25-8
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Understanding IKE
Related Topics
• Understanding IKE, page 25-5
• Configuring an IKE Proposal, page 25-9
Deciding Which Authentication Method to Use
Security Manager supports two methods for authenticating peer devices in a VPN:
• Preshared Key—A secret key configured on both peers and used by IKE during the authentication phase.
The same key must be configured on each peer; if the keys do not match, peer authentication fails and
the IKE SA cannot be established.
To use IKE successfully with this device authentication method, you must define various preshared
key parameters. For more information, see the appropriate topic:
– Site-to-site VPN, IKEv1 configuration—See Configuring IKEv1 Preshared Key Policies, page 25-44.
– Site-to-site VPN, IKEv2 configuration—See Configuring IKEv2 Authentication in Site-to-Site VPNs, page 25-62.
– Remote access IPsec VPN, IKEv1—Configured on the IPsec tab of the connection profile. See IPSec Tab (Connection Profiles), page 30-16.
– Remote access IPsec VPN, IKEv2—You cannot use preshared keys when using IKEv2 in a remote access IPsec VPN. You must use certificates.
• Certificate—An authentication method in which each peer holds an RSA key pair and uses it to sign and
encrypt IKE key management messages. Certificates provide non-repudiation of communication between
two peers: because only the holder of a private key can produce a signature that its certificate verifies,
it can be proved that a given peer actually took part in the exchange. When using this authentication
method, peers are configured to obtain digital certificates from a Certification Authority (CA). CAs
manage certificate requests and issue certificates to participating IPsec network devices, providing
centralized key management for those devices.
Preshared keys do not scale well, because a key must be configured between each pair of encrypting
devices. A CA improves the manageability and scalability of your IPsec network: instead of configuring
keys between all encrypting devices, you register each participating device with the CA and have it
request a certificate. Each device that has its own certificate and the public key of the CA can then
authenticate every other device within that CA's domain.
To use IKE successfully with the Certificate authentication method, you must define parameters for
CA authentication and enrollment. For more information, see the appropriate topic:
– Site-to-site VPN, IKEv1 configuration—See Understanding Public Key Infrastructure Policies, page 25-47.
– Site-to-site VPN, IKEv2 configuration—See Configuring IKEv2 Authentication in Site-to-Site VPNs, page 25-62.
– Remote access IPsec VPN, IKEv1—Configured on the IPsec tab of the connection profile as explained in IPSec Tab (Connection Profiles), page 30-16. You must also configure the Public Key Infrastructure policy with the same trustpoint; see Understanding Public Key Infrastructure Policies, page 25-47.
– Remote access IPsec VPN, IKEv2—Configure the global trustpoint on the IKEv2 Settings tab of the Global Settings policy as explained in Configuring VPN Global IKEv2 Settings, page 25-34. You must also configure the Public Key Infrastructure policy with the same trustpoint; see Understanding Public Key Infrastructure Policies, page 25-47.
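Both authentication methods come down to how the IKE AUTH payload is built and then checked by the peer. The Go program below is an added example written for this page; it is not code from Cisco Security Manager, from the devices it manages, or from this guide. It assumes HMAC-SHA256 as the negotiated PRF, RSASSA-PKCS1-v1_5 over SHA-256 as the signature scheme, a constructed byte string in place of the real IKE_SA_INIT transcript, and the hypothetical names Example Root CA and vpn-gw1.example.com. It shows why a preshared key that differs on one peer can never establish the IKE SA, and why a peer that holds nothing but the CA certificate can authenticate any device that CA has enrolled.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// prf is this example's PRF (HMAC-SHA256, an assumption); a real IKE SA negotiates it.
func prf(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// PskAuth is the shared-key AUTH payload of RFC 7296 section 2.15:
// prf(prf(Shared Secret, "Key Pad for IKEv2"), SignedOctets).
func PskAuth(psk, signedOctets []byte) []byte {
	return prf(prf(psk, []byte("Key Pad for IKEv2")), signedOctets)
}

// VerifyPskAuth recomputes the value with the verifier's own copy of the key, so it
// succeeds only if both peers hold the same key. Because the verifier can produce the
// identical value itself, the payload proves nothing to a third party.
func VerifyPskAuth(psk, signedOctets, auth []byte) bool {
	return hmac.Equal(PskAuth(psk, signedOctets), auth)
}

// Device is what an enrolled peer holds: its RSA key pair and its certificate.
type Device struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// NewDevice generates a key pair and certificate. With ca == nil it builds the self-signed
// root that stands in for the CA; otherwise ca issues the certificate (the enrollment step).
func NewDevice(name string, serial int64, ca *Device) (*Device, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	parent, signer := tmpl, key // self-signed unless a CA is given
	if ca != nil {
		parent, signer = ca.Cert, ca.Key
	} else {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Device{Key: key, Cert: cert}, err
}

// SignAuth is the certificate-method AUTH payload: a signature over the same signed
// octets with the device's private key (RSASSA-PKCS1-v1_5 over SHA-256 is this example's choice).
func SignAuth(d *Device, signedOctets []byte) ([]byte, error) {
	digest := sha256.Sum256(signedOctets)
	return rsa.SignPKCS1v15(rand.Reader, d.Key, crypto.SHA256, digest[:])
}

// VerifyCertAuth holds no secret: with only the CA certificate it chains the presented
// certificate to that CA, then checks the signature with the public key inside it.
func VerifyCertAuth(caCert, peerCert *x509.Certificate, signedOctets, sig []byte) bool {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err := peerCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return false // not enrolled with this CA (or expired): the signature is never examined
	}
	return peerCert.CheckSignature(x509.SHA256WithRSA, signedOctets, sig) == nil
}

func main() {
	octets := []byte("constructed IKE_SA_INIT transcript: SAi1|KEi|Ni|Nr|IDi") // stand-in
	auth := PskAuth([]byte("hub-spoke-secret"), octets)
	fmt.Println("PSK, same key on both peers:", VerifyPskAuth([]byte("hub-spoke-secret"), octets, auth))
	fmt.Println("PSK, typo on one peer:", VerifyPskAuth([]byte("hub-spoke-secrat"), octets, auth))
	ca, _ := NewDevice("Example Root CA", 1, nil)
	gw1, _ := NewDevice("vpn-gw1.example.com", 2, ca)
	sig, _ := SignAuth(gw1, octets)
	fmt.Println("cert, enrolled with our CA:", VerifyCertAuth(ca.Cert, gw1.Cert, octets, sig))
	fmt.Println("cert, altered transcript:", VerifyCertAuth(ca.Cert, gw1.Cert, []byte("x"), sig))
}
```

The difference between the two methods is visible in the two verifier functions. VerifyPskAuth needs the key itself, so whoever checks the payload could equally have produced it, which is why a preshared key gives no non-repudiation and why every pair of peers needs its own configured key. VerifyCertAuth needs only the CA certificate, and the chain check rejects a peer that presents a certificate with the right name but issued by some other CA before its signature is even looked at; that is the "CA's domain" boundary the text refers to.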