
Table Of Contents

Internet Key Exchange

Internet Key Exchange (IKE)

IKE Policies

IKE Pre-shared Keys


Internet Key Exchange


The help topics in this section describe the Internet Key Exchange (IKE) configuration screens.

Internet Key Exchange (IKE)

Internet Key Exchange (IKE) is a standard method for arranging for secure, authenticated communications. IKE establishes session keys (and associated cryptographic and networking configuration) between two hosts across the network.

SDM lets you create IKE policies that will protect the identities of peers during authentication. SDM also lets you create pre-shared keys that peers exchange.

What Do You Want to Do?

If you want to:    Do this:

Learn more about IKE.
    Click More About IKE.

Enable IKE.
    You must enable IKE for VPN connections to use IKE negotiations.
    Click Global Settings, and then click Edit to enable IKE and make other global settings for IKE.

Create an IKE policy.
    SDM provides a default IKE policy, but there is no guarantee that the peer has the same policy. You should configure other IKE policies so that the router is able to offer an IKE policy that the peer can accept.
    Click the IKE Policy node on the VPN tree.

Create a pre-shared key.
    If IKE is used, the peers at each end must exchange a pre-shared key to authenticate each other.
    Click the Pre-Shared Key node on the VPN tree.


IKE Policies

IKE negotiations must be protected; therefore, each IKE negotiation begins with the two peers agreeing on a common (shared) IKE policy. This policy states which security parameters will be used to protect subsequent IKE negotiations. This window shows the IKE policies configured on the router, and allows you to add, edit, or remove an IKE policy from the router's configuration. If no IKE policies have been configured on the router, this window shows the default IKE policy.

After the two peers agree on a policy, the security parameters of the policy are identified by a security association established at each peer. These security associations apply to all subsequent IKE traffic during the negotiation.

The IKE policies in this list are available to all VPN connections.

Priority

An integer value that specifies the priority of this policy relative to the other configured IKE policies. Assign the lowest numbers to the IKE policies that you prefer that the router use. The router will offer those policies first during negotiations.

Encryption

The encryption algorithm used to protect IKE traffic negotiated under this policy.

Hash

The authentication algorithm for negotiation. There are two possible values:

Secure Hash Algorithm (SHA)

Message Digest 5 (MD5)

Authentication

The authentication method to be used.

Pre-SHARE. Authentication will be performed using pre-shared keys.

RSA_SIG. Authentication will be performed using digital signatures.

Type

Either SDM_DEFAULT or User Defined. SDM_DEFAULT policies cannot be edited.

What Do You Want to Do?

If you want to:    Do this:

Learn more about IKE policies.
    See More About IKE Policies.

Add an IKE policy to the router's configuration.
    SDM provides a default IKE policy, but there is no guarantee that the peer has the same policy. You should configure other IKE policies so that the router is able to offer an IKE policy that the peer can accept.
    Click Add, and configure a new IKE policy in the Add IKE policy window.

Edit an existing IKE policy.
    Choose the IKE policy that you want to edit, and click Edit. Then edit the IKE policy in the Edit IKE policy window.
    Default IKE policies are read only. They cannot be edited.

Remove an IKE policy from the router's configuration.
    Choose the IKE policy that you want to remove, and click Remove.


Add or Edit IKE Policy

Add or edit an IKE policy in this window.


Note: Not all routers support all encryption types. Unsupported types will not appear in the screen.

Not all IOS images support all the encryption types that SDM supports. Types unsupported by the IOS image will not appear in the screen.

If hardware encryption is turned on, only those encryption types supported by both hardware encryption and the IOS image will appear in the screen.


Priority

An integer value that specifies the priority of this policy relative to the other configured IKE policies. Assign the lowest numbers to the IKE policies that you prefer that the router use. The router will offer those policies first during negotiations.

Encryption

The encryption algorithm used to protect IKE traffic negotiated under this policy. SDM supports a variety of encryption types, listed in order of security. The more secure an encryption type, the more processing time it requires.


Note: If your router does not support an encryption type, the type will not appear in the list.


SDM supports the following types of encryption:

Data Encryption Standard (DES)—This form of encryption supports 56-bit encryption.

Triple Data Encryption Standard (3DES)—This is a stronger form of encryption than DES, supporting 168-bit encryption.

AES-128—Advanced Encryption Standard (AES) encryption with a 128-bit key. AES provides greater security than DES and is computationally more efficient than triple DES.

AES-192—Advanced Encryption Standard (AES) encryption with a 192-bit key.

AES-256—Advanced Encryption Standard (AES) encryption with a 256-bit key.

Hash

The authentication algorithm to be used for the negotiation. There are two options:

Secure Hash Algorithm (SHA)

Message Digest 5 (MD5)

Authentication

The authentication method to be used.

Pre-SHARE. Authentication will be performed using pre-shared keys.

RSA_SIG. Authentication will be performed using digital signatures.

D-H Group

Diffie-Hellman (D-H) Group. Diffie-Hellman is a public-key cryptography protocol that allows two routers to establish a shared secret over an insecure communications channel. The options are as follows:

group1—768-bit D-H Group. D-H Group 1.

group2—1024-bit D-H Group. D-H Group 2. This group provides more security than group 1, but requires more processing time.

group5—1536-bit D-H Group. D-H Group 5. This group provides more security than group 2, but requires more processing time.


Note: If your router does not support group5, it will not appear in the list.

Easy VPN servers do not support D-H Group 1.


Lifetime

This is the lifetime of the security association, in hours, minutes and seconds. The default is one day, or 24:00:00.
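The fields above are the security parameters that the two peers compare during policy agreement, and the priority number decides the order in which the router offers them. The following Python is an added example, not code from SDM or IOS: it models a policy with the fields on this screen, validates it against the constraints stated above (including the Easy VPN restriction on D-H group 1), renders it as the crypto isakmp policy commands SDM generates (the IOS keyword spellings are assumed; the page does not show them), and simulates the agreement step, where the initiator offers its policies lowest number first and the responder accepts the first offer whose parameters equal one of its own policies. Using the shorter of the two lifetimes is assumed IOS behaviour. The sample policies are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Encryption types in the page's order of increasing strength, mapped to the
# IOS keywords this example assumes (they are not shown on the page).
ENCRYPTION_IOS = {
    "des": "des",
    "3des": "3des",
    "aes-128": "aes 128",
    "aes-192": "aes 192",
    "aes-256": "aes 256",
}
HASHES = ("sha", "md5")
AUTH_METHODS = ("pre-share", "rsa-sig")
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}
DEFAULT_LIFETIME = 24 * 60 * 60  # 24:00:00, the default stated on the page


@dataclass(frozen=True)
class IkePolicy:
    priority: int
    encryption: str
    hash_alg: str
    authentication: str
    dh_group: int
    lifetime: int = DEFAULT_LIFETIME  # seconds

    def validate(self, easy_vpn_server: bool = False) -> List[str]:
        """Return the problems with this policy; an empty list means it is valid."""
        problems = []
        if self.priority < 1:
            problems.append("priority must be a positive integer")
        if self.encryption not in ENCRYPTION_IOS:
            problems.append(f"unknown encryption {self.encryption!r}")
        if self.hash_alg not in HASHES:
            problems.append(f"hash must be one of {HASHES}")
        if self.authentication not in AUTH_METHODS:
            problems.append(f"authentication must be one of {AUTH_METHODS}")
        if self.dh_group not in DH_GROUP_BITS:
            problems.append(f"D-H group must be one of {sorted(DH_GROUP_BITS)}")
        if easy_vpn_server and self.dh_group == 1:
            problems.append("Easy VPN servers do not support D-H group 1")
        if self.lifetime <= 0:
            problems.append("lifetime must be positive")
        return problems

    def parameters(self) -> Tuple[str, str, str, int]:
        """The security parameters both peers must agree on (lifetime is handled separately)."""
        return (self.encryption, self.hash_alg, self.authentication, self.dh_group)

    def to_ios(self) -> List[str]:
        """Render the policy as IOS commands (syntax assumed, see the mapping above)."""
        return [
            f"crypto isakmp policy {self.priority}",
            f" encryption {ENCRYPTION_IOS[self.encryption]}",
            f" hash {self.hash_alg}",
            f" authentication {self.authentication}",
            f" group {self.dh_group}",
            f" lifetime {self.lifetime}",
        ]


def negotiate(initiator: List[IkePolicy],
              responder: List[IkePolicy]) -> Optional[Tuple[IkePolicy, IkePolicy, int]]:
    """Simulate the policy agreement step: offer lowest priority number first and
    take the first offer the responder also has. Returns (offered, matched, agreed
    lifetime), or None when the peers share no policy. Shorter-lifetime-wins is an
    assumption about IOS behaviour."""
    for offer in sorted(initiator, key=lambda p: p.priority):
        for local in sorted(responder, key=lambda p: p.priority):
            if offer.parameters() == local.parameters():
                return offer, local, min(offer.lifetime, local.lifetime)
    return None


# Constructed sample: this router prefers a strong policy and keeps a fallback;
# the remote peer only has the fallback parameters, with a shorter lifetime.
LOCAL = [
    IkePolicy(10, "aes-256", "sha", "pre-share", 5),
    IkePolicy(20, "3des", "sha", "pre-share", 2),
]
PEER = [
    IkePolicy(1, "3des", "sha", "pre-share", 2, lifetime=3600),
    IkePolicy(2, "des", "md5", "pre-share", 1),
]
PEER_ONLY_DES = [IkePolicy(1, "des", "md5", "pre-share", 1)]

if __name__ == "__main__":
    result = negotiate(LOCAL, PEER)
    if result is None:
        print("no common IKE policy; add one the peer can accept")
    else:
        offered, matched, lifetime = result
        print(f"agreed: local policy {offered.priority}, peer policy {matched.priority}, lifetime {lifetime}s")
        print("\n".join(offered.to_ios()))
    print("peer with only DES/MD5:", negotiate(LOCAL, PEER_ONLY_DES))
```

Running the block shows why the page tells you to configure more than the default policy: the router's preferred AES-256 policy is never chosen because the peer lacks it, the 3DES fallback is agreed instead, and a peer that only offers DES/MD5 gets no match at all.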

IKE Pre-shared Keys

This window allows you to view, add, edit, and remove IKE pre-shared keys in the router's configuration. A pre-shared key is exchanged with a remote peer during IKE negotiation. Both peers must be configured with the same key.

Icon

If a pre-shared key is read-only, the read-only icon appears in this column. A pre-shared key will be marked as read-only if it is configured with the no-xauth CLI option.


Peer IP/Name

An IP address or name of a peer with whom this key is shared. If an IP address is supplied, it can specify all peers in a network or subnetwork, or just an individual host. If a name is specified, then the key is shared by only the named peer.

Network Mask

The network mask specifies how much of the peer IP address is used for the network address and how much is used for the host address. A network mask of 255.255.255.255 indicates that the peer IP address is an address for a specific host. A network mask containing zeros in the least significant bytes indicates that the peer IP address is a network or subnet address. For example, a network mask of 255.255.248.0 indicates that the first 22 bits of the address are used for the network address and that the last 10 bits are for the host part of the address.

Pre-Shared Key

The pre-shared key is not readable in SDM windows. If you need to examine the pre-shared key, go to View->Running Config. This will display the running configuration. The key is contained in the crypto isakmp key command.
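The Peer IP/Name and Network Mask columns together decide which peers a key applies to, and the crypto isakmp key command is where that mapping ends up in the running configuration. The following Python is an added example, not SDM's or IOS's own code: it computes the number of network bits a dotted-decimal mask encodes (rejecting non-contiguous masks), looks up the key entry that covers a given peer address, and renders each entry as the crypto isakmp key command (the address/hostname/no-xauth syntax is assumed from IOS; the page names only the command). Preferring the most specific matching mask is this example's choice; the page does not state how the router orders its lookup. The entries and key strings are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PresharedKeyEntry:
    """One row of the IKE Pre-shared Keys window."""
    key: str
    peer: str                       # hostname, or an IPv4 host/network address
    mask: str = "255.255.255.255"   # only meaningful for an IP peer; default = single host
    no_xauth: bool = False          # entries configured with no-xauth show as read-only


def prefix_length(mask: str) -> int:
    """Number of leading one bits in a dotted-decimal mask (the network part).
    ipaddress raises ValueError for a mask that is not contiguous ones then zeros."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def peer_network(entry: PresharedKeyEntry) -> Optional[ipaddress.IPv4Network]:
    """The address range an entry covers, or None when the peer is a hostname."""
    try:
        return ipaddress.IPv4Network(f"{entry.peer}/{entry.mask}", strict=False)
    except ValueError:
        return None


def key_for_peer(entries: List[PresharedKeyEntry], peer_ip: str) -> Optional[PresharedKeyEntry]:
    """Return the IP-based entry whose network contains peer_ip, preferring the most
    specific mask so that a host entry beats a covering subnet entry (assumption;
    hostname entries are skipped because they need DNS, not an address match)."""
    addr = ipaddress.IPv4Address(peer_ip)
    best, best_len = None, -1
    for entry in entries:
        net = peer_network(entry)
        if net is not None and addr in net and net.prefixlen > best_len:
            best, best_len = entry, net.prefixlen
    return best


def to_ios(entry: PresharedKeyEntry) -> str:
    """Render the entry as the crypto isakmp key command (IOS syntax assumed)."""
    if peer_network(entry) is None:
        line = f"crypto isakmp key {entry.key} hostname {entry.peer}"
    else:
        line = f"crypto isakmp key {entry.key} address {entry.peer} {entry.mask}"
    return line + (" no-xauth" if entry.no_xauth else "")


# Constructed sample entries; the key strings are placeholders, not real secrets.
ENTRIES = [
    PresharedKeyEntry("SUBNET-KEY-PLACEHOLDER", "10.1.0.0", "255.255.248.0"),
    PresharedKeyEntry("HOST-KEY-PLACEHOLDER", "10.1.3.7"),
    PresharedKeyEntry("NAMED-KEY-PLACEHOLDER", "branch.example.com", no_xauth=True),
]

if __name__ == "__main__":
    print("255.255.248.0 has", prefix_length("255.255.248.0"), "network bits")
    for ip in ("10.1.3.7", "10.1.5.9", "10.1.9.1"):
        hit = key_for_peer(ENTRIES, ip)
        print(ip, "->", hit.peer if hit else "no matching key entry")
    for entry in ENTRIES:
        print(to_ios(entry))
```

The lookup makes the mask semantics concrete: 10.1.5.9 is covered by the subnet entry, 10.1.3.7 is covered by both but gets its own host entry, and 10.1.9.1 lies outside the subnet and would have no pre-shared key at all.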

If you want to:    Do this:

Add a pre-shared key to the router's configuration.
    Click Add, and add the pre-shared key in the Add a new Pre Shared Key window.

Edit an existing pre-shared key.
    Select the pre-shared key, and click Edit. Then edit the key in the Edit Pre Shared Key window.

Remove an existing pre-shared key.
    Select the pre-shared key, and click Remove.


Add or Edit Pre Shared Key

Use this window to add or edit a pre-shared key.

Key

This is an alphanumeric string that will be exchanged with the remote peer. The same key must be configured on the remote peer. You should make this key difficult to guess. Question marks (?) and spaces must not be used in the pre-shared key.

Reenter Key

Enter the same string that you entered in the Key field, for confirmation.
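The Key and Reenter Key fields impose two checks: the string must avoid question marks and spaces and be hard to guess, and the two entries must match. The following Python is an added example, not SDM's own code: it applies the page's character rule, adds a minimum length and character-class check as this example's own measure of "difficult to guess" (the thresholds are assumptions, not SDM settings), and compares the two entries with a constant-time comparison so the confirmation step does not leak how much of the key matched. The sample keys are constructed.

```python
import hmac
from typing import List

FORBIDDEN = {"?", " "}   # the page: question marks and spaces must not be used
MIN_LENGTH = 16          # assumption for this example, not an SDM limit


def character_classes(key: str) -> int:
    """Count how many of lower, upper, digit and other character classes the key uses."""
    predicates = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for pred in predicates if any(pred(c) for c in key))


def check_preshared_key(key: str, reentered: str) -> List[str]:
    """Return the problems with a key and its confirmation; empty list means accept."""
    problems = []
    if not key:
        problems.append("key is empty")
    bad = sorted({c for c in key if c in FORBIDDEN})
    if bad:
        problems.append(f"key contains forbidden characters: {bad!r}")
    if len(key) < MIN_LENGTH:
        problems.append(f"key shorter than {MIN_LENGTH} characters")
    if character_classes(key) < 3:
        problems.append("key uses fewer than 3 character classes (easy to guess)")
    # Constant-time comparison: the result does not depend on where the strings differ.
    if not hmac.compare_digest(key.encode(), reentered.encode()):
        problems.append("Key and Reenter Key do not match")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real keys.
    for key, again in (("Tr0ub4dor-Bridge-9", "Tr0ub4dor-Bridge-9"),
                       ("open sesame?", "open sesame?"),
                       ("Tr0ub4dor-Bridge-9", "Tr0ub4dor-Bridge-8")):
        print(repr(key), "->", check_preshared_key(key, again) or "accepted")
```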

Peer

Select Hostname if you want the key to apply to a specific host. Select IP Address if you want to specify a network or subnetwork, or if you want to enter the IP address of a specific host because there is no DNS server to translate host names to IP addresses.

Hostname

This field appears if you selected "Hostname" in the Peer field. Enter the peer's host name. There must be a DNS server on the network capable of resolving the host name to an IP address.

IP Address/Subnet Mask

These fields appear if you selected "IP Address" in the Peer field. Enter the IP address of a network or subnet in the IP Address field. The pre-shared key will apply to all peers in that network or subnet. For more information, refer to IP Addresses and Subnet Masks.

Enter a subnet mask if the IP address you entered is a subnet address, and not the address of a specific host.

User Authentication [Xauth]

Check this box if site-to-site VPN peers use XAuth to authenticate themselves. If XAuth authentication is enabled in VPN Global Settings, it is enabled for site-to-site peers as well as for Easy VPN connections.



Posted: Fri Oct 7 13:25:59 PDT 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.