IKE Policy

This section is used to set certain Internet Security Association Key Management Protocol/Internet Key Exchange (ISAKMP/IKE) parameters that govern how the VPN 5000 concentrator and client, or LAN-to-LAN tunneling devices, will initially identify and authenticate each other so that tunnel sessions can then be established. This initial negotiation is referred to as Phase 1. These Phase 1 security parameters are global to the device and are not associated with a particular interface.

configure IKE Policy

Usage Guidelines

Phase 2 IKE negotiation sets how the VPN 5000 concentrator and client will handle individual tunnel sessions. Phase 2 IKE negotiation parameters for the VPN 5000 Client and server are set in the VPN Group device. Phase 2 negotiation parameters for LAN-to-LAN tunnels may be set in the Tunnel Partner section.

Keywords

After entering the configure command for the section, enter one or more of the following keywords.

Protection = {MD5_DES_G1 | MD5_3DES_G1 | MD5_DES_G2 | MD5_3DES_G2 | SHA_DES_G1 | SHA_3DES_G1 | SHA_DES_G2 | SHA_3DES_G2}

The Protection keyword specifies a protection suite for the ISAKMP/IKE negotiation between the VPN 5000 concentrator and client, or between VPN routers which have been configured as LAN-to-LAN tunneling devices. This keyword may appear multiple times within this section, in which case the VPN 5000 concentrator or VPN router will propose all of the specified protection suites. The VPN 5000 Client or tunnel peer will accept one of the options for the negotiation.

The first piece of each option is the authentication algorithm to be used for the negotiation.

  • MD5 is the message-digest 5 hash algorithm.

  • SHA is the Secure Hash Algorithm, which is considered to be somewhat more secure than MD5.

The second piece is the encryption algorithm.

  • DES (Data Encryption Standard) uses a 56-bit key to scramble the data.

  • 3DES (Triple DES) uses three different keys and three applications of the DES algorithm to scramble the data.

The third piece is the Diffie-Hellman group to be used for key exchange.

  • Group 1 (G1) uses a 768-bit Diffie-Hellman modulus.

  • Group 2 (G2) uses a 1024-bit Diffie-Hellman modulus and is more secure than Group 1.

Examples

[ IKE Policy ]
Protection = MD5_DES_G1
Protection = SHA_3DES_G2
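The example above lists two suites, which the concentrator proposes in order and the peer answers with the one it accepts. The following added code (not Cisco's own) parses Protection lines from an [ IKE Policy ] section, splits each suite name into its hash, cipher and Diffie-Hellman group parts, and models the selection; the matching rule (first proposed suite the responder also lists) and the sample configurations are assumptions.

```python
"""Parse VPN 5000 [ IKE Policy ] Protection suites and model Phase 1 suite
selection.  Added example, not Cisco code: the matching rule and the
sample configs below are assumptions."""
import re

# Suite name format from the Protection keyword: <hash>_<cipher>_<group>
SUITE_RE = re.compile(r"^(MD5|SHA)_(DES|3DES)_(G1|G2)$")
DH_BITS = {"G1": 768, "G2": 1024}        # Diffie-Hellman modulus sizes
DES_KEY_BITS = {"DES": 56, "3DES": 168}  # 3DES: three independent 56-bit keys

def parse_suite(name):
    """Split a suite name into its hash, cipher and DH group components."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError("unknown protection suite: %r" % name)
    h, c, g = m.groups()
    return {"name": name, "hash": h, "cipher": c, "group": g,
            "dh_bits": DH_BITS[g], "key_bits": DES_KEY_BITS[c]}

def parse_ike_policy(text):
    """Return the Protection suites of the [ IKE Policy ] section, in order."""
    suites, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):             # a new configuration section
            in_section = line.replace(" ", "") == "[IKEPolicy]"
        elif in_section and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "Protection":
                suites.append(parse_suite(value))
    return suites

def negotiate(proposals, acceptable):
    """Assumed rule: the responder takes the first proposed suite that also
    appears in its own Protection list; None means Phase 1 cannot complete."""
    names = {s["name"] for s in acceptable}
    return next((s for s in proposals if s["name"] in names), None)

def weaker_parts(suite):
    """Components the page itself rates as the weaker of the two choices."""
    return [p for p, weak in (("hash", suite["hash"] == "MD5"),
                              ("cipher", suite["cipher"] == "DES"),
                              ("group", suite["group"] == "G1")) if weak]

# Constructed sample configs: concentrator proposes two suites, peer lists one
CONCENTRATOR = "[ IKE Policy ]\nProtection = MD5_DES_G1\nProtection = SHA_3DES_G2\n"
PEER = "[ IKE Policy ]\nProtection = SHA_3DES_G2\n"
```

Running `negotiate(parse_ike_policy(CONCENTRATOR), parse_ike_policy(PEER))` selects SHA_3DES_G2, the only suite both sides list; a peer that lists only MD5_DES_G1 against a concentrator proposing only SHA_3DES_G2 gets no match.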

Related Commands

Command                    Description
configure Tunnel Partner   Configures the LAN-to-LAN tunnel parameters
configure VPN Group        Configures the VPN group parameters


Posted: Wed Sep 27 10:38:17 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.