The IPSec Tunnel Templates branch of the Tools and Services tree is where you define, store, and modify your tunnel templates. You can also create folders on the branch in which to organize your tunnel templates.
IPSec Tunnel Templates contain the security parameters used by the tunnel groups to negotiate and configure tunnels. You can define two types of IPSec Tunnel Templates: Internet Key Exchange (IKE) tunnel templates and manual tunnel templates. IKE tunnel templates define the algorithms used for key exchange negotiation as well as the protocols and algorithms used for authentication and/or encryption of the data, while manual tunnel templates only define the protocol for authentication and/or encryption of the data, because the key is already known.
Note: You cannot use manual crypto maps with devices running IOS versions v12.0(7)T and v12.0(5)XE5. Refer to Release Notes for Cisco Secure Policy Manager Version 2.1 for more information.
The IPSec Tunnel Templates branch is pre-populated with three organizational folders, the Highly Secure IKE folder, the Secure IKE folder, and the Highly Secure Manual folder. Each folder contains several example tunnel templates that you can use as is, modify, or delete.
IPSec Tunnel Templates are one component in Cisco Secure Policy Manager's implementation of IPSec security associations. They define how IPSec tunnels are negotiated between tunnel peers.
IPSec Tunnel Templates are used in conjunction with IPSec Tunnel Groups (located in the Network Policy Tree). When two peers attempt to create a tunnel, they must do so using the same protocols, algorithms, and keys or the tunnel cannot be created. Each tunnel group is associated with a single tunnel template, which provides the key negotiation (for IKE tunnels) and the authentication and/or encryption protocols and algorithms to each tunnel peer in the tunnel group, ensuring that the peers are using the same protocols and algorithms when attempting to create an IPSec tunnel.
Cisco Secure Policy Manager divides the IPSec security association information in the tunnel template between two panels, the General panel and the Protocol panel. The General panel contains the algorithms and protocols used for key negotiation in IKE tunnels. For manual tunnels, the General panel does not contain any user-configurable settings because manual tunnels are based on a shared key rather than a negotiated key. The Protocol panel contains the settings for authentication and encryption.
The IPSec Tunnel Templates branch is pre-populated with three organizational folders: the Highly Secure IKE folder, the Highly Secure Manual folder, and the Secure IKE folder. Each folder contains several example tunnel templates that you can use as is, modify, or delete. For information about these folders, refer to the Highly Secure IKE Folder, the Highly Secure Manual Folder, and the Secure IKE Folder topics in this section.
You can safely modify these templates without affecting Cisco Secure Policy Manager, or use them as is. If this is your first time to use Cisco Secure Policy Manager, you may want to use these templates as practice templates to become familiar with IPSec Tunnel Groups.
The Highly Secure IKE folder contains four pre-configured IPSec Tunnel Templates. The encryption and/or authentication protocols and algorithms used by the templates are shown to the right of the template name:
The Highly Secure Manual folder contains two pre-configured example IPSec Tunnel Templates. The encryption and/or authentication protocols and algorithms used by the templates are shown to the right of the template name:
The Secure IKE folder contains four pre-configured IPSec Tunnel Templates. The encryption and/or authentication protocols and algorithms used by the templates are shown to the right of the template name:
You can perform the following tasks from the IPSec Tunnel Templates branch. For step-by-step procedures on performing a specific task, refer to the corresponding section.
You can perform the following task from the General panel of the IPSec Tunnel Template:
You can perform the following task from the Protocol panel of the IPSec Tunnel Template:
To create a new IPSec Tunnel Template, perform the following task:
Step 2 Right-click the IPSec Tunnel Templates branch icon or the icon of the folder in which you want to create the new tunnel template.
Step 3 Point to New, and then to IPSec Tunnel Template, and then click Manual Tunnel Template or IKE Tunnel Template, depending upon the type of template you need to create.
Result: A new node representing the new IPSec Tunnel Template appears under the IPSec Tunnel Templates branch (or folder on the branch) in the Navigator pane, and the General and Protocol panels for the template appear in the View pane. The default name of the template is automatically selected for renaming.
Step 4 Type the new name in the Name box, and then press Enter.
Result: The name appears beside the new node in the Navigator pane.
Tips: If you cannot edit the name, right-click the new IPSec Tunnel Template icon and click Rename on the shortcut menu.
Step 5 To learn how to configure the tunnel template by setting the security methods and protocols, refer to the following topics.
Step 6 To save your changes and close both the General and Protocol panels, click OK.
Step 7 To save any changes that you have made, click Save on the File menu.
Modifying a tunnel template enables you to change the key negotiation algorithms (for IKE tunnel templates), or the authentication/encryption protocol or algorithm for a particular tunnel group, without having to create a new tunnel template and apply it to the group.
To modify an IPSec Tunnel Template, perform the following task:
Step 2 Right-click the IPSec Tunnel Template node, point to Properties, and then click General to modify the IKE negotiation settings or click Protocol to modify the authentication and/or encryption algorithms and settings.
Step 3 To learn how to configure the tunnel template by setting the security methods and protocols, refer to the following topics.
Step 4 To save your changes and close both the General and Protocol panels, click OK.
Step 5 To save any changes you have made, click Save on the File menu.
The General panel contains only user-configurable settings for IKE Tunnel Templates. The settings are used to define the IKE key negotiation between tunnel peers.

For Manual Tunnel Templates, the IKE settings are not displayed in the General panel; only the template name and type are displayed.
You might modify the General panel for an IKE IPSec Tunnel Template to increase or decrease the authentication or encryption strength of an IKE negotiation. Increasing the authentication or encryption strength results in stronger security but slower performance for the IKE negotiation. Decreasing the authentication or encryption strength results in faster performance but a higher security risk.
To modify the General panel settings, perform the following task:
Note: This task is performed from the General panel of the selected IPSec Tunnel Template. If the General panel does not appear in the View pane, right-click the icon of the tunnel template to be modified, select Properties from the shortcut menu, and then click General.
Result: The hash algorithm is set to SHA for strong authentication or MD5 for basic authentication.
Step 2 To change the key exchange algorithm, click one of the values in the Diffie-Hellman group ID list under IKE Tunnel Options.
Result: The key exchange algorithm is set to Diffie-Hellman group ID 1 for basic encryption or Diffie-Hellman group ID 2 for strong encryption.
Step 3 To change the authentication method, click one of the values in the IKE Tunnel Options list.
Result: The authentication method is set for Certificate (RSA Encryption) for strong authentication, Certificate (RSA Signature) for basic authentication, or Shared Secret for basic authentication.
Step 4 To change the encryption algorithm, click one of the values in the Encryption Algorithm list.
Result: The encryption algorithm is set to either DES for basic encryption or triple DES for strong encryption.
Step 5 To specify a time, in seconds, after which the IKE session renegotiates, enter a numeric value expressed in hh:mm notation into the Renegotiate IKE after box. If you do not want to restrict the length of an IKE session, you can disable this timeout by specifying zero (0) as the value.
Step 6 To save your changes and close the General panel, click OK.
Step 7 To save any changes that you have made, click Save on the File menu.

For a manual tunnel, you can select only one AH protocol and associated algorithm and one ESP protocol and associated algorithm for the tunnel template. For an IKE tunnel, you can create up to three proposals that each contain AH and ESP protocols. When you specify more than one proposal, the first proposal in the list is negotiated first. If the receiving tunnel endpoint cannot support the protocols in the first proposal, the second proposal is attempted, and so on down the list. If the two tunnel endpoints cannot negotiate a set of compatible protocols, the IPSec session is dropped.
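The proposal-ordering rule above (walk the initiator's list most-preferred first, take the first proposal the peer supports, drop the session if none matches) is easy to get wrong when templates on the two peers are ordered differently. The following Python model is an added illustration and is not Cisco Secure Policy Manager code; the names Proposal, TunnelTemplate, negotiate and audit_template are assumptions for this example. The strength labels it checks (MD5/DES/group 1 as "basic", SHA/3DES/group 2 as "strong") are the ones this page uses for its General and Protocol panel options.

```python
"""Model of how an IKE tunnel template's ordered proposals are negotiated.

Added example, not Cisco Secure Policy Manager code.  The class and function
names below are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Settings this page labels "basic" (as opposed to "strong").  Constructed
# from the page's own option descriptions, nothing else.
BASIC_HASHES = {"md5"}
BASIC_CIPHERS = {"des"}
BASIC_DH_GROUPS = {1}

MAX_IKE_PROPOSALS = 3  # the page allows up to three proposals per IKE template


@dataclass(frozen=True)
class Proposal:
    """One entry in the IKE Negotiable Protocols box: AH and/or ESP settings."""
    ah_auth: Optional[str] = None    # AH authentication algorithm, e.g. "sha"
    esp_enc: Optional[str] = None    # ESP encryption algorithm, e.g. "3des"
    esp_auth: Optional[str] = None   # ESP authentication algorithm, e.g. "sha"


@dataclass
class TunnelTemplate:
    """An IKE tunnel template: proposals ordered most-preferred first."""
    name: str
    proposals: List[Proposal]
    pfs_group: Optional[int] = None  # None models "Perfect Forward Secrecy: disabled"

    def __post_init__(self) -> None:
        if not 1 <= len(self.proposals) <= MAX_IKE_PROPOSALS:
            raise ValueError(f"{self.name}: an IKE template holds 1..{MAX_IKE_PROPOSALS} proposals")


def negotiate(initiator: TunnelTemplate, responder: TunnelTemplate) -> Optional[Proposal]:
    """Return the first initiator proposal the responder can support.

    The responder is modelled as accepting any proposal that appears in its own
    template, regardless of its own ordering.  None means no compatible set was
    found and the IPSec session is dropped.
    """
    supported = set(responder.proposals)
    for proposal in initiator.proposals:          # priority order: first, second, third
        if proposal in supported:
            return proposal
    return None


def audit_template(template: TunnelTemplate) -> List[str]:
    """List every 'basic' strength setting a template would allow a peer to select.

    A weak proposal anywhere in the list is reachable: a peer that supports only
    that proposal will negotiate it, even if stronger ones are listed first.
    """
    findings: List[str] = []
    for idx, p in enumerate(template.proposals, start=1):
        for label, value in (("AH auth", p.ah_auth), ("ESP auth", p.esp_auth)):
            if value and value.lower() in BASIC_HASHES:
                findings.append(f"{template.name}: proposal {idx} {label} uses basic hash {value}")
        if p.esp_enc and p.esp_enc.lower() in BASIC_CIPHERS:
            findings.append(f"{template.name}: proposal {idx} ESP uses basic cipher {p.esp_enc}")
    if template.pfs_group is None:
        findings.append(f"{template.name}: perfect forward secrecy disabled")
    elif template.pfs_group in BASIC_DH_GROUPS:
        findings.append(f"{template.name}: PFS uses basic Diffie-Hellman group {template.pfs_group}")
    return findings


# Constructed sample templates for the demonstration.
STRONG_ESP = Proposal(esp_enc="3des", esp_auth="sha")
WEAK_ESP = Proposal(esp_enc="des", esp_auth="md5")

HIGHLY_SECURE = TunnelTemplate("highly-secure", [STRONG_ESP, Proposal(ah_auth="sha", esp_enc="3des")], pfs_group=2)
LEGACY_ONLY = TunnelTemplate("legacy-only", [WEAK_ESP])
MIXED = TunnelTemplate("mixed", [WEAK_ESP, STRONG_ESP], pfs_group=1)


if __name__ == "__main__":
    for a, b in ((HIGHLY_SECURE, LEGACY_ONLY), (HIGHLY_SECURE, MIXED), (MIXED, HIGHLY_SECURE), (MIXED, LEGACY_ONLY)):
        print(f"{a.name} -> {b.name}: {negotiate(a, b)}")
    for finding in audit_template(MIXED):
        print("WARN", finding)
```

Note how the outcome depends on who initiates: MIXED talking to HIGHLY_SECURE ends up on 3DES/SHA because its first (DES/MD5) proposal is refused, but the same MIXED template talking to LEGACY_ONLY settles on DES/MD5. The audit function exists to catch that second case before deployment.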
You might modify the Protocol panel for an IKE IPSec Tunnel Template to increase or decrease the authentication or encryption strength of an IKE renegotiation. Increasing the authentication or encryption strength results in stronger security but slower performance for the IKE renegotiation. Decreasing the authentication or encryption strength results in faster performance but a higher security risk during the IKE renegotiation.
To modify the Protocol panel settings, perform the following task:
Note: This task is performed from the Protocols panel of the selected IPSec Tunnel Template. If the Protocols panel does not appear in the View pane, right-click the icon of the tunnel template to be modified, select Properties from the shortcut menu, and then click Protocols.
Note: Before you add a security protocol to a manual IPSec Tunnel Template proposal, you may have to remove the pre-populated security protocol from the current proposal, and then add the security protocol you prefer. To remove a security protocol from the current proposal, select one protocol from the IKE Negotiable Protocols or Manual Protocol box, and then click Remove.
Result: The security protocol is added to the proposal.
Step 2 To add additional proposals for IKE negotiation, click New Proposal in the Protocol panel of an IKE IPSec Tunnel Template.
Note: The option of adding an additional proposal is not available for the Manual Protocol box in the Protocol panel of manual IPSec Tunnel Templates. For manual IPSec Tunnel Templates, only one proposal can be specified because no IKE renegotiations occur.
Result: The additional proposal appears in the IKE Negotiable Protocols box in the Protocol panel of the IKE IPSec Tunnel Template. The first proposal in the list is the most preferred proposal; the tunnel peers will attempt to negotiate a tunnel with those settings first. If that proposal cannot be negotiated, the peers will attempt to negotiate the second proposal, and then the third.
Step 3 To remove an unwanted proposal from an IKE negotiation, click the proposal to select it, and then click Remove.
Result: The unwanted proposal, and the protocols that it contains, is removed from the IKE Negotiable Protocols box.
Step 4 To change a proposal's priority in a list of more than one proposal, click a proposal in the IKE Negotiable Protocols box in the Protocol panel of an IKE IPSec Tunnel Template. Then, click Move Up to increase the proposal's priority, or Move Down to decrease the proposal's priority.
Note: Prioritizing proposals is not available for the Manual Protocol box in the Protocol panel of manual IPSec Tunnel Templates. For manual IPSec Tunnel Templates, only one proposal can be specified because no IKE renegotiations occur.
Result: The proposal becomes either first, second, or third priority in the IKE Negotiable Protocols box in the Protocol panel of the IKE IPSec Tunnel Template.
Step 5 To specify a period of time to elapse and/or a number of kilobytes to transfer before a renegotiation of the IPSec session keys occurs, enter one or both of the following values under Renegotiate Protocol after.
Two values are possible:
Result: The IPSec session keys are renegotiated after the specified period of time elapses or the specified number of kilobytes is transferred. When both values are set, renegotiation occurs as soon as either value (Time or KBytes) is reached.
Step 6 To change the perfect forward secrecy encryption strength, click one of the values in the Perfect Forward Secrecy list.
Three perfect forward secrecy encryption values are available:
Result: Perfect forward secrecy is either enabled with strong encryption or basic encryption, or disabled.
Step 7 To save your changes and close the Protocol panel, click OK.
Step 8 To save any changes that you have made, click Save on the File menu.
Posted: Thu May 25 13:37:14 PDT 2000
Copyright 1989 - 2000 © Cisco Systems Inc.