ISAKMP/IKE Phase 1 Preparation
The remainder of this chapter will discuss how to set up and modify L2L connections, and will examine the kinds of issues you'll deal with when using these connections. Before you begin adding an L2L session, you'll first need to create an ISAKMP/IKE Phase 1 transform set that you'll use for the L2L session. This section will discuss the ISAKMP/IKE Phase 1 transforms that you can use or create for your L2L connection.
Existing IKE Policies
Cisco already has some predefined Phase 1 transforms that you can use for your L2L sessions. If you recall from Chapter 7, "Concentrator Remote Access Connections with IPsec," to access the concentrator's existing Phase 1 transforms, you go to the Configuration > Tunneling and Security > IPsec > IKE Proposals screen.
Table 9-2 lists the L2L Phase 1 transforms that exist and are activated, by default, on the concentrators. Of course, there are other predefined transforms that are not activated by default. You can use the ones Cisco has predefined, modify these, or create your own.
| Proposal Name | Encryption Algorithm | HMAC Function | DH Key Group | Device Authentication |
|---|---|---|---|---|
| IKE-3DES-MD5 | 3DES | MD5 | 2 | Pre-shared keys |
| IKE-3DES-MD5-DH1 | 3DES | MD5 | 1 | Pre-shared keys |
| IKE-DES-MD5 | DES | MD5 | 1 | Pre-shared keys |
| IKE-3DES-MD5-RSA | 3DES | MD5 | 2 | RSA signatures |
| IKE-AES128-SHA | AES-128 | SHA | 2 | Pre-shared keys |
IKE Policy Screen
From the IKE policy screen, click the Add button to add a new proposal, or select an existing proposal by clicking its name and then click the Modify button to change it. Either action takes you to the IKE policies configuration screen shown in Figure 9-2.
Figure 9-2. IKE Policies Screen
I discussed the configuration of these options in Chapter 7, so I'll focus only on those items important for L2L sessions. The Authentication Mode parameter specifies the type of device authentication that is to be used. The parameter values ending in "(XAUTH)" or "(HYBRID)" can be used only by remote access clients. Therefore, your only options for this parameter are these three:
- "Preshared Keys"
- "RSA Digital Certificate"
- "DSA Digital Certificate"
The only Cisco products that support DSA certificates are Cisco VPN 3000 concentrators and the PIX and ASA security appliances running 7.0 or higher. Pre-shared keys typically are used if the number of L2L peers is small; if the number of peers is large, certificates are the preferred device authentication method, because they scale better.
Another parameter is the Diffie-Hellman Group parameter. Most remote peers will support only DH group 1 and 2 keys, so be sure that your proposal supports one of these two. Cisco routers, PIX and ASA security appliances, and VPN 3000 concentrators also support group 5, which is the most secure of the three (group 7 is used by PDAs).
Tip
A matching ISAKMP/IKE Phase 1 transform set must be found between two L2L peers before an ISAKMP/IKE Phase 1 management connection is built. The default lifetime of the management connection on all Cisco products is 86,400 seconds (1 day). If the remote peer follows the IPsec standard, this is the only value that doesn't have to match between the two peers when comparing management transforms; however, other vendors don't necessarily follow the IPsec standards verbatim. For example, if you're building an L2L session to a CheckPoint/Nokia device, you will need to match this value between the peers; otherwise the negotiation of the transform will fail!
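To make the matching rule in the Tip concrete, the following is an added example (not code from the book or from Cisco) that models Phase 1 proposal comparison: encryption, HMAC, DH group, and authentication method must agree, while the lifetime is compared only when `strict_lifetime` is set, as for the CheckPoint/Nokia case. The proposal names and attributes come from Table 9-2; the remote peer's offers and the 28,800-second lifetime are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_LIFETIME = 86400  # Cisco default Phase 1 lifetime, in seconds (1 day)


@dataclass(frozen=True)
class IkeProposal:
    name: str
    encryption: str
    hmac: str
    dh_group: int
    auth: str
    lifetime: int = DEFAULT_LIFETIME


# Local proposal list in priority order: the five default-active entries of Table 9-2.
LOCAL_PROPOSALS = [
    IkeProposal("IKE-3DES-MD5", "3DES", "MD5", 2, "Pre-shared keys"),
    IkeProposal("IKE-3DES-MD5-DH1", "3DES", "MD5", 1, "Pre-shared keys"),
    IkeProposal("IKE-DES-MD5", "DES", "MD5", 1, "Pre-shared keys"),
    IkeProposal("IKE-3DES-MD5-RSA", "3DES", "MD5", 2, "RSA signatures"),
    IkeProposal("IKE-AES128-SHA", "AES-128", "SHA", 2, "Pre-shared keys"),
]


def core_attributes_match(local: IkeProposal, remote: IkeProposal) -> bool:
    """The four attributes that must always agree for a Phase 1 match."""
    return (local.encryption == remote.encryption and local.hmac == remote.hmac
            and local.dh_group == remote.dh_group and local.auth == remote.auth)


def proposals_match(local: IkeProposal, remote: IkeProposal, strict_lifetime: bool = False) -> bool:
    """Standard behaviour ignores the lifetime; a strict peer also requires it to be equal."""
    if not core_attributes_match(local, remote):
        return False
    return (not strict_lifetime) or local.lifetime == remote.lifetime


def negotiate(local_list: List[IkeProposal], remote_list: List[IkeProposal],
              strict_lifetime: bool = False) -> Optional[str]:
    """Return the first local proposal (by priority) the peer also offers, else None (Phase 1 fails)."""
    for local in local_list:
        for remote in remote_list:
            if proposals_match(local, remote, strict_lifetime):
                return local.name
    return None


def lifetime_only_mismatches(local_list: List[IkeProposal], remote_list: List[IkeProposal]) -> List[str]:
    """Troubleshooting aid: local proposals that would match if only the lifetime were aligned."""
    return [local.name for local in local_list for remote in remote_list
            if core_attributes_match(local, remote) and local.lifetime != remote.lifetime]
```

Running `negotiate` against a constructed peer that offers AES-128/SHA/group 2/pre-shared keys with a 28,800-second lifetime succeeds with the standard rule but fails when the peer is strict; `lifetime_only_mismatches` then names the proposal whose lifetime needs to be changed.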