
Cisco VPN 3000 Series Concentrators Interoperability Profile
Configuring an IKE Proposal
An IKE proposal contains values for Phase 1 IPSec negotiations. During Phase 1 the two peers establish
a secure tunnel within which they then negotiate the Phase 2 parameters. The VPN Concentrator uses
IKE proposals both as initiator and responder in IPSec negotiations. In LAN-to-LAN connections, the
VPN Concentrator can function as initiator or responder.
You must configure, activate, and prioritize an IKE proposal before you can configure an IPSec
LAN-to-LAN connection or an IPSec Security Association. While Cisco does supply default IKE
proposals, none matches the VPN Consortium requirements.
Table 1 identifies the Cisco IKE parameters you configure to create an IKE proposal to meet the VPN
Consortium requirements.
Table 1 Cisco IKE Parameters
| Cisco IKE Parameter | Definition | VPN Consortium Value Required |
|---|---|---|
| Proposal Name | A unique name for the IKE proposal. In this example, the name is VPNC IKE A to B. | N/A |
| Authentication Mode | Method of authenticating the remote peer; either preshared secret or certificates. | Preshared Secret |
| Authentication Algorithm | Specifies the data, or packet, authentication method that proves that data comes from the source you think it comes from. | SHA-1 |
| Encryption Algorithm | The data, or packet, encryption algorithm. | Triple DES |
| Diffie-Hellman Group | The method used to generate IPSec SA keys. | MODP group 2 (1024 bits) |
| Lifetime Measurement | Method for measuring the lifetime of IPSec SA keys, either by time (in seconds) or by data (number of kilobytes) that travel across the tunnel. | Time |
| Time Lifetime | The number of seconds after which an IKE SA expires. | 2800 seconds (8 hours) |
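
The Table 1 values can be compared with what a peer actually offers in its Phase 1 proposal. The following is an added example, not part of the Cisco document: it decodes the attributes of an IKE Phase 1 transform using the attribute numbers from RFC 2409, Appendix A, and reports any that differ from the VPN Consortium values. The mapping of the Cisco parameter names onto RFC attribute classes, the function names, and the sample byte strings are assumptions constructed for illustration.

```python
import struct

# IKEv1 Phase 1 attribute classes and values from RFC 2409, Appendix A.
ENC, HASH, AUTH, GROUP, LIFE_TYPE, LIFE_DURATION = 1, 2, 3, 4, 11, 12
NAMES = {ENC: "Encryption Algorithm", HASH: "Authentication Algorithm",
         AUTH: "Authentication Mode", GROUP: "Diffie-Hellman Group",
         LIFE_TYPE: "Lifetime Measurement"}
# Table 1 values expressed as RFC 2409 numbers (assumed mapping):
# 3DES-CBC=5, SHA=2, pre-shared key=1, 1024-bit MODP=2, seconds=1
VPNC_PROFILE = {ENC: 5, HASH: 2, AUTH: 1, GROUP: 2, LIFE_TYPE: 1}


def parse_attributes(data: bytes) -> dict:
    """Decode ISAKMP data attributes (RFC 2408, section 3.3) into {class: int}."""
    attrs, off = {}, 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        atype, field = struct.unpack_from("!HH", data, off)
        off += 4
        if atype & 0x8000:               # AF=1: fixed 2-byte value (TV)
            attrs[atype & 0x7FFF] = field
        else:                            # AF=0: 'field' is a length (TLV)
            if off + field > len(data):
                raise ValueError("attribute value runs past end of payload")
            attrs[atype] = int.from_bytes(data[off:off + field], "big")
            off += field
    return attrs


def check_against_vpnc(attrs: dict) -> list:
    """Return a list of human-readable mismatches; empty means compliant."""
    return [f"{NAMES[c]}: got {attrs.get(c)}, profile requires {want}"
            for c, want in VPNC_PROFILE.items() if attrs.get(c) != want]


# Constructed sample transform attributes (not captured traffic).
# Life duration is the Table 1 figure, sent in TLV form with a 4-byte value;
# it is decoded but not judged by the check.
GOOD = bytes.fromhex("80010005" "80020002" "80030001" "80040002"
                     "800b0001" "000c0004" "00000af0")
# Same proposal but offering DES-CBC (1), MD5 (1) and 768-bit MODP group 1.
WEAK = bytes.fromhex("80010001" "80020001" "80030001" "80040001"
                     "800b0001" "000c0004" "00000af0")

if __name__ == "__main__":
    for label, blob in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, check_against_vpnc(parse_attributes(blob)) or "matches Table 1")
```

An empty result means every negotiated algorithm matches the profile; each mismatch names the Table 1 parameter that the offered proposal would violate.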