25-25
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Understanding IPsec Proposals
Selecting the IKE Version for Devices in Site-to-Site VPNs
Use the IKE Version tab in the IPsec Proposal page to select which version of IKE to use for each device
in a hub-and-spoke or full mesh site-to-site VPN. This tab appears only in the Site-to-Site VPN Manager;
you cannot configure the options in Policy view, because they are specific to the actual devices in a VPN
topology.
The IKE Version tab contains two lists: IKEv1 Enabled Peers and IKEv2 Enabled Peers. When you
configure the IPsec proposal, as described in Configuring IPsec Proposals in Site-to-Site VPNs,
page 25-21, you select which IKE versions to allow in the VPN (version 1, version 2, or both). Security
Manager automatically chooses which IKE version to use for a device based on the OS version used by
the device. For example, IOS routers always appear in the IKEv1 Enabled Peers list. If a device supports
both IKEv1 and IKEv2, it appears in both lists.
You need to alter the selection only if you are allowing both IKE versions in a VPN and you want to
specifically prevent some IKEv2-capable devices from using one of the IKE versions.
To change which IKE version is allowed for a device, click the Select button beneath the list from which
you want to remove the device (or to add the device after previously removing it). A selection dialog box
opens where you can do the following (click OK to confirm your choices):
• To remove a device, so that it cannot use the IKE version, highlight it in the Selected Peers list and
click << to move it to the Available Peers list.
• To add a device, so that it is allowed to use the IKE version, highlight it in the Available Peers list
and click >> to move it to the Selected Peers list.
Tip The selection lists include only those devices that support both IKE versions, because you cannot change
the version selection for devices that support a single version. IKEv2 is supported on ASA Software
8.4(1)+.
Navigation Path
(Site-to-Site VPN Manager Window, page 24-18) Select a non-Easy VPN topology in the VPNs selector,
then select IPsec Proposal in the Policies selector. Click the IKE Version tab.
Related Topics
• Understanding IKE, page 25-5
• Understanding IPsec Proposals for Site-to-Site VPNs, page 25-18
Configuring IPSec IKEv1 or IKEv2 Transform Set Policy Objects
Use the Add or Edit IPSec Transform Set dialog box to configure IPSec transform sets for use in the
IPsec security association (IKE phase 2, or IKEv2 child SA) negotiation.
You can create IPSec transform set objects for use in IPSec proposals when defining IPSec-protected
traffic in site-to-site and remote access VPNs. During IPSec security association negotiation, the peers
agree to use a particular transform set when protecting a particular data flow.
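As an added illustration, not taken from this guide and not the exact command set Security Manager generates, the following ASA 8.4(1)+ configuration shows what the IKE Version tab selection above corresponds to on the device, together with the IKEv1 transform set and IKEv2 IPsec proposal that a transform set object becomes. The first part is a device that sits in both the IKEv1 Enabled Peers and IKEv2 Enabled Peers lists; the last part is the same device after it has been moved out of the IKEv1 Enabled Peers list. Interface, object, and map names (outside, OUTSIDE_MAP, VPN_TRAFFIC, ESP-AES256-SHA, ESP-AES256-SHA256), the peer address 203.0.113.2, the subnets, and the key placeholders are assumptions; SHA-256 and DH group 14 assume a release that offers them, so substitute what your device lists.

```cisco
! Added example (not Security Manager output). Names, addresses and
! <...> key placeholders are assumed for illustration.
!
! --- Present because the device is in the IKEv1 Enabled Peers list ---
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! IKEv1 transform set: ESP with AES-256 encryption and SHA-1 HMAC
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! --- Present because the device is in the IKEv2 Enabled Peers list ---
crypto ikev2 enable outside
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
! IKEv2 IPsec proposal: ESP with AES-256 encryption and SHA-256 integrity
crypto ipsec ikev2 ipsec-proposal ESP-AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! --- Tunnel definition shared by both IKE versions ---
access-list VPN_TRAFFIC extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal ESP-AES256-SHA256
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <ikev1-psk>
 ikev2 remote-authentication pre-shared-key <ikev2-psk>
 ikev2 local-authentication pre-shared-key <ikev2-psk>
!
! --- Same device after removal from the IKEv1 Enabled Peers list ---
! The map entry loses its IKEv1 transform set, so this tunnel can only
! be negotiated with IKEv2; there is no fallback to IKEv1.
no crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
! Disable IKEv1 on the interface only if no other site-to-site or
! remote access VPN on that interface still depends on it.
no crypto ikev1 enable outside
```

To check which version a peer actually negotiated, send traffic that matches the crypto map and compare `show crypto ikev1 sa` with `show crypto ikev2 sa`: a device that has been removed from the IKEv1 Enabled Peers list should have no IKEv1 SA for that peer, and the IKEv2 SA should show the policy and proposal above. Note the difference in scope between the two removal steps: the `crypto map ... set ikev1 transform-set` line is specific to this tunnel, whereas `crypto ikev1 enable` is per interface and affects every IKEv1 peer on it.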
Two different security protocols are included within the IPSec standard:
• Encapsulating Security Payload (ESP)—Provides authentication, encryption, and anti-replay
services. ESP is IP protocol type 50.