform-sets.
Configure the IKE proposal try1:
XSR(config)#crypto isakmp proposal try1
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#encryption aes
XSR(config-isakmp)#hash md5
XSR(config-isakmp)#group 5
XSR(config-isakmp)#lifetime 40000

VPN Configuration Overview
XSR User's Guide 14-23
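The guide states that IKE negotiation succeeds only when both peers hold a proposal with identical parameters, and that DES should be replaced by 3DES. The following script is an added example, not Enterasys code: it parses CLI sessions in the crypto isakmp proposal syntax shown above, mimics the "identical parameters" match between two peers, and flags DES as the considerations section recommends. The two sessions PEER_A and PEER_B are constructed; the proposal names try1, legacy and strong are hypothetical. The constructed input also shows a failure mode the prose does not spell out: when each side's strongest proposal differs, the tunnel silently falls back to the only proposal the peers share, here the one using DES.

```python
import re

# Constructed CLI sessions for two hypothetical peers, in the page's syntax.
# Each peer's first proposal is its preferred one; only "legacy" is identical on both.
PEER_A = """\
XSR(config)#crypto isakmp proposal try1
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#encryption aes
XSR(config-isakmp)#hash md5
XSR(config-isakmp)#group 5
XSR(config-isakmp)#lifetime 40000
XSR(config)#crypto isakmp proposal legacy
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#encryption des
XSR(config-isakmp)#hash sha
XSR(config-isakmp)#group 2
XSR(config-isakmp)#lifetime 86400
"""

PEER_B = """\
XSR(config)#crypto isakmp proposal strong
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#encryption 3des
XSR(config-isakmp)#hash sha
XSR(config-isakmp)#group 5
XSR(config-isakmp)#lifetime 40000
XSR(config)#crypto isakmp proposal legacy
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#encryption des
XSR(config-isakmp)#hash sha
XSR(config-isakmp)#group 2
XSR(config-isakmp)#lifetime 86400
"""

# Strips the "XSR(config)#" / "XSR(config-isakmp)#" prompt so only the command remains.
PROMPT = re.compile(r"^XSR\(config[^)]*\)#")
# Parameters that make up an IKE proposal on this page.
PARAMS = ("authentication", "encryption", "hash", "group", "lifetime")


def parse_proposals(session):
    """Return {proposal_name: {param: value}} for every crypto isakmp proposal block."""
    proposals = {}
    current = None
    for raw in session.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line:
            continue
        words = line.split()
        if words[:3] == ["crypto", "isakmp", "proposal"] and len(words) == 4:
            current = words[3]
            proposals[current] = {}
        elif current is not None and words[0] in PARAMS and len(words) == 2:
            proposals[current][words[0]] = words[1].lower()
    return proposals


def negotiate(local, remote):
    """Mimic IKE proposal selection as the guide describes it: the first local
    proposal (in configuration order) whose parameters are identical to some
    remote proposal wins. Names need not match, only parameters.
    Returns (local_name, remote_name) or None when nothing is common."""
    for lname, lparams in local.items():
        for rname, rparams in remote.items():
            if lparams == rparams:
                return (lname, rname)
    return None


def audit(proposals):
    """Flag the setting the Security Policy Considerations warn about: DES encryption."""
    findings = []
    for name, params in proposals.items():
        if params.get("encryption") == "des":
            findings.append(f"{name}: DES is weaker than 3DES; the guide recommends 3DES")
    return findings


if __name__ == "__main__":
    a, b = parse_proposals(PEER_A), parse_proposals(PEER_B)
    chosen = negotiate(a, b)
    print("negotiated proposal:", chosen)
    for side, props in (("peer A", a), ("peer B", b)):
        for finding in audit(props):
            print(f"{side} -> {finding}")
    if chosen and a[chosen[0]].get("encryption") == "des":
        print("WARNING: the only common proposal uses DES; align the stronger proposals on both peers")
```

Run as a script it reports that the peers agree only on legacy, so the DES finding on both sides is the one that actually matters; aligning try1 and strong (same encryption, hash, group and lifetime on both ends) is what moves the tunnel to AES or 3DES.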
