The IKE policies you configure are in fact security policies that will be used to secure traffic flowing across the IKE Phase 1 tunnel. Remember, no user data traffic flows across the IKE Phase 1 tunnel. This tunnel is simply used to securely negotiate the IKE Phase 2 tunnel, which is another name for the IPSec tunnel. The commands you use to create an IKE Phase 1 security policy follow:

    crypto isakmp policy priority
      encryption {des | 3des}
      hash {sha | md5}
      authentication {rsa-sig | rsa-encr | pre-share}
      group {1 | 2 | 5}
      lifetime seconds

If you are using IOS Release 12.2(13)T or later, you will also see additional encryption options supported for the Advanced Encryption Standard (AES). The AES keywords are {aes | aes 192 | aes 256}.
You issue the crypto isakmp policy command first, which puts you into crypto ISAKMP configuration mode. Then, you can issue the remaining commands to configure the policies that match your security policy. You can have multiple ISAKMP policies on a router. You differentiate each policy by using a priority value. Priority values can be from 1 to 10,000, with 1 being the highest-priority policy. However, you can use any priority value when configuring the policy.
To configure an ISAKMP policy with a priority value of 100, issue the following command:

    Router(config)# crypto isakmp policy 100

Once you use this command, you are in ISAKMP configuration mode. If you were to issue the ? to bring up context-sensitive help, the display would look like Figure 9.1.

Figure 9.1. IKE Phase 1 security policy options.
Let's assume that your organization's security policy states that you should use the following parameters:
Figure 9.2 shows the commands to create the IKE security policy for your organization.

Figure 9.2. IKE Phase 1 security policy configuration.
A little earlier, we stated that you could configure multiple ISAKMP policies by using priority values. But you might be wondering how each IPSec peer agrees upon which ISAKMP policy to use. Here is how it works: The initiator of the IPSec tunnel sends all its configured ISAKMP policies to the remote IPSec peer. The remote IPSec peer then tries to determine whether it has an ISAKMP policy matching one of the policies it received. The remote peer uses its own configured priority values when determining a match. For instance, if the remote has three ISAKMP policies numbered 1, 2, and 3, the remote checks its highest-priority policy, number 1, against all the received policies. If the remote's policy 1 matches any of the received policies, the remote sends a packet to the IPSec initiator stating what security parameters will be used for the IKE tunnel. If the remote's number 1 policy does not match, it then tries to match its number 2 policy against all the received ISAKMP policies. If the remote device tries all its configured ISAKMP policies against the received policies and does not find a match, IKE Phase 1 fails. If IKE Phase 1 fails, all negotiation ceases and the IPSec tunnel is never negotiated. Therefore, the IPSec tunnel will fail.
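The matching procedure just described, as an added Python model that is not part of the original text. The policy sets are constructed samples; the lifetime rule (the offered lifetime must be less than or equal to the responder's, and the shorter one is used) comes from Cisco's IKE documentation rather than from this page and is treated here as an assumption.

```python
from dataclasses import dataclass, replace
from typing import Iterable, Optional


@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'crypto isakmp policy <priority>' block and its five parameters."""
    priority: int
    encryption: str        # des | 3des | aes | aes 192 | aes 256
    hash_alg: str          # sha | md5
    authentication: str    # rsa-sig | rsa-encr | pre-share
    group: int             # 1 | 2 | 5
    lifetime: int = 86400  # seconds (IOS default)


def policies_match(local: IsakmpPolicy, offered: IsakmpPolicy) -> bool:
    """Encryption, hash, authentication and DH group must be identical.
    Lifetime rule (assumption taken from Cisco's IKE documentation, not from
    this page): the offered lifetime must be <= the local one."""
    same_params = (
        (local.encryption, local.hash_alg, local.authentication, local.group)
        == (offered.encryption, offered.hash_alg, offered.authentication, offered.group)
    )
    return same_params and offered.lifetime <= local.lifetime


def negotiate_phase1(initiator: Iterable[IsakmpPolicy],
                     responder: Iterable[IsakmpPolicy]) -> Optional[IsakmpPolicy]:
    """Return the policy the responder announces back, or None if Phase 1 fails."""
    offered = list(initiator)  # the initiator sends *all* of its policies
    for local in sorted(responder, key=lambda p: p.priority):  # 1 = highest priority
        for remote in offered:  # try this local policy against every received one
            if policies_match(local, remote):
                # the shorter lifetime (the offered one) is what gets used
                return replace(local, lifetime=min(local.lifetime, remote.lifetime))
    return None  # no match on any local policy: IKE Phase 1 fails, no IPSec tunnel


# Constructed sample configurations (not taken from the page)
INITIATOR = [
    IsakmpPolicy(10, "3des", "sha", "pre-share", 2),
    IsakmpPolicy(20, "des", "md5", "pre-share", 1, lifetime=3600),
]
RESPONDER = [
    IsakmpPolicy(1, "aes 256", "sha", "rsa-sig", 5),
    IsakmpPolicy(2, "des", "md5", "pre-share", 1),
    IsakmpPolicy(3, "3des", "sha", "pre-share", 2),
]

if __name__ == "__main__":
    print(negotiate_phase1(INITIATOR, RESPONDER))
```

Note that the responder's priority order decides the outcome: the weaker DES/MD5 policy is selected because it is the responder's policy 2, even though both peers also share a 3DES/SHA policy.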