Step 2: Determine IPSec IKE Phase 2 Policy

Determine the following policy details:

* IPSec algorithms and parameters for optimal security and performance

* Transforms and, if necessary, transform sets

* IPSec peer details

* IP address and applications of hosts to be protected

* Manual or IKE-initiated SAs

Goal: Minimize misconfiguration

© 2004 Cisco Systems, Inc. All rights reserved. bcran v2.1—5-5

An IPSec policy defines a combination of IPSec parameters that are used during the IPSec negotiation. Planning for IPSec (IKE Phase 2) is another important step you should complete before actually configuring IPSec on a Cisco router. Policy details to determine at this stage include:

■ Select IPSec algorithms and parameters for optimal security and performance:

Determine what type of IPSec security to use when securing interesting traffic. Some IPSec algorithms require that you make tradeoffs between high performance and stronger security. Some algorithms have import and export restrictions that may delay or prevent implementation of your network.

■ Select transforms and, if necessary, transform sets: Use the IPSec algorithms and parameters previously decided upon to help select IPSec transforms, transform sets, and modes of operation.

■ Identify IPSec peer details: Identify the IP addresses and host names of all IPSec peers to which you will connect.

■ Determine IP address and applications of hosts to be protected: Decide which IP addresses and applications of hosts should be protected at the local peer and remote peer.

■ Select manual or IKE-initiated SAs: Choose whether SAs are manually established or are established via IKE.

The goal of this planning step is to gather the precise data that you will need in later steps to minimize misconfiguration.
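The planning items above are exactly the values that must agree on both peers before a Phase 2 SA can come up, so the worksheet is worth checking mechanically before anything is typed into a router. The following Python script is an added example, not part of the BCRAN course material: it records each peer's planned Phase 2 policy (transform sets, peer addresses, the hosts to protect, manual or IKE-negotiated SAs), flags the misconfigurations this step is meant to prevent (weak transforms, no common transform set, peer addresses that do not point at each other, crypto ACLs that are not mirror images, mismatched SA setup), and renders the corresponding IOS commands. The hostnames, addresses and network ranges are constructed placeholders, and the rendered IOS syntax is the common crypto-map form, assumed here rather than taken from the page.

```python
"""Phase 2 (IPSec) policy worksheet with a cross-peer consistency check.

Added example, not from the BCRAN course material. All peer names,
addresses and networks are constructed placeholders. The IOS command
forms rendered at the bottom are an assumption; verify them on your IOS.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Transforms the worksheet refuses to plan around (policy choice, assumption).
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac", "esp-null"}

# A crypto-ACL entry: (src_net, src_wildcard, dst_net, dst_wildcard), protocol ip.
Flow = Tuple[str, str, str, str]


@dataclass
class TransformSet:
    name: str
    transforms: Tuple[str, ...]      # e.g. ("esp-aes 256", "esp-sha-hmac")
    mode: str = "tunnel"             # "tunnel" or "transport"

    def key(self):
        # Set names may differ between peers; algorithms and mode must match.
        return (frozenset(self.transforms), self.mode)


@dataclass
class Phase2Policy:
    hostname: str
    local_addr: str                  # this peer's IPSec endpoint
    remote_addr: str                 # the peer it negotiates with
    transform_sets: List[TransformSet]
    flows: List[Flow]                # interesting traffic, local -> remote
    sa_setup: str = "ike"            # "ike" (IKE-negotiated) or "manual"


def _mirror(flows):
    """Mirror image of a peer's crypto ACL as seen from the other side."""
    return {(d, dw, s, sw) for (s, sw, d, dw) in flows}


def check_pair(a: Phase2Policy, b: Phase2Policy):
    """Return (code, detail) findings for everything that would stop Phase 2."""
    findings = []
    for p in (a, b):
        for ts in p.transform_sets:
            for t in ts.transforms:
                if t.split()[0] in WEAK_TRANSFORMS:
                    findings.append(("WEAK-ALG", f"{p.hostname}: {ts.name} uses {t}"))
    if not {ts.key() for ts in a.transform_sets} & {ts.key() for ts in b.transform_sets}:
        findings.append(("NO-COMMON-TRANSFORM",
                         f"{a.hostname} and {b.hostname} share no transform set"))
    if a.remote_addr != b.local_addr or b.remote_addr != a.local_addr:
        findings.append(("PEER-MISMATCH", "peer addresses do not point at each other"))
    for p, other in ((a, b), (b, a)):
        for flow in p.flows:
            if flow not in _mirror(other.flows):
                findings.append(("ACL-NOT-MIRRORED",
                                 f"{p.hostname} flow {flow} has no mirror on {other.hostname}"))
    if a.sa_setup != b.sa_setup:
        findings.append(("SA-MODE-MISMATCH", f"{a.sa_setup} vs {b.sa_setup}"))
    return findings


def render_ios(p: Phase2Policy, map_name="VPNMAP", acl_name="VPN-TRAFFIC", seq=10):
    """Render the planned policy as IOS commands (crypto-map form, assumed)."""
    lines = []
    for ts in p.transform_sets:
        lines.append(f"crypto ipsec transform-set {ts.name} {' '.join(ts.transforms)}")
        lines.append(f" mode {ts.mode}")
    lines.append(f"ip access-list extended {acl_name}")
    for s, sw, d, dw in p.flows:
        lines.append(f" permit ip {s} {sw} {d} {dw}")
    # Manual SAs would additionally need session keys, which are not modelled.
    kind = "ipsec-isakmp" if p.sa_setup == "ike" else "ipsec-manual"
    lines.append(f"crypto map {map_name} {seq} {kind}")
    lines.append(f" set peer {p.remote_addr}")
    lines.append(f" set transform-set {' '.join(ts.name for ts in p.transform_sets)}")
    lines.append(f" match address {acl_name}")
    return "\n".join(lines)


# Constructed sample: a consistent pair, and a remote peer planned badly.
AES_SHA = TransformSet("AES256-SHA", ("esp-aes 256", "esp-sha-hmac"))
ROUTER_A = Phase2Policy("RouterA", "192.0.2.1", "198.51.100.1", [AES_SHA],
                        [("10.1.1.0", "0.0.0.255", "10.2.2.0", "0.0.0.255")])
ROUTER_B = Phase2Policy("RouterB", "198.51.100.1", "192.0.2.1",
                        [TransformSet("SITE-A", ("esp-sha-hmac", "esp-aes 256"))],
                        [("10.2.2.0", "0.0.0.255", "10.1.1.0", "0.0.0.255")])
ROUTER_B_BAD = Phase2Policy("RouterB", "198.51.100.1", "192.0.2.1",
                            [TransformSet("OLD", ("esp-des", "esp-md5-hmac"))],
                            [("10.2.2.0", "0.0.0.255", "10.1.1.0", "0.0.0.255"),
                             ("10.2.3.0", "0.0.0.255", "10.1.1.0", "0.0.0.255")],
                            sa_setup="manual")

if __name__ == "__main__":
    for code, detail in check_pair(ROUTER_A, ROUTER_B_BAD):
        print(f"{code:20} {detail}")
    print(render_ios(ROUTER_A))
```

Run stand-alone, the script lists the findings for the badly planned remote peer and then prints RouterA's rendered commands; a clean pair returns no findings. Matching transform sets by algorithm set and mode rather than by name reflects what the negotiation actually compares, and the mirrored-ACL check catches the most common Phase 2 failure, where one side protects a subnet the other side does not.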
