5. Use the IKE Policies page to configure the IKE policies and to specify an IKE policy for the IPsec VPN policy. You can choose the default or a custom IKE policy.
6. Click Add to add an IKE policy.
Other options: To edit an entry, click Edit. To delete an entry, select it and click Delete. The default IKE policy (DefaultIke) cannot be edited or deleted.
7. Enter the following information:
• Name: Enter the name for the IKE policy.
• Encryption: Choose the algorithm used to negotiate the security association. There are four algorithms supported by the security appliance: ESP_3DES, ESP_AES_128, ESP_AES_192, and ESP_AES_256.
• HASH: Specify the authentication algorithm for the VPN header. There are two HASH algorithms supported by the security appliance: SHA1 and MD5. Ensure that the authentication algorithm is configured identically on both sides.
• Authentication: Specify the authentication method that the security appliance uses to establish the identity of each IPsec peer.
– PRE_SHARE: Use a simple, password-based key to authenticate. The alphanumeric key is shared with the IKE peer. Pre-shared keys do not scale well with a growing network but are easier to set up in a small network.
– RSA_SIG: Use a digital certificate to authenticate. RSA_SIG is a digital certificate with keys generated by the RSA signatures algorithm. A certificate must be configured on the security appliance for RSA_SIG authentication to work.
• D-H Group: Choose the Diffie-Hellman group identifier. The identifier is used by two IPsec peers to derive a shared secret without transmitting it to each other. The D-H Group sets the strength of the algorithm in bits. The default is Group 5. The lower the Diffie-Hellman group number, the less CPU time it requires to be executed. The higher the D-H group number, the greater the security level.
• Lifetime: Enter the number of seconds for the IKE Security Association (SA) to remain valid. As a general rule, a shorter lifetime provides more secure ISAKMP negotiations. However, a shorter lifetime also means the security appliance must set up the next IKE SA sooner.
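The fields above are entered through the GUI and checked only for being valid choices, not for being sensible ones. The following Python helper is an added example, not part of the admin guide or the appliance firmware: it models an IKE policy with the options listed on the IKE Policies page (Encryption, HASH, Authentication, D-H Group, Lifetime), flags choices a reviewer would question (MD5, ESP_3DES, a D-H group below the default Group 5, a very long lifetime, a short pre-shared key), and reports which fields differ between the local and remote side, since the page requires both peers to be configured identically. The strength thresholds and the `pre_shared_key` field are this example's own assumptions.

```python
"""Audit helper for IKE phase 1 policy settings (added example, not vendor code).

Option names mirror the IKE Policies page: Encryption (ESP_3DES, ESP_AES_128,
ESP_AES_192, ESP_AES_256), HASH (SHA1, MD5), Authentication (PRE_SHARE, RSA_SIG),
D-H Group (integer, default 5) and Lifetime (seconds). The judgements about which
options are weak, and the thresholds used, are this example's own assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

ENCRYPTION = {"ESP_3DES", "ESP_AES_128", "ESP_AES_192", "ESP_AES_256"}
HASH = {"SHA1", "MD5"}
AUTH = {"PRE_SHARE", "RSA_SIG"}

DEFAULT_DH_GROUP = 5          # default shown on the IKE Policies page
MAX_LIFETIME_SECONDS = 86400  # assumption: rekey at least daily
MIN_PSK_LENGTH = 20           # assumption: minimum pre-shared key length


@dataclass
class IkePolicy:
    name: str
    encryption: str
    hash_alg: str
    authentication: str
    dh_group: int
    lifetime: int              # seconds the IKE SA remains valid
    pre_shared_key: str = ""   # constructed field; only meaningful for PRE_SHARE


def audit_ike_policy(p: IkePolicy) -> list[str]:
    """Return human-readable findings for one policy; an empty list means no concerns."""
    findings: list[str] = []

    if p.encryption not in ENCRYPTION:
        findings.append(f"unsupported encryption {p.encryption!r}")
    elif p.encryption == "ESP_3DES":
        findings.append("ESP_3DES uses a 64-bit block cipher; prefer an AES option")

    if p.hash_alg not in HASH:
        findings.append(f"unsupported hash {p.hash_alg!r}")
    elif p.hash_alg == "MD5":
        findings.append("MD5 is deprecated for authentication; use SHA1")

    if p.authentication not in AUTH:
        findings.append(f"unsupported authentication {p.authentication!r}")
    elif p.authentication == "PRE_SHARE" and len(p.pre_shared_key) < MIN_PSK_LENGTH:
        findings.append(f"pre-shared key shorter than {MIN_PSK_LENGTH} characters")

    if p.dh_group < DEFAULT_DH_GROUP:
        findings.append(f"D-H group {p.dh_group} is below the default Group {DEFAULT_DH_GROUP}")

    if p.lifetime <= 0:
        findings.append("lifetime must be a positive number of seconds")
    elif p.lifetime > MAX_LIFETIME_SECONDS:
        findings.append(f"lifetime {p.lifetime}s exceeds {MAX_LIFETIME_SECONDS}s")

    return findings


# Fields both peers must agree on for phase 1 to negotiate. Lifetime is left out:
# peers may be configured differently and settle on the shorter value.
NEGOTIATED_FIELDS = ("encryption", "hash_alg", "authentication", "dh_group")


def mismatched_fields(local: IkePolicy, remote: IkePolicy) -> list[str]:
    """Return the names of negotiated fields that differ between the two peers."""
    return [f for f in NEGOTIATED_FIELDS if getattr(local, f) != getattr(remote, f)]


if __name__ == "__main__":
    # Constructed sample policies, not taken from any real device.
    legacy = IkePolicy("legacy", "ESP_3DES", "MD5", "PRE_SHARE", 2, 172800, "secret")
    branch = IkePolicy("branch", "ESP_AES_256", "SHA1", "RSA_SIG", 14, 28800)
    hq = IkePolicy("hq", "ESP_AES_256", "MD5", "RSA_SIG", 14, 28800)

    for policy in (legacy, branch):
        print(policy.name, audit_ike_policy(policy) or ["ok"])
    print("branch vs hq mismatches:", mismatched_fields(branch, hq))
```

Run it against each side's settings before bringing a tunnel up: an empty audit list and an empty mismatch list mean the policy uses none of the weaker options and the two peers will at least agree on the phase 1 proposal.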