Creating IKE Policies


The IKE policies you configure are in fact security policies that will be used to secure traffic flowing across the IKE Phase 1 tunnel. Remember, no user data traffic flows across the IKE Phase 1 tunnel. This tunnel is simply used to securely negotiate the IKE Phase 2 tunnel, which is another name for the IPSec tunnel.

The commands you use to create an IKE Phase 1 security policy follow:

 
 crypto isakmp policy priority
  encryption {des | 3des}
  hash {sha | md5}
  authentication {rsa-sig | rsa-encr | pre-share}
  group {1 | 2 | 5}
  lifetime seconds

If you are using IOS Release 12.2(13)T or later, you will also see additional encryption options supported for the Advanced Encryption Standard (AES). The AES keywords are {aes | aes 192 | aes 256}.


The ISAKMP policy default protection suite follows:

  Encryption algorithm: Data Encryption Standard (DES)
  Hash algorithm: Secure Hash Algorithm (SHA)
  Authentication method: Rivest, Shamir, and Adleman (RSA) signature
  Diffie-Hellman (D-H) group: #1 (768 bit)
  Lifetime: 86,400 seconds (sec), no volume limit


You issue the crypto isakmp policy command first, which puts you into crypto ISAKMP configuration mode. Then, you can issue the remaining commands to configure the policies that match your security policy.

You can have multiple ISAKMP policies on a router. You differentiate each policy by using a priority value. Priority values can be from 1 to 10,000, with 1 being the highest-priority policy. However, you can use any priority value when configuring the policy.


The priority values are used internally by a router and have no meaning or significance to the remote IPSec peer router.


To configure an ISAKMP policy with a priority value of 100, issue the following command:

 
 Router(config)# crypto isakmp policy 100 

Once you use this command, you are in ISAKMP configuration mode. If you were to issue the ? to bring up context-sensitive help, the display would look like Figure 9.1.

Figure 9.1. IKE Phase 1 security policy options.


Let's assume that your organization's security policy states that you should use the following parameters:

  Encryption: Triple DES (3DES)
  Hash: SHA
  Authentication: Preshared keys
  D-H group: 2
  Lifetime: 50,000 sec

Figure 9.2 shows the commands to create the IKE security policy for your organization.

Figure 9.2. IKE Phase 1 security policy configuration.


Know the commands to create an IKE Phase 1 policy:

 
 crypto isakmp policy priority
  encryption {des | 3des}
  hash {sha | md5}
  authentication {rsa-sig | rsa-encr | pre-share}
  group {1 | 2 | 5}
  lifetime seconds

A little earlier, we stated that you could configure multiple ISAKMP policies by using priority values. But you might be wondering how each IPSec peer agrees upon which ISAKMP policy to use.

Here is how it works: The initiator of the IPSec tunnel sends all its configured ISAKMP policies to the remote IPSec peer. The remote IPSec peer then tries to determine whether it has an ISAKMP policy matching one of the policies it received. The remote peer uses its own configured priority values to decide the order in which it looks for a match.

For instance, if the remote has three ISAKMP policies numbered 1, 2, and 3, the remote checks its highest policy, number 1, against all the received policies. If the remote policy of 1 matches any of the received policies, the remote sends a packet to the IPSec initiator stating what security parameters will be used for the IKE tunnel. If the remote's number 1 policy does not match, then it tries to match the number 2 policy against all the received ISAKMP policies.

If the remote device compares all its configured ISAKMP policies against the received policies and does not find a match, IKE Phase 1 fails. When IKE Phase 1 fails, negotiation stops and the IPSec tunnel is never negotiated; therefore, the IPSec tunnel fails.
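As an added example (not code from the book), the following Python script models two things described above: how a crypto isakmp policy block is built from the organization's parameters, with the default protection suite supplying any sub-command that is not typed, and how a responder holding policies numbered 1, 2, and 3 walks them in priority order against every policy the initiator sent. The responder's three policies and the names IsakmpPolicy, policy, render, and negotiate are constructed for this example; the rule that the shorter of two differing lifetimes is used comes from Cisco's IKE documentation rather than from this page and is marked as an assumption in the code.

```python
"""Model of IOS IKE Phase 1 (ISAKMP) policies: how omitted parameters fall
back to the default protection suite, which commands a policy expands to,
and how a responder selects a policy in priority order.  Added example, not
code from the book; behaviour not stated on the page is marked below."""
from dataclasses import dataclass
from typing import Iterable, Optional

# Default protection suite as listed in the text.
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": 1, "lifetime": 86400}
# Keywords accepted by the command syntax given in the text (pre-AES IOS).
VALID = {"encryption": {"des", "3des"}, "hash": {"sha", "md5"},
         "authentication": {"rsa-sig", "rsa-encr", "pre-share"},
         "group": {1, 2, 5}}


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    encryption: str
    hash_alg: str
    authentication: str
    group: int
    lifetime: int

    def suite(self):
        """The four parameters that must agree for two policies to match."""
        return (self.encryption, self.hash_alg, self.authentication, self.group)


def policy(priority: int, **typed) -> IsakmpPolicy:
    """Build a policy the way 'crypto isakmp policy <priority>' does: start
    from the defaults and apply only the sub-commands the admin typed."""
    if not 1 <= priority <= 10000:
        raise ValueError("priority must be 1..10000")
    params = {**DEFAULTS, **typed}
    for name, allowed in VALID.items():
        if params[name] not in allowed:
            raise ValueError(f"{name} {params[name]!r} is not a valid keyword")
    return IsakmpPolicy(priority, params["encryption"], params["hash"],
                        params["authentication"], params["group"],
                        params["lifetime"])


def render(p: IsakmpPolicy) -> str:
    """The IOS commands that configure policy p, in the order the text gives."""
    return "\n".join([
        f"crypto isakmp policy {p.priority}",
        f" encryption {p.encryption}",
        f" hash {p.hash_alg}",
        f" authentication {p.authentication}",
        f" group {p.group}",
        f" lifetime {p.lifetime}",
    ])


def negotiate(responder: Iterable[IsakmpPolicy],
              received: Iterable[IsakmpPolicy]) -> Optional[IsakmpPolicy]:
    """Responder side of IKE Phase 1 policy selection as the text describes:
    walk the local policies from priority 1 upward and compare each against
    every proposal received from the initiator; the first match is used.
    Returns None when nothing matches, i.e. IKE Phase 1 fails."""
    received = list(received)
    for local in sorted(responder, key=lambda p: p.priority):
        for remote in received:
            if local.suite() == remote.suite():
                # Assumption beyond the page (from Cisco's IKE documentation):
                # when the two lifetimes differ, the shorter one is used.
                return IsakmpPolicy(local.priority, *local.suite(),
                                    min(local.lifetime, remote.lifetime))
    return None


# Constructed sample data.  ORG_POLICY is the organization's policy from the
# text (priority 100: 3DES, SHA, pre-shared keys, D-H group 2, 50,000 sec).
ORG_POLICY = policy(100, encryption="3des", hash="sha",
                    authentication="pre-share", group=2, lifetime=50000)
# A responder with three policies, numbered 1, 2 and 3 as in the text.
RESPONDER = [
    policy(1, encryption="3des", hash="md5", authentication="rsa-sig", group=2),
    policy(2, encryption="3des", authentication="pre-share", group=2),
    policy(3),  # nothing typed: the default protection suite
]

if __name__ == "__main__":
    print(render(ORG_POLICY))
    print("agreed:", negotiate(RESPONDER, [ORG_POLICY]))
    print("default-only initiator vs 3DES-only responder:",
          negotiate(RESPONDER[:2], [policy(10)]))
```

Running the script shows that the responder skips its policy 1 (MD5 hash does not match), accepts policy 2 against the initiator's policy 100, and, because policy 2 kept the default 86,400 sec lifetime, reports the initiator's shorter 50,000 sec lifetime; the second call demonstrates the failure case from the text, where an initiator offering only the default DES suite finds no match on a responder configured for 3DES only.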


A more secure ISAKMP policy than the default protection suite uses stronger security algorithms:

  Encryption algorithm: 3DES
  Hash algorithm: SHA
  Authentication method: RSA signature or RSA-encrypted nonces
  D-H group: #2 (1024 bit)
  Lifetime: Less than the default of 86,400 sec




CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
Year: 2003
Pages: 291
Author: Raman Sud
