Create IKE Policies - Motorola WS5100 Series Migration Guide

• Allows you to specify a lifetime for the IPSec security association.
• Allows encryption keys to change during IPSec sessions.
• Permits Certification Authority (CA) support for a manageable, scalable IPSec implementation.
• Allows dynamic authentication of peers.
If you do not want IKE to be used with your IPSec implementation, you can disable it for all IPSec peers.
NOTE: IKE must be enabled or disabled at all IPSec peers; you cannot have a mix of IKE-enabled
and IKE-disabled peers within your IPSec network. If IKE is disabled, you must manually specify
all the IPSec security associations in the crypto maps at all peers.
To configure IKE, perform the following steps:
• Create IKE Policies
• Configure Pre-Shared Keys
• Enable IKE
3.4.3.1 Create IKE Policies
An IKE policy must be established identically on both peers, including the pre-shared key. An IKE policy
defines a combination of security parameters to be used during the IKE negotiation. Before configuring a
crypto policy, both ends of the VPN tunnel must agree on five parameters. If any of these
parameters do not match, the VPN tunnel cannot be established.
NOTE: Only main mode of IKE negotiation will be supported.
These are the five parameters to define in each IKE policy:
| Parameter | Accepted Values | Keyword | Default Value |
|---|---|---|---|
| Encryption algorithm | 56-bit DES-CBC | Des | 56-bit DES-CBC |
| | 128-bit AES | Aes | |
| Hash Algorithm | SHA-1 (HMAC variant) | sha | SHA-1 (HMAC variant) |
| | MD5 (HMAC variant) | md5 | |
| Authentication Method | Pre-Shared Keys | pre-share | Pre-Shared Keys |
| | CA-Certificate | cert | |
| Security Association's Lifetime | Can specify any number of seconds | - | 86400 seconds (one day) |
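The matching requirement and the defaults in the table can be checked before a tunnel is brought up. The following Python code is an added example, not code from the Motorola guide: it fills unset parameters with the table defaults, compares two peers' policies, and flags DES and MD5 as deprecated choices (an editorial observation, not a statement from the guide). The dict-based policy format, the function names and the lowercase keyword spelling are assumptions.

```python
# Added example: not taken from the Motorola guide or the switch software.
# Keywords and defaults follow the parameter table on this page; the dict
# policy format and lowercase keyword spelling are assumptions.
DEFAULTS = {
    "encryption": "des",
    "hash": "sha",
    "authentication": "pre-share",
    "lifetime": 86400,  # seconds (one day)
}
ALLOWED = {
    "encryption": {"des", "aes"},
    "hash": {"sha", "md5"},
    "authentication": {"pre-share", "cert"},
}
# Editorial observation, not from the guide: these choices are deprecated.
WEAK = {("encryption", "des"), ("hash", "md5")}


def effective_policy(configured):
    """Fill unset parameters with the table defaults and validate values."""
    unknown = set(configured) - set(DEFAULTS)
    if unknown:
        raise ValueError(f"unknown parameter(s): {sorted(unknown)}")
    policy = {**DEFAULTS, **configured}
    for name, allowed in ALLOWED.items():
        if policy[name] not in allowed:
            raise ValueError(f"{name}: unknown keyword {policy[name]!r}")
    if not isinstance(policy["lifetime"], int) or policy["lifetime"] <= 0:
        raise ValueError("lifetime must be a positive number of seconds")
    return policy


def compare_peers(local, remote):
    """Return (mismatches, weak) for two peers' configured IKE policies."""
    a, b = effective_policy(local), effective_policy(remote)
    mismatches = [(k, a[k], b[k]) for k in DEFAULTS if a[k] != b[k]]
    weak = sorted({(k, p[k]) for p in (a, b) for k in ALLOWED if (k, p[k]) in WEAK})
    return mismatches, weak


if __name__ == "__main__":
    # Constructed sample: site B leaves encryption unset, so it defaults to des.
    site_a = {"encryption": "aes", "hash": "sha", "lifetime": 28800}
    site_b = {"hash": "sha", "lifetime": 28800}
    mismatches, weak = compare_peers(site_a, site_b)
    for name, left, right in mismatches:
        print(f"MISMATCH {name}: local={left} remote={right}")
    for name, value in weak:
        print(f"WEAK {name}={value}")
```

A parameter left unset on one peer silently takes the table default, which is the most common way two policies that look alike end up mismatched.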