Configuring Security Appliances for Scalable VPNs
Earlier in this chapter, you learned about the different methods of negotiating an IPSec
connection:
■ Manual IPSec, which requires you to configure each peer manually. This method is not
recommended by Cisco because it does not allow for key exchanges and, therefore,
would be rather easy to decrypt, given enough time and traffic. Obviously, manual IPSec
is not a scalable solution.
■ IKE, which dynamically negotiates your SA using preshared keys or digital certificates.
Preshared keys still require you to enter a preshared key manually into each IPSec peer.
■ IKE with digital certificates, which is the most dynamic solution that lets IKE negotiate
your IPSec SA and a CA server authenticating each peer. This system is completely
dynamic, very secure, and very scalable.