Configuring IKE
Remember that IKE is the method used by the peers to negotiate and establish the SA.
Determining which IKE configuration to use is not difficult. Most companies have a standard
configuration that they employ when creating any VPN connection. If you do not have a
preestablished policy, select one whose security is at least as strong as that required by
the most sensitive data that will travel across the connection. The following steps are
required to configure IKE on a Cisco Security Appliance:
Step 1 Enable IKE—This is a simple command on the PIX. You turn on IKE by
enabling it on a specific interface. The syntax for the command is isakmp enable
if_name. For example:
tgpix(config)# isakmp enable outside
Step 2 Create your IKE policies (phase 1)—To create the IKE policies, you select certain
options and configure them as policies. Again, it is extremely important that
both peers are configured in the same manner: the two sides must share at least
one policy whose settings match, or phase 1 negotiation fails. Any parameter you
do not set in a policy takes its default value. You must make the following
choices when creating the policy:
• Authentication method—Preshared secret or RSA signature
• Message encryption algorithm—DES, 3DES, AES (128-bit), AES-192, or AES-256
• Message integrity algorithm—SHA-1 or MD5
• Key exchange parameters—Diffie-Hellman group 1, group 2, or
group 5
• IKE established SA lifetime—The default is 86,400 seconds (24 hours). If the
two peers propose different lifetimes, the shorter value is used. The Security
Appliance supports an unlimited ISAKMP SA (phase 1) lifetime by using a value
of 0. This allows for VPN connectivity with third-party VPN products that do
not support rekeying the ISAKMP SA. An unlimited ISAKMP SA lifetime is much
less secure than a constantly rekeyed SA, because the same phase 1 keys stay in
use for as long as the tunnel is up, and it should be used only if required to
support connections to third-party gateways.
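The two steps above, carried through as one complete phase 1 configuration. This is an added example, not a configuration from the original text or from Cisco documentation; the interface name outside, the peer address 192.0.2.10, the policy priorities 10 and 20, and the preshared key placeholder are assumptions chosen for illustration.

```cisco
! Added example (not from the original text): PIX IKE phase 1 configuration
! built from Step 1 and Step 2. Interface, peer address, priorities and the
! key placeholder are assumed values.

! Step 1: enable IKE on the interface that faces the remote peer.
! Policies are ignored until IKE is enabled on at least one interface.
isakmp enable outside

! Identify this appliance to the peer by its IP address (not its hostname).
isakmp identity address

! Step 2: phase 1 policy. The lowest priority number is offered first.
! Preshared secret, AES-256, SHA-1, DH group 5, default 24-hour lifetime.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400

! Optional fallback for an older third-party gateway that cannot do AES or
! group 5. Note that every policy configured here is acceptable to this
! appliance, so this weaker policy bounds the security of any tunnel that
! chooses it, not only the legacy one. Omit it if no such peer exists.
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800

! Preshared secret bound to the single peer address with a host netmask.
! Replace the placeholder with a long random string; never reuse it across
! peers, since a key with a 0.0.0.0 address would be accepted from any peer.
isakmp key REPLACE-WITH-LONG-RANDOM-SECRET address 192.0.2.10 netmask 255.255.255.255
```

The same policy must exist on the peer with matching authentication method, encryption, hash and Diffie-Hellman group (the lifetime may differ; the shorter one wins). To check what the appliance will offer, use show isakmp policy, which lists each configured policy followed by the built-in default protection suite. On PIX 7.0 and later and on the ASA, the commands carry a crypto prefix (crypto isakmp enable outside, crypto isakmp policy 10 with the settings entered in the policy submode), but the choices are the same.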