IKE Phase One Policy Parameters

©2000, Cisco Systems,

CSPFA 1.01-7-12

An IKE policy defines a combination of security parameters to be used during the IKE negotiation. A group of policies makes up a "protection suite" that enables IPSec peers to establish IKE sessions and SAs with a minimum of configuration.

Create IKE Policies for a Purpose

IKE negotiations must be protected, so each IKE negotiation begins with the two peers agreeing on a common (shared) IKE policy. This policy states which security parameters will be used to protect subsequent IKE negotiations.

After the two peers agree upon a policy, the security parameters of the policy are identified by a security association established at each peer, and these security associations apply to all subsequent IKE traffic during the negotiation.

You can create multiple, prioritized policies at each peer to ensure that at least one policy will match a remote peer's policy.

Define IKE Policy Parameters

You can select specific values for each IKE parameter, per the IKE standard. You choose one value over another based on the security level you desire and the type of IPSec peer to which you will connect.

There are five parameters to define in each IKE policy, as outlined in the figure and in the following table. The figure shows the relative strength of each parameter, and the table shows the default values.

IKE Policy Parameters

Parameter                                                  | Accepted Values                                   | Keyword            | Default
-----------------------------------------------------------|---------------------------------------------------|--------------------|------------------------
Message encryption algorithm                               | 56-bit DES; 168-bit 3DES                          | des; 3des          | DES
Message integrity (hash) algorithm                         | SHA-1 (HMAC variant); MD5 (HMAC variant)          | sha; md5           | SHA-1
Peer authentication method                                 | Pre-shared keys; RSA signatures                   | pre-share; rsa-sig | RSA signatures
Key exchange parameters (Diffie-Hellman group identifier)  | 768-bit Diffie-Hellman; 1024-bit Diffie-Hellman   | 1; 2               | 768-bit Diffie-Hellman
ISAKMP-established security association's lifetime         | Can specify any number of seconds                 |                    | 86,400 seconds (1 day)

Note: 3DES provides stronger encryption than DES. The tradeoffs of 3DES are that it takes more processing power, and it may be restricted for export to or import into some countries.

Note: RSA signatures are used with CA support, and require enrollment with a CA server.
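As an added illustration (not part of the course material), the following Python model shows how prioritized policies and the table's defaults interact during policy selection: it parses PIX-style "isakmp policy <priority> <parameter> <value>" lines (that command syntax is assumed here), fills in unspecified parameters from the table's default column, and picks the first local/remote policy pair, in priority order, whose encryption, hash, authentication and Diffie-Hellman group agree. The rule that the shorter of the two lifetimes is used is an assumption taken from Cisco's IKE documentation, not something this page states.

```python
# Constructed example (not from the course): model IKE phase-one policy
# selection with the five parameters from the table above.

# Defaults from the table, using the keywords the page lists.
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": 86400}
ACCEPTED = {"encryption": {"des", "3des"}, "hash": {"sha", "md5"},
            "authentication": {"pre-share", "rsa-sig"}, "group": {"1", "2"}}
MATCH_KEYS = ("encryption", "hash", "authentication", "group")

# Constructed configs: local policy 10 is the stronger one, policy 20 is a
# fallback that differs from the table defaults only in authentication.
LOCAL_CONFIG = """isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 authentication pre-share
isakmp policy 10 group 2
isakmp policy 20 authentication pre-share"""
REMOTE_CONFIG = """isakmp policy 5 authentication pre-share
isakmp policy 5 lifetime 3600"""


def parse_policies(config):
    """Parse PIX-style 'isakmp policy <prio> <param> <value>' lines (syntax assumed)
    into policies sorted by priority (lowest number first), defaults applied."""
    policies = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[:2] != ["isakmp", "policy"]:
            continue  # ignore unrelated or malformed lines
        prio, param, value = int(parts[2]), parts[3], parts[4]
        if param == "lifetime":
            value = int(value)  # any number of seconds is accepted
        elif value not in ACCEPTED.get(param, set()):
            raise ValueError(f"policy {prio}: unsupported {param} value {value!r}")
        policies.setdefault(prio, dict(DEFAULTS))[param] = value
    return [dict(policies[p], priority=p) for p in sorted(policies)]


def negotiate(local, remote):
    """Return the first local policy (by priority) whose encryption, hash,
    authentication and DH group equal some remote policy, else None.
    Assumption (from Cisco's IKE documentation, not this page): when the
    lifetimes differ, the shorter one is used for the resulting SA."""
    for lp in local:
        for rp in remote:
            if all(lp[k] == rp[k] for k in MATCH_KEYS):
                return dict(lp, lifetime=min(lp["lifetime"], rp["lifetime"]))
    return None


if __name__ == "__main__":
    # Local policy 10 does not match the remote's DES/group 1 policy, so the
    # fallback policy 20 is chosen with the remote's shorter 3600 s lifetime.
    print(negotiate(parse_policies(LOCAL_CONFIG), parse_policies(REMOTE_CONFIG)))
```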
