Configuration > Site-to-Site VPN > Advanced > IKE Policies
Use this pane to Add, Edit, or Delete IKEv1 and IKEv2 Policies.
To set the terms of the IKE negotiations, you create one or more IKE policies, which include the following:
A unique priority (1 through 65,543, with 1 the highest priority).
An authentication method, to ensure the identity of the peers.
An encryption method, to protect the data and ensure privacy.
An HMAC method to ensure the identity of the sender, and to ensure that the message has not been modified in transit.
A Diffie-Hellman group to establish the strength of the encryption-key-determination algorithm. The ASA uses this algorithm to derive the encryption and hash keys.
A limit for how long the ASA uses an encryption key before replacing it.
Each IKE negotiation is divided into two sections called Phase 1 and Phase 2. Phase 1 creates the first tunnel, which protects later IKE negotiation messages. Phase 2 creates the tunnel that protects data.
For IKEv1, you can only enable one setting for each parameter. For IKEv2, each proposal can have multiple settings for Encryption, D-H Group, Integrity Hash, and PRF Hash.
If you do not configure any IKE policies, the ASA uses the default policy, which is always set to the lowest priority, and which contains the default value for each parameter. If you do not specify a value for a specific parameter, the default value takes effect.
When IKE negotiation begins, the peer that initiates the negotiation sends all of its policies to the remote peer, and the remote peer searches for a match with its own policies, in priority order.
A match between IKE policies exists if they have the same encryption, hash, authentication, and Diffie-Hellman values, and an SA lifetime less than or equal to the lifetime in the policy sent. If the lifetimes are not identical, the shorter lifetime—from the remote peer policy—applies. If no match exists, IKE refuses negotiation and the IKE SA is not established.
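The responder-side matching rule described above, worked through as an added Python example; this is not code from the ASA documentation or from Cisco, the policy values are constructed sample input, and the default policy parameter stands in for the default policy mentioned earlier (its values here are placeholders, not the real ASA defaults).

```python
from dataclasses import dataclass, replace
from typing import Optional

# One IKEv1 policy: a single value per parameter plus the SA lifetime.
# (IKEv2 proposals allow several values per parameter; not modelled here.)
@dataclass(frozen=True)
class IkePolicy:
    priority: int          # 1 is the highest priority
    encryption: str
    hash_alg: str
    authentication: str
    dh_group: int
    lifetime: int          # SA lifetime in seconds

def policies_match(sent: IkePolicy, own: IkePolicy) -> bool:
    """Match rule from the text: identical encryption, hash, authentication
    and D-H group, and an own lifetime no longer than the one sent."""
    return (sent.encryption == own.encryption
            and sent.hash_alg == own.hash_alg
            and sent.authentication == own.authentication
            and sent.dh_group == own.dh_group
            and own.lifetime <= sent.lifetime)

def negotiate(sent: list[IkePolicy], own: list[IkePolicy],
              default: Optional[IkePolicy] = None) -> Optional[IkePolicy]:
    """Responder side: walk own policies in priority order, then the default
    policy (if any) at the lowest priority, and return the agreed policy with
    the shorter lifetime. None means no match: the IKE SA is not established."""
    candidates = sorted(own, key=lambda p: p.priority)
    if default is not None:
        candidates.append(default)
    for mine in candidates:
        for theirs in sent:
            if policies_match(theirs, mine):
                return replace(mine, lifetime=min(mine.lifetime, theirs.lifetime))
    return None

# Constructed sample input (not a real configuration and not the ASA defaults).
SENT = [  # what the initiating peer sends: all of its policies
    IkePolicy(10, "aes-256", "sha", "pre-share", 14, 86400),
    IkePolicy(20, "3des", "md5", "pre-share", 2, 86400),
]
OWN = [  # the responding peer's own policies
    IkePolicy(5, "3des", "sha", "pre-share", 2, 86400),      # hash differs from sent #20
    IkePolicy(15, "aes-256", "sha", "pre-share", 14, 28800),  # matches sent #10
]
DEFAULT_POLICY = IkePolicy(65543, "3des", "sha", "pre-share", 2, 86400)  # placeholder values
```

negotiate(SENT, OWN) returns the priority-15 policy carrying the shorter 28800-second lifetime, while negotiate(SENT, OWN[:1]) returns None because the remaining policy's hash does not match either sent policy.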