Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Understanding IKE
Related Topics
Understanding IKE, page 25-5
Configuring an IKE Proposal, page 25-9
Configuring an IKE Proposal
In Security Manager, an IKE proposal is a mandatory policy when you configure a site-to-site or remote
access IPsec VPN. When you use the configuration wizard to create a new IPsec VPN, an IKE Proposal
policy is automatically assigned to the VPN; the policy might be the factory default, or it might be a
shared policy specifically selected for the VPN. For more information about the IKE (Internet Key
Exchange) key management protocol, see Understanding IKE, page 25-5.
Use the IKE Proposal policy to examine the current IKE proposals and to configure new proposals, except
for GET VPN topologies. For GET VPN, see Configuring the IKE Proposal for GET VPN, page 28-15.
Tips
• For site-to-site VPNs, you can select at most one IKE proposal per IKE version. For remote access
  IPsec VPNs, you can select multiple proposals for each IKE version; select all IKE proposals that
  are allowed in the remote access VPN.
• To configure IKEv2 (version 2), the device must be an ASA running ASA Software release 8.4(1)
  or higher.
• The IPsec Proposal policy must enable IKEv1, IKEv2, or both, to match the IKE proposals you
  configure in this policy. In cases where you cannot configure IKEv2 in the IPsec proposal, such as
  in Easy VPN topologies, IKEv2 is not supported. For more information, see Understanding IPsec
  Proposals, page 25-17.
• The IKEv1 Proposal objects specify whether preshared keys or certificates are used for
  authentication. You must configure the appropriate policies to configure preshared keys or Public
  Key Infrastructure settings. For IKEv2, the object does not specify whether preshared keys or
  certificates are used, but other policies must define the authentication requirements. For more
  information, see Deciding Which Authentication Method to Use, page 25-8.
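
The first three tips can be checked mechanically before a VPN design is entered. The following is an added example, not part of the Cisco guide or of Security Manager: the dictionary layout, the function names and the sample VPN are assumptions made for illustration, and "match" in the third tip is read here as "the same set of IKE versions".

```python
import re

def parse_asa_release(text):
    """Parse an ASA release string such as '8.4(1)' into (8, 4, 1)."""
    m = re.match(r"(\d+)\.(\d+)\((\d+)\)", text.strip())
    if not m:
        raise ValueError(f"unrecognized ASA release: {text!r}")
    return tuple(int(g) for g in m.groups())

def check_ike_policy(vpn):
    """Return rule violations for one VPN (dict layout is an assumption)."""
    problems = []
    by_version = {1: [], 2: []}
    for prop in vpn["ike_proposals"]:
        by_version[prop["ike_version"]].append(prop["name"])

    # Site-to-site: at most one IKE proposal per IKE version.
    # Remote access may list several, so it is not checked here.
    if vpn["type"] == "site-to-site":
        for ver, names in by_version.items():
            if len(names) > 1:
                problems.append(f"IKEv{ver}: {len(names)} proposals on a site-to-site VPN")

    # IKEv2 requires an ASA running release 8.4(1) or higher.
    if by_version[2]:
        for dev in vpn["devices"]:
            if dev["os"] != "ASA" or parse_asa_release(dev["release"]) < (8, 4, 1):
                problems.append(f"{dev['name']}: IKEv2 unsupported on {dev['os']} {dev['release']}")

    # The IPsec Proposal policy must enable the IKE versions that have proposals.
    used = {ver for ver, names in by_version.items() if names}
    for ver in sorted(used ^ set(vpn["ipsec_ike_versions"])):
        problems.append(f"IKEv{ver}: IKE proposals and IPsec proposal disagree")
    return problems

# Constructed sample input, not taken from any real deployment.
SAMPLE_VPN = {
    "type": "site-to-site",
    "ike_proposals": [
        {"name": "ikev2-aes256", "ike_version": 2},
        {"name": "ikev2-aes128", "ike_version": 2},
    ],
    "devices": [
        {"name": "hub-asa", "os": "ASA", "release": "9.1(2)"},
        {"name": "spoke-asa", "os": "ASA", "release": "8.3(2)"},
    ],
    "ipsec_ike_versions": [1],
}
```

Calling check_ike_policy(SAMPLE_VPN) reports one finding for the duplicate IKEv2 proposals, one for the spoke running a release below 8.4(1), and one per IKE version on which the two policies disagree.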
Related Topics
Deciding Which Hash Algorithm to Use, page 25-6
Deciding Which Diffie-Hellman Modulus Group to Use, page 25-7
Deciding Which Authentication Method to Use, page 25-8
Step 1 Do one of the following to open the IKE Proposal policy based on the type of VPN you are configuring:
• For remote access VPNs, do one of the following:
  - (Device View) Select Remote Access VPN > IPSec VPN > IKE Proposal from the Policy
    selector.
  - (Policy View) Select Remote Access VPN > IPSec VPN > IKE Proposal from the Policy Type
    selector. Select an existing policy or create a new one.
• For site-to-site VPNs, do one of the following:
  - Open the Site-to-Site VPN Manager Window, page 24-18, select a topology (other than GET
    VPN) in the VPNs selector, then select IKE Proposal in the Policies selector.