Determine IKE Phase One Policy

[Figure: IKE phase one policy parameters for the two IPSec peers, PIX1 at Site 1 and PIX2 at Site 2]

©2000, Cisco Systems,

CSPFA 1.01-7-13


An IKE policy defines a combination of security parameters to be used during the IKE negotiation. A group of policies makes up a "protection suite" of multiple policies that enable IPSec peers to establish IKE sessions and SAs with a minimum of configuration.

You should determine IKE policy details for each IPSec peer before configuring IKE. The figure shows a summary of some IKE policy details that will be configured in the examples in this chapter.

Plan for IPSec


Planning includes the following:

■ Select IPSec algorithms and parameters for optimal security and performance.

■ Identify IPSec peer PIX details.

■ Determine IP addresses and applications of hosts to be protected.

■ Select manual or IKE-initiated SAs.

Goal: Minimize misconfiguration

© 2000, Cisco Systems, Inc.

www.cisco.com CSPFA 1.01-7-14

Planning for IPSec (IKE phase two) is another important step you should complete before actually configuring the PIX Firewall. Items to determine at this stage include the following:

■ Select IPSec algorithms and parameters for optimal security and performance. You should determine what type of IPSec security will be used to secure interesting traffic. Some IPSec parameters require you to make tradeoffs between high performance and stronger security.

■ Identify IPSec peer details. You must identify the IP addresses and hostnames of all IPSec peers you will connect to.

■ Determine the IP addresses and applications of the hosts to be protected at the local peer and the remote peer.

■ Decide whether security associations are manually established or are established via IKE.

Note IPSec security associations can be configured manually, but this is not recommended because IKE is easier to configure.

The goal of this planning step is to gather the precise data you will need in later steps to minimize misconfiguration.
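The IKE policy paragraph above describes a "protection suite" of policies from which the two peers must find a match, and this planning section asks you to settle the parameters on paper before configuring either PIX. The following Python script is an added example, not course material and not PIX code: it models the IKE phase one policy match as Cisco documents it (identical encryption, hash, authentication and Diffie-Hellman group; the responder's lifetime must not exceed the initiator's; the shorter lifetime is used) and runs the negotiation in both directions so that a table that only works when one particular site initiates is caught at planning time. The policy tables for PIX1 and PIX2 are constructed sample values, not the ones from the course figure.

```python
"""
Added example, not part of the Cisco course material: a planning aid that
models IKE phase one policy negotiation between two IPSec peers so that a
policy mismatch is found on paper before either PIX is configured.

Matching rule implemented (the rule Cisco documents for IKE policies): the
initiator offers all of its policies; the responder walks its own policies in
priority order (lowest number = highest priority) and accepts the first one
whose encryption, hash, authentication method and Diffie-Hellman group equal
an offered policy, provided the responder's lifetime is less than or equal to
the offered lifetime. The shorter lifetime is the one used for the SA.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkePolicy:
    priority: int        # 1..65534; lower number = higher priority
    encryption: str      # "des" or "3des"
    hash: str            # "md5" or "sha"
    authentication: str  # "pre-share" or "rsa-sig"
    group: int           # Diffie-Hellman group 1 or 2
    lifetime: int        # IKE SA lifetime in seconds

    def proposal(self) -> Tuple[str, str, str, int]:
        """The four parameters that must be identical on both peers."""
        return (self.encryption, self.hash, self.authentication, self.group)


def negotiate(initiator: List[IkePolicy],
              responder: List[IkePolicy]) -> Optional[Tuple[int, int, int]]:
    """
    Simulate the responder's search. Returns (initiator_priority,
    responder_priority, agreed_lifetime) for the first match, or None.
    """
    for r in sorted(responder, key=lambda p: p.priority):
        for i in sorted(initiator, key=lambda p: p.priority):
            if r.proposal() == i.proposal() and r.lifetime <= i.lifetime:
                return (i.priority, r.priority, min(i.lifetime, r.lifetime))
    return None


def explain_mismatch(a: IkePolicy, b: IkePolicy) -> List[str]:
    """List the parameters that stop offered policy a and responder policy b matching."""
    reasons = []
    names = ("encryption", "hash", "authentication", "group")
    for name, x, y in zip(names, a.proposal(), b.proposal()):
        if x != y:
            reasons.append(f"{name}: {x} vs {y}")
    if b.lifetime > a.lifetime:
        reasons.append(f"lifetime: responder {b.lifetime}s exceeds offered {a.lifetime}s")
    return reasons


def planning_check(site1: List[IkePolicy], site2: List[IkePolicy]) -> dict:
    """
    Run the negotiation in both directions, since either PIX may initiate.
    A tunnel that only comes up when one particular side initiates is a
    misconfiguration that this check makes visible before deployment.
    """
    return {
        "site1_initiates": negotiate(site1, site2),
        "site2_initiates": negotiate(site2, site1),
    }


# Constructed sample policy tables for the two peers of the figure (PIX1 at
# Site 1, PIX2 at Site 2). The values are illustrative, not the course's.
PIX1_POLICIES = [
    IkePolicy(10, "3des", "sha", "pre-share", 2, 86400),
    IkePolicy(20, "des", "md5", "pre-share", 1, 86400),
]
PIX2_POLICIES = [
    IkePolicy(10, "des", "sha", "pre-share", 2, 86400),
    IkePolicy(20, "3des", "sha", "pre-share", 2, 43200),
]

if __name__ == "__main__":
    result = planning_check(PIX1_POLICIES, PIX2_POLICIES)
    for direction, outcome in result.items():
        print(f"{direction}: {outcome if outcome else 'NO MATCH'}")
    # Show why the two highest-priority policies do not match each other.
    print("policy 10 vs policy 10:",
          explain_mismatch(PIX1_POLICIES[0], PIX2_POLICIES[0]))
```

With these sample tables the tunnel negotiates only when Site 1 initiates (PIX1 policy 10 against PIX2 policy 20, lifetime 43200 s); when Site 2 initiates, PIX1's 86400 s lifetime on policy 10 exceeds the 43200 s offered, and no other pair agrees on the four proposal parameters. Aligning the lifetimes, or making the highest-priority policy identical on both peers, is the planning fix.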
