Ike Parameters; Ike Peer; Negotiation Mode; Digital Certificate - Cisco VPN 3000 User Manual

13
Policy Management

IKE Parameters

These parameters govern IKE SAs, which are Phase 1 SAs negotiated under IPSec, where the two parties
establish a secure tunnel within which they then negotiate the IPSec SAs. In this IKE SA they exchange
automated key management information under the IKE (Internet Key Exchange) protocol (formerly
called ISAKMP/Oakley).
All these parameters (except IKE Peer) must be configured the same on both parties; the IKE Peer entries
must mirror each other. If you create multiple IPSec SAs for use between two IKE peers, the IKE SA
parameters must be the same on all SAs.
For best performance and interoperability, we strongly recommend that you use the default parameters
where appropriate.

IKE Peer

This parameter applies only to IPSec LAN-to-LAN configurations. It is ignored for IPSec client-to-LAN
configurations.
Enter the IP address of the remote peer VPN Concentrator. Use dotted decimal notation. This must be
the IP address of the public interface on the peer VPN Concentrator.
This IP address must also match the Peer IP Address on the Configuration | System | Tunneling Protocols |
IPSec LAN-to-LAN | Add or Modify screen. It must also match the Group Name for the LAN-to-LAN
connection. When you configure the connection on the Configuration | System | Tunneling Protocols | IPSec
LAN-to-LAN | Add screen, the Manager automatically creates a group with the Peer IP address as the Group
Name. See Configuration | User Management for information on groups.
When you configure this parameter on the remote peer, enter the IP address of this VPN Concentrator;
i.e., the entries must mirror each other.

Negotiation Mode

This parameter sets the mode for exchanging key information and setting up the SAs. It sets the mode
that the initiator of the negotiation uses; the responder auto-negotiates.
Click the drop-down menu button and select the mode:
Aggressive = A faster mode using fewer packets and fewer exchanges, but which does not protect the
identity of the communicating parties.
Main = A slower mode using more packets and more exchanges, but which protects the identities of
the communicating parties. This mode is more secure and it is the default selection.

Digital Certificate

This parameter specifies whether to use preshared keys or a PKI (Public Key Infrastructure) digital
identity certificate to authenticate the peer during Phase 1 IKE negotiations. See the discussion under
Administration | Certificate Management.
Click the drop-down menu button and select the option. The list shows any digital certificates that have
been installed, plus:
None (Use Preshared Keys) = Use preshared keys to authenticate the peer during Phase 1 IKE
negotiations. This is the default selection.
13-26
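As an added example (not from the Cisco manual), a small Python check that applies the rules on this page to a LAN-to-LAN peer pair: every parameter except IKE Peer must match on both parties, the IKE Peer entries must mirror each other (each names the other's public interface), the auto-created group name must equal the Peer IP address, and Aggressive mode leaves peer identities unprotected. The site dictionaries, their key names and the addresses are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample LAN-to-LAN pair (assumed values, not from any real deployment).
# public_ip is each Concentrator's public interface; ike_peer is its IKE Peer entry.
SITE_A = {
    "public_ip": "198.51.100.1",
    "ike_peer": "203.0.113.1",
    "negotiation_mode": "Main",
    "digital_certificate": "None (Use Preshared Keys)",
    "lan_to_lan_group_name": "203.0.113.1",  # group the Manager auto-creates
}
SITE_B = {
    "public_ip": "203.0.113.1",
    "ike_peer": "198.51.100.1",
    "negotiation_mode": "Main",
    "digital_certificate": "None (Use Preshared Keys)",
    "lan_to_lan_group_name": "198.51.100.1",
}

# Parameters that must be identical on both parties (IKE Peer is the exception).
SHARED_KEYS = ("negotiation_mode", "digital_certificate")


def check_ike_pair(a, b):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    for name, cfg in (("A", a), ("B", b)):
        try:
            ipaddress.IPv4Address(cfg["ike_peer"])  # must be dotted-decimal IPv4
        except ValueError:
            findings.append(f"side {name}: IKE Peer {cfg['ike_peer']!r} is not dotted-decimal")
        group = cfg.get("lan_to_lan_group_name")
        if group is not None and group != cfg["ike_peer"]:
            findings.append(f"side {name}: group name {group!r} does not match IKE Peer")
        # Aggressive mode sends the parties' identities unprotected; Main is the default.
        if cfg["negotiation_mode"] == "Aggressive":
            findings.append(f"side {name}: Aggressive mode does not protect peer identities")
    # IKE Peer entries must mirror each other: each names the other's public interface.
    if a["ike_peer"] != b["public_ip"] or b["ike_peer"] != a["public_ip"]:
        findings.append("IKE Peer entries do not mirror each other")
    for key in SHARED_KEYS:
        if a[key] != b[key]:
            findings.append(f"{key} differs between peers: {a[key]!r} vs {b[key]!r}")
    return findings


if __name__ == "__main__":
    for finding in check_ike_pair(SITE_A, SITE_B) or ["pair is consistent"]:
        print(finding)
```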
VPN 3000 Concentrator Series User Guide
