The Internet Key Exchange (IKE) protocol is a negotiation protocol that establishes an encryption method to protect data and ensure privacy, and an authentication method to verify the identity of devices that are trying to connect to your network.
You can create IKE policies to define the security parameters (such as authentication of the peer, encryption algorithms, and so forth) to be used for a VPN tunnel.
NOTE: Up to 16 IKE policies can be configured on the security appliance.
1. Click VPN > Site-to-Site > IKE Policies.
The IKE Policies window opens. The default and custom IKE policies are listed in the table.
2. To add a new IKE policy, click Add.
Other options: To edit an entry, click the Edit (pencil) icon. To delete an entry, click the Delete (x) icon. To delete multiple entries, check them and click Delete. The default IKE policy (DefaultIke) cannot be edited or deleted.
The IKE Policy - Add/Edit window opens.
3. Enter the following information:
• Name: Enter the name for the IKE policy.
• Encryption: Choose the algorithm used to negotiate the security association. There are four algorithms supported by the security appliance: ESP_3DES, ESP_AES_128, ESP_AES_192, and ESP_AES_256.
• Hash: Specify the authentication algorithm for the VPN header. There are two hash algorithms supported by the security appliance: SHA1 and MD5.
NOTE: Ensure that the authentication algorithm is configured identically on both sides.
• Authentication: Specify the authentication method that the security appliance uses to establish the identity of each IPsec peer.
– Pre-shared Key: Uses a simple, password-based key to authenticate. The alpha-numeric key is shared with the IKE peer. Pre-shared keys do not scale well with a growing network but are easier to set up in a small network.
– RSA_SIG: Uses a digital certificate to authenticate. RSA_SIG authenticates the peer with a digital certificate whose keys are generated by the RSA signature algorithm. A certificate must be configured on the security appliance for RSA-Signature authentication to work.
• D-H Group: Choose the Diffie-Hellman group identifier, which the two IPsec peers use to derive a shared secret without transmitting it to each other. The D-H Group sets the strength of the algorithm in bits. The lower the Diffie-Hellman group number, the less CPU time it requires to be executed. The higher the Diffie-Hellman group number, the greater the security.
• Lifetime: Enter the number of seconds for the IKE Security Association (SA) to remain valid. As a general rule, a shorter lifetime provides more secure ISAKMP (Internet Security Association and Key Management Protocol) negotiations (up to a point). However, with longer lifetimes, the security appliance sets up future IPsec SAs more quickly, because it renegotiates less often. The default value is 24 hours.
4. Click OK to save your settings.
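The parameters above are the whole security budget of the tunnel, and the NOTE under Hash points at the most common failure mode: the two peers must agree on them. The following checker is an added example, not part of the appliance's software or this guide: it takes an IKE policy with the same fields as the Add/Edit form, flags the weaker choices the form offers (ESP_3DES, MD5, a low D-H group, a short pre-shared key, an over-long lifetime), and reports which fields differ between a local policy and its peer's. The baseline thresholds (minimum D-H group 14, minimum key length 20, maximum lifetime equal to the 24-hour default) are this example's own assumptions, not values the appliance enforces.

```python
"""Added example: score an IKE policy against a conservative baseline and
compare it with the peer's policy.  Field names mirror the IKE Policy
Add/Edit form; thresholds are assumptions, not appliance defaults."""
from dataclasses import dataclass
from typing import List

# Algorithm identifiers exactly as the IKE Policy form lists them.
ENCRYPTION_ALGS = {"ESP_3DES", "ESP_AES_128", "ESP_AES_192", "ESP_AES_256"}
HASH_ALGS = {"SHA1", "MD5"}
AUTH_METHODS = {"Pre-shared Key", "RSA_SIG"}

# Baseline assumptions for this example (not enforced by the appliance).
MIN_DH_GROUP = 14            # 2048-bit MODP; groups 1, 2 and 5 are treated as too weak
MAX_LIFETIME_SECONDS = 86400 # the guide's 24-hour default, used here as the upper bound
MIN_PSK_LENGTH = 20          # assumed minimum length for a pre-shared key


@dataclass
class IkePolicy:
    """One entry as it would appear in the IKE Policies table."""
    name: str
    encryption: str
    hash_alg: str
    authentication: str
    dh_group: int
    lifetime: int            # seconds the IKE SA remains valid
    pre_shared_key: str = "" # only meaningful when authentication == "Pre-shared Key"


def check_policy(policy: IkePolicy) -> List[str]:
    """Return hardening findings; an empty list means the policy meets the baseline."""
    findings: List[str] = []

    if policy.encryption not in ENCRYPTION_ALGS:
        findings.append(f"unknown encryption algorithm {policy.encryption!r}")
    elif policy.encryption == "ESP_3DES":
        findings.append("ESP_3DES is a legacy 64-bit-block cipher; prefer ESP_AES_256")

    if policy.hash_alg not in HASH_ALGS:
        findings.append(f"unknown hash algorithm {policy.hash_alg!r}")
    elif policy.hash_alg == "MD5":
        findings.append("MD5 is deprecated for IKE integrity; choose SHA1")

    if policy.authentication not in AUTH_METHODS:
        findings.append(f"unknown authentication method {policy.authentication!r}")
    elif policy.authentication == "Pre-shared Key" and len(policy.pre_shared_key) < MIN_PSK_LENGTH:
        findings.append(f"pre-shared key shorter than {MIN_PSK_LENGTH} characters")

    # Higher D-H group number means a larger modulus and more security (guide text).
    if policy.dh_group < MIN_DH_GROUP:
        findings.append(f"D-H group {policy.dh_group} is below baseline group {MIN_DH_GROUP}")

    # Shorter lifetime means more frequent rekeying; cap at the 24-hour default.
    if policy.lifetime <= 0:
        findings.append("lifetime must be a positive number of seconds")
    elif policy.lifetime > MAX_LIFETIME_SECONDS:
        findings.append(f"lifetime {policy.lifetime}s exceeds {MAX_LIFETIME_SECONDS}s")

    return findings


def mismatched_fields(local: IkePolicy, peer: IkePolicy) -> List[str]:
    """Fields that must be identical on both peers for the negotiation to succeed.
    Lifetime is left out: peers may propose different lifetimes and settle on one."""
    must_match = ("encryption", "hash_alg", "authentication", "dh_group")
    return [f for f in must_match if getattr(local, f) != getattr(peer, f)]


if __name__ == "__main__":
    # Constructed sample policies, not taken from any real appliance.
    legacy = IkePolicy("legacy", "ESP_3DES", "MD5", "Pre-shared Key", 2, 86400, "secret")
    hardened = IkePolicy("hardened", "ESP_AES_256", "SHA1", "RSA_SIG", 14, 28800)
    for p in (legacy, hardened):
        print(p.name, check_policy(p) or "OK")
    print("peer mismatch:", mismatched_fields(hardened, legacy))
```

Run it once against the local policy and once against the peer's, then compare the two with `mismatched_fields`; any field it reports will show up as a failed IKE negotiation rather than an obvious error, so it is worth catching before the tunnel is brought up.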