25-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Overview of IKE and IPsec Configurations
• Preshared keys—For remote access IKEv1 IPsec VPNs, you define the preshared keys in the Connection Profiles policy; preshared keys are not supported for IKEv2 in remote access VPNs. For site-to-site VPNs, you define the keys in the IKEv1 Preshared Keys or the IKEv2 Authentication policy based on the IKE version you are using.
The following topics explain preshared key configuration:
– IPSec Tab (Connection Profiles), page 30-16
– Configuring IKEv1 Preshared Key Policies, page 25-44
– Configuring IKEv2 Authentication in Site-to-Site VPNs, page 25-62
• Public Key Infrastructure Certificate Authority servers—If you configure IKE to use Certificate Authority (CA) servers, you must configure the Public Key Infrastructure policy. You also use this policy to define the Public Key Infrastructure for SSL VPNs. For site-to-site VPNs, the policy is IKEv1 Public Key Infrastructure or IKEv2 Authentication, based on the IKE version you are using.
The Public Key Infrastructure policy identifies the PKI enrollment object that identifies the Certificate Authority server. For site-to-site VPNs, you can select a single PKI enrollment object; for remote access VPNs, you can select all objects needed for your remote access connections. These trustpoints are then identified in the remote access Connection Profiles policy (on the IPsec tab).
The following topics explain public key infrastructure configuration:
– Understanding Public Key Infrastructure Policies, page 25-47
– Configuring IKEv1 Public Key Infrastructure Policies in Site-to-Site VPNs, page 25-50
– Defining Multiple IKEv1 CA Servers for Site-to-Site VPNs, page 25-51
– Configuring Public Key Infrastructure Policies for Remote Access VPNs, page 25-52
– IPSec Tab (Connection Profiles), page 30-16
– Configuring IKEv2 Authentication in Site-to-Site VPNs, page 25-62
Step 3 Configure the IPsec Proposal policy. The IPsec Proposal policy defines the IPsec transform set policy objects used to create a secure IPsec tunnel for the VPN.
The following topics explain how to configure the IPsec Proposal policy:
• Configuring IPsec Proposals in Site-to-Site VPNs, page 25-21
– Selecting the IKE Version for Devices in Site-to-Site VPNs, page 25-25
– Configuring IPSec IKEv1 or IKEv2 Transform Set Policy Objects, page 25-25
• Configuring an IPsec Proposal for Easy VPN, page 27-10
• Configuring an IPsec Proposal on a Remote Access VPN Server (ASA, PIX 7.0+ Devices), page 30-33
• Configuring an IPsec Proposal on a Remote Access VPN Server (IOS, PIX 6.3 Devices), page 32-3
Step 4 Configure the Global Settings policy.
The Global Settings (remote access) and VPN Global Settings (site-to-site) policies define various ISAKMP, IKEv1, IKEv2, IPsec, NAT, fragmentation, and other settings. These settings have default values that are frequently adequate, so normally you need to configure the Global Settings policy only if you want non-default behavior. However, you must configure the policy for remote access IKEv2 IPsec VPNs, because you must specify a remote access global trustpoint on the IKEv2 Settings tab.
The following topics explain how to configure the Global Settings policy:
• Configuring VPN Global Settings, page 25-29
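The authentication, IPsec Proposal, and Global Settings steps above each depend on the VPN type (remote access or site-to-site) and the IKE version, and two combinations are explicitly unsupported or mandatory: preshared keys with IKEv2 remote access, and a remote access IKEv2 VPN without a global trustpoint on the IKEv2 Settings tab. The following added example (not Cisco Security Manager code) turns those rules into a pre-deployment lint that lists which Security Manager policies a planned VPN needs and flags the invalid combinations before anyone opens the GUI. The `VPNPlan` fields and the policy-name strings are assumptions made for this example; only the rules themselves come from the text above.

```python
"""Pre-deployment lint for the IKE/IPsec policy choices described in this chapter.

Added example, not Cisco Security Manager code. It encodes only the rules stated
in the steps above; the VPNPlan structure, field names and policy-name strings
are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Policy names as they appear in the text above (constructed string constants).
POLICY_CP_PSK = "Connection Profiles (IPsec tab: preshared key)"
POLICY_CP_TRUSTPOINT = "Connection Profiles (IPsec tab: trustpoint)"
POLICY_IKEV1_PSK = "IKEv1 Preshared Keys"
POLICY_IKEV1_PKI = "IKEv1 Public Key Infrastructure"
POLICY_IKEV2_AUTH = "IKEv2 Authentication"
POLICY_PKI = "Public Key Infrastructure"
POLICY_IPSEC_PROPOSAL = "IPsec Proposal"
POLICY_GLOBAL_IKEV2 = "Global Settings (IKEv2 Settings tab: remote access global trustpoint)"
POLICY_GLOBAL_OPTIONAL = "Global Settings / VPN Global Settings (optional; defaults usually adequate)"


@dataclass
class VPNPlan:
    """One planned VPN; field names are assumptions for this example."""
    name: str
    vpn_type: str                 # "remote-access" or "site-to-site"
    ike_version: int              # 1 or 2
    auth_method: str              # "psk" (preshared keys) or "ca" (certificate authority)
    ra_global_trustpoint: Optional[str] = None   # only meaningful for remote access IKEv2


@dataclass
class LintResult:
    required_policies: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def lint_vpn_plan(plan: VPNPlan) -> LintResult:
    """Return the policies the plan needs plus any rule violations from the text."""
    result = LintResult()
    if plan.vpn_type not in ("remote-access", "site-to-site"):
        result.errors.append(f"{plan.name}: unknown vpn_type {plan.vpn_type!r}")
        return result
    if plan.ike_version not in (1, 2):
        result.errors.append(f"{plan.name}: unknown IKE version {plan.ike_version!r}")
        return result
    if plan.auth_method not in ("psk", "ca"):
        result.errors.append(f"{plan.name}: unknown auth_method {plan.auth_method!r}")
        return result

    s2s = plan.vpn_type == "site-to-site"

    # Authentication: where the preshared key or CA configuration lives.
    if plan.auth_method == "psk":
        if s2s:
            result.required_policies.append(
                POLICY_IKEV1_PSK if plan.ike_version == 1 else POLICY_IKEV2_AUTH)
        elif plan.ike_version == 1:
            result.required_policies.append(POLICY_CP_PSK)
        else:
            # Rule: preshared keys are not supported for IKEv2 in remote access VPNs.
            result.errors.append(
                f"{plan.name}: preshared keys are not supported for IKEv2 remote access VPNs")
    else:
        if s2s:
            result.required_policies.append(
                POLICY_IKEV1_PKI if plan.ike_version == 1 else POLICY_IKEV2_AUTH)
        else:
            # Remote access: PKI policy selects the enrollment objects, the
            # Connection Profiles IPsec tab then references those trustpoints.
            result.required_policies.append(POLICY_PKI)
            result.required_policies.append(POLICY_CP_TRUSTPOINT)

    # Step 3: every VPN type needs an IPsec Proposal (transform sets).
    result.required_policies.append(POLICY_IPSEC_PROPOSAL)

    # Step 4: Global Settings is optional except for remote access IKEv2,
    # which must name a global trustpoint on the IKEv2 Settings tab.
    if not s2s and plan.ike_version == 2:
        result.required_policies.append(POLICY_GLOBAL_IKEV2)
        if not plan.ra_global_trustpoint:
            result.errors.append(
                f"{plan.name}: remote access IKEv2 requires a global trustpoint "
                "on the Global Settings IKEv2 Settings tab")
    else:
        result.required_policies.append(POLICY_GLOBAL_OPTIONAL)
    return result


if __name__ == "__main__":
    # Constructed sample plans covering the valid and invalid combinations.
    for p in (VPNPlan("branch-ra", "remote-access", 1, "psk"),
              VPNPlan("hq-ra", "remote-access", 2, "psk"),
              VPNPlan("hq-ra-cert", "remote-access", 2, "ca", "EXAMPLE-TRUSTPOINT"),
              VPNPlan("dc-link", "site-to-site", 2, "psk")):
        r = lint_vpn_plan(p)
        print(p.name, "OK" if r.ok else "ERRORS", r.required_policies, r.errors)
```

Run as a script it prints each plan's required policies and errors; the same function can be applied to a list of planned VPNs exported from a change ticket to catch the unsupported combinations before deployment.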