Cisco Secure Virtual Private Networks
8.2 Task 1: Preparing for IPSec
8.2.2 Step 1: Determine IKE (IKE phase one) policy
Configuring IKE is complicated. You
should determine the IKE policy details to enable the selected
authentication method, then configure it. Having a detailed plan
lessens the chances of improper configuration. Some planning steps
include the following:
Determine the key distribution method: Determine the key distribution method based on the numbers and
locations of IPSec peers. For small networks, you may wish to
manually distribute keys. For larger networks, you may wish to
use a CA server to support scalability of IPSec peers. You must
then configure Internet Security Association Key Management
Protocol (ISAKMP) to support the selected key distribution
method.
Determine the authentication method: Choose the authentication method based on the key distribution
method. PIX Firewall software supports either pre-shared keys or
RSA signatures to authenticate IPSec peers. This chapter focuses
on using pre-shared keys.
Identify IPSec peers' IP addresses and host names: Determine the details of all the IPSec peers that
will use ISAKMP and pre-shared keys for establishing security
associations (SAs). You will use this information to configure
IKE.
Determine ISAKMP policies for peers: An
ISAKMP policy defines a combination or "suite" of
security parameters used during the ISAKMP negotiation. Each
ISAKMP negotiation begins with the peers agreeing on a common
(shared) ISAKMP policy. The ISAKMP policy suites must be
determined in advance of configuration. You must then configure
IKE to support the policy details you determined. Some ISAKMP
policy details include the following:
Encryption algorithm
Hash algorithm
IKE SA lifetime
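
A planning check for the step above, as an added example that is not part of the original course material: it compares each peer's planned ISAKMP policy suites and reports peer pairs that share no suite or whose planned lifetimes differ. Peer names, priority numbers and parameter values are constructed, and matching on encryption, hash and authentication method only is a modelling assumption.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int        # planning order (assumption: lower number is compared first)
    encryption: str      # encryption algorithm, e.g. "3des"
    hash_alg: str        # hash algorithm, e.g. "sha"
    authentication: str  # "pre-share" or "rsa-sig"
    lifetime: int        # IKE SA lifetime in seconds

    def suite(self):
        # Parameters both peers must agree on exactly in this model.
        return (self.encryption, self.hash_alg, self.authentication)


def common_policy(local, remote):
    """Return the first (local, remote) policy pair with the same suite, or None."""
    for lp in sorted(local, key=lambda p: p.priority):
        for rp in sorted(remote, key=lambda p: p.priority):
            if lp.suite() == rp.suite():
                return lp, rp
    return None


def check_plan(plan):
    """Check every pair of peers in the plan; return {(peer_a, peer_b): finding}."""
    findings = {}
    for a, b in combinations(sorted(plan), 2):
        match = common_policy(plan[a], plan[b])
        if match is None:
            findings[(a, b)] = "no common ISAKMP policy"
        elif match[0].lifetime != match[1].lifetime:
            findings[(a, b)] = "common policy, lifetimes differ"
        else:
            findings[(a, b)] = "common policy"
    return findings


# Constructed planning worksheet: peer names and values are illustrative only.
PLAN = {
    "pix1": [IsakmpPolicy(10, "3des", "sha", "pre-share", 86400),
             IsakmpPolicy(20, "des", "md5", "pre-share", 86400)],
    "pix2": [IsakmpPolicy(10, "3des", "sha", "pre-share", 43200)],
    "pix3": [IsakmpPolicy(10, "des", "sha", "rsa-sig", 86400)],
}

if __name__ == "__main__":
    for pair, finding in check_plan(PLAN).items():
        print(pair, finding)
```

A pair reported as "no common ISAKMP policy" means the plan must be corrected before configuration; a lifetime difference is a prompt to confirm the intended value on both peers.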