Because IKE negotiations must be protected, each IKE negotiation begins by agreement of both peers on a common (shared) IKE
policy. This policy states which security parameters will be used to protect subsequent IKE negotiations and mandates how
the peers are authenticated.
After the two peers agree upon a policy, the security parameters of the policy are identified by an SA established at each
peer, and these SAs apply to all subsequent IKE traffic during the negotiation.
You can configure multiple, prioritized policies on each peer--each with a different combination of parameter values. However,
at least one of these policies must contain exactly the same encryption, hash, authentication, and Diffie-Hellman parameter
values as one of the policies on the remote peer. For each policy that you create, you assign a unique priority (1 through
10,000, with 1 being the highest priority).
If you are interoperating with a device that supports only one of the values for a parameter, your choice is limited to the
value supported by the other device. Aside from this limitation, there is often a trade-off between security and performance,
and many of these parameter values represent such a trade-off. You should evaluate the level of security risks for your network
and your tolerance for these risks.
When the IKE negotiation begins, IKE searches for an IKE policy that is the same on both peers. The peer that initiates the
negotiation will send all its policies to the remote peer, and the remote peer will try to find a match. The remote peer looks
for a match by comparing its own highest priority policy against the policies received from the other peer. The remote peer
checks each of its policies in order of its priority (highest priority first) until a match is found.
A match is made when both policies from the two peers contain the same encryption, hash, authentication, and Diffie-Hellman
parameter values, and when the remote peer’s policy specifies a lifetime that is less than or equal to the lifetime in the
policy being compared. (If the lifetimes are not identical, the shorter lifetime--from the remote peer’s policy--will be used.)
If a match is found, IKE will complete negotiation, and IPsec security associations will be created. If no acceptable match
is found, IKE refuses negotiation and IPsec will not be established.
Depending on which authentication method is specified in a policy, additional configuration might be required. If a peer’s
policy does not have the required companion configuration, the peer will not submit the policy when attempting to find a matching
policy with the remote peer.
You should set the ISAKMP identity for each peer that uses preshared keys in an IKE policy.
When two peers use IKE to establish IPsec SAs, each peer sends its identity to the remote peer. Each peer sends either its
hostname or its IPv6 address, depending on how you have set the ISAKMP identity of the router.
By default, a peer’s ISAKMP identity is the IPv6 address of the peer. If appropriate, you could change the identity to be
the peer’s hostname instead. As a general rule, set the identities of all peers the same way--either all peers should use
their IPv6 addresses or all peers should use their hostnames. If some peers use their hostnames and some peers use their IPv6
addresses to identify themselves to each other, IKE negotiations could fail if the identity of a remote peer is not recognized
and a DNS lookup is unable to resolve the identity.
Perform this task to create an IKE policy and a preshared key in IPv6.