25-46
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Understanding IKEv1 Preshared Key Policies in Site-to-Site VPNs
Table 25-9 IKEv1 Preshared Key Page (Continued)

Element           Description

Main Mode Address
    Use this negotiation method for exchanging key information if the IP
    address of the devices is known. Negotiation is based on IP address.
    Main mode provides the highest security because it has three two-way
    exchanges between the initiator and receiver, so the peer identities
    are sent only after the Diffie-Hellman exchange has produced keys to
    protect them. Main mode address is the default negotiation method.

    Select one of the following options to define the negotiation address
    type:

    Peer Address—Negotiation is based on the unique IP address of each
    peer. A separate key is created for each peer, so a key recovered
    from one device cannot be used to impersonate another. This is the
    default.

    Subnet—Creates a group preshared key on a hub in a hub-and-spoke
    topology to use for communication with any device in a specified
    subnet, even if the IP address of the device is unknown. Each peer is
    identified by its subnet, so every device in that subnet shares the
    same key. In a point-to-point or full mesh VPN topology, the group
    preshared key is created on the peers. Enter the subnet in the field
    provided, for example, 10.10.10.0/24.

    Wildcard—Creates a wildcard key on a hub or on a group of hubs in a
    hub-and-spoke topology to use when a spoke does not have a fixed IP
    address or does not belong to a specific subnet. In this case, all
    spokes connecting to the hub have the same preshared key, so a key
    recovered from any one spoke lets its holder authenticate to the hub
    as a spoke. Use this option only if a spoke in your hub-and-spoke VPN
    topology has a dynamic IP address. In a point-to-point or full mesh
    VPN topology, the wildcard key is created on the peers.

    Note  When configuring DMVPN with direct spoke-to-spoke connectivity,
    you create a wildcard key on the spokes.

Main Mode FQDN
    Select this negotiation method for exchanging key information if the IP
    address is not known and DNS resolution is available for the devices.
    Negotiation is based on DNS resolution, with no reliance on IP address.

Aggressive Mode
    Available only in a hub-and-spoke VPN topology.
    Select this negotiation method for exchanging key information if the IP
    address is not known and DNS resolution might not be available on the
    devices. Negotiation is based on hostname and domain name.
    Because aggressive mode completes in three messages, the identities and
    the preshared-key-based authentication hash are exchanged before the
    session is encrypted, so anyone who captures the exchange can run an
    offline dictionary attack against the preshared key. Use a long, random
    key and prefer main mode wherever the peer's address or FQDN allows it.

    Note  If direct spoke-to-spoke tunneling is enabled, you cannot use
    aggressive mode.

Related Topics
Understanding IKEv1 Preshared Key Policies in Site-to-Site VPNs, page 25-43
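The following Python audit is an added example; it is not part of the Cisco Security Manager guide and not Cisco code. It assumes the peers are IOS routers, on which the address types above are deployed as "crypto isakmp key ... address <ip> [mask]" or "... hostname <fqdn>" lines (the 0.0.0.0 0.0.0.0 mask form being the wildcard key), and it checks whether the router still accepts aggressive mode. The configuration it reads is constructed by hand for illustration; the key classes, risk labels and function names are this example's own.

```python
"""Audit the IKEv1 preshared-key statements in a Cisco IOS configuration.

Added example (not CSM code). Assumes the site-to-site policy was deployed
to IOS routers, whose keys appear as 'crypto isakmp key ...' lines. The
sample configuration below is constructed for illustration only.
"""
import ipaddress
import re

# Constructed sample: one line per address type from Table 25-9.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key 0 SpokeA-s3cret address 192.0.2.10
crypto isakmp key 0 SpokeB-s3cret address 192.0.2.11 255.255.255.255
crypto isakmp key 0 Branch-s3cret address 10.10.10.0 255.255.255.0
crypto isakmp key 0 AnySpoke-s3cret address 0.0.0.0 0.0.0.0
crypto isakmp key 0 SpokeC-s3cret hostname spoke-c.example.com
crypto isakmp identity address
"""

# 'crypto isakmp key [0|6] <key> address <ip> [mask]' or '... hostname <fqdn>'
KEY_RE = re.compile(
    r"^crypto isakmp key\s+(?:[06]\s+)?(?P<key>\S+)\s+"
    r"(?P<idtype>address|hostname)\s+(?P<id>\S+)(?:\s+(?P<mask>\S+))?\s*$"
)

# Risk labels are this example's own, derived from the table's caveats.
RISK = {
    "peer": "ok",        # one key per peer (the Security Manager default)
    "fqdn": "ok",        # keyed by resolved name, no reliance on IP address
    "subnet": "review",  # one key shared by every device in the subnet
    "wildcard": "high",  # every spoke shares it; one leaked key exposes the hub
}


def classify_key(line):
    """Map one 'crypto isakmp key' line to the address type it came from."""
    m = KEY_RE.match(line.strip())
    if not m:
        return None
    if m["idtype"] == "hostname":
        kind = "fqdn"
    else:
        # No mask on IOS means a single host (/32); a 0.0.0.0 mask matches any peer.
        mask = m["mask"] or "255.255.255.255"
        net = ipaddress.ip_network(f"{m['id']}/{mask}", strict=False)
        if net.prefixlen == 32:
            kind = "peer"
        elif net.prefixlen == 0:
            kind = "wildcard"
        else:
            kind = "subnet"
    return {"identity": m["id"], "mask": m["mask"], "kind": kind, "risk": RISK[kind]}


def audit_isakmp_keys(config_text):
    """Return one finding per preshared-key line, in configuration order."""
    findings = []
    for line in config_text.splitlines():
        finding = classify_key(line)
        if finding:
            findings.append(finding)
    return findings


def aggressive_mode_disabled(config_text):
    """True if the router refuses aggressive-mode exchanges altogether."""
    return any(l.strip() == "crypto isakmp aggressive-mode disable"
               for l in config_text.splitlines())


if __name__ == "__main__":
    for f in audit_isakmp_keys(SAMPLE_CONFIG):
        suffix = f" {f['mask']}" if f["mask"] else ""
        print(f"{f['risk']:7} {f['kind']:9} {f['identity']}{suffix}")
    if not aggressive_mode_disabled(SAMPLE_CONFIG):
        print("warn    aggressive mode still accepted; add "
              "'crypto isakmp aggressive-mode disable' unless a spoke needs it")
```

Run it against a saved running-config instead of SAMPLE_CONFIG to see which hubs carry a wildcard key and whether aggressive mode is still accepted on devices that no longer have dynamic-address spokes.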