25-43
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Understanding IKEv1 Preshared Key Policies in Site-to-Site VPNs
If you want to use a preshared key as your authentication method for IKEv1 negotiations, you must define
a shared key for each tunnel between two peers; that key is their shared secret for authenticating the
connection. The key is configured on each peer. If the key is not the same on both peers of the
tunnel, the connection cannot be established. The peer addresses that are required for configuring the
preshared key are deduced from the VPN topology.
Tip You can also use preshared keys for IKEv2 negotiations, but the configuration is different from the one
used for IKEv1, as are the rules and requirements. For information on configuring preshared keys for
IKEv2 negotiations, see Configuring IKEv2 Authentication in Site-to-Site VPNs, page 25-62.
Preshared keys are configured on spokes. In a hub-and-spoke VPN topology, Security Manager mirrors
the spoke’s preshared key and configures it on its assigned hub, so that the key on the spoke and hub are
the same. In a point-to-point VPN topology, you must configure the same preshared key on both peers.
In a full mesh VPN topology, any two devices that are connected must have the same preshared key.
In a preshared key policy, you can use a specific key, or you can use automatically generated keys for
peers participating in each communication session. Using automatically generated keys (the default
method) is preferred, because security can be compromised if all connections in a VPN use the same
preshared key.
There are three methods for negotiating key information and setting up IKE security associations (SAs):
• Main mode address—Negotiation is based on IP address. Main mode provides the highest security
because it has three two-way exchanges between the initiator and receiver. This is the default
negotiation method.
This method has three options for creating keys:
– You can create a key for each peer, based on the unique IP address of each peer, providing high
security.
– You can create a group preshared key on a hub in a hub-and-spoke VPN topology, to be used
for communication with any device in a specified subnet. Each peer is identified by its subnet,
even if the IP address of the device is unknown. In a point-to-point or full mesh VPN topology,
a group preshared key is created on the peers.
– You can create a wildcard key on a hub in a hub-and-spoke VPN topology, or on a group
containing hubs, to be used for dynamic crypto where a spoke does not have a fixed IP address
or belong to a specific subnet. All spokes connecting to the hub have the same preshared key,
which could compromise security. In a point-to-point or full mesh VPN topology, a wildcard
key is created on the peers.
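Added example, not from the guide and not Security Manager code: it models the three key options above as address-bound entries on a hub, picks the most specific entry for a given peer, checks that a spoke's mirrored key agrees with the hub's, and flags the wildcard and shared-secret cases the text warns about. All addresses and key strings are constructed.

```python
import ipaddress
# Constructed sample of preshared-key entries in the three shapes the page
# describes: per-peer (/32), group (subnet) and wildcard (0.0.0.0/0). Not CSM output.

def parse_entries(lines):
    """Turn 'network key' lines into (IPv4Network, key) tuples."""
    pairs = (line.split(None, 1) for line in lines)
    return [(ipaddress.ip_network(n, strict=False), k) for n, k in pairs]

def kind_of(net):
    """Per-peer (/32), wildcard (/0) or group (any other subnet)."""
    return {32: "peer", 0: "wildcard"}.get(net.prefixlen, "group")

def select_key(entries, peer_ip):
    """(kind, key) of the most specific entry covering peer_ip, else None."""
    addr = ipaddress.ip_address(peer_ip)
    best = None
    for net, key in entries:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, key)
    return None if best is None else (kind_of(best[0]), best[1])

def tunnel_key_matches(side_a, a_ip, side_b, b_ip):
    """True only if each side resolves the same secret for the other's address."""
    ka, kb = select_key(side_a, b_ip), select_key(side_b, a_ip)
    return ka is not None and kb is not None and ka[1] == kb[1]

def audit(entries):
    """Flag what the page warns about: wildcard keys and one secret shared by several entries."""
    findings, by_key = [], {}
    for net, key in entries:
        by_key.setdefault(key, []).append(str(net))
        if kind_of(net) == "wildcard":
            findings.append(f"wildcard entry {net}: every spoke shares this secret")
    for key, nets in by_key.items():
        if len(nets) > 1:
            findings.append(f"one secret reused by {len(nets)} entries: {', '.join(nets)}")
    return findings

HUB_IP = "192.0.2.1"            # constructed hub address
HUB = parse_entries([           # keys configured on the hub
    "203.0.113.10/32 k-spoke10",
    "203.0.113.12/32 k-spoke10",        # reuses spoke10's secret (weak)
    "198.51.100.0/24 k-branch-group",   # group key for a whole subnet
    "0.0.0.0/0 k-any-spoke",            # wildcard for spokes without a fixed IP
])
SPOKE10 = parse_entries([f"{HUB_IP}/32 k-spoke10"])   # mirrored correctly
SPOKE_BAD = parse_entries([f"{HUB_IP}/32 k-typo"])    # mismatch: tunnel cannot come up
```

Run `audit(HUB)` against an exported key policy to see which tunnels rely on a wildcard or on a secret that other peers also hold, and `tunnel_key_matches` to confirm a hub/spoke pair will agree before deployment.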
Table 25-8 VPN Global Settings Page, General Settings Tab (Continued)
Element Description
Enable Default Route Supported on Cisco IOS routers and Catalyst 6500/7600 devices. When selected,
the device uses the configured external interface as the default outbound route for all incoming traffic.