IKE Policies Help
Overview
The IKE (Internet Key Exchange) protocol performs negotiations between the two VPN gateways and provides automatic management of the keys used in IPsec.
- "Auto" VPN policies MUST use IKE.
- "Manual" VPN policies can NOT use IKE.
IKE Operation
- The VPN Policy Selector determines that some traffic matches an existing VPN Policy.
- If the VPN policy is of type "Auto", then the IKE Policy table is accessed.
- The first matching IKE Policy is used to start negotiations with the remote VPN Gateway.
- If negotiations fail, the next matching IKE Policy is used.
- If none of the matching IKE Policies are acceptable to the remote VPN Gateway, then a VPN tunnel cannot be established.
- An IKE session is established, using the SA (Security Association) parameters specified in the IKE Policy.
- Keys and other parameters are exchanged.
- An IPsec SA (Security Association) is established, using the parameters in the VPN Policy.
- The VPN tunnel is then available for data transfer.
Policy Table
The Policy Table contains the following data:
- Name - Uniquely identifies each IKE policy. The name is used only on this device to identify the policy; it is not supplied to the remote VPN gateway.
- Mode - The Mode can be "Main" or "Aggressive".
- Main Mode is slower but more secure. Also, the "ID" (see next item) must be by IP address.
- Aggressive mode is faster but less secure. The "ID" can be by name (hostname, domain name, e-mail address, etc.) instead of by IP address.
- Local ID - The IKE/ISAKMP identity of this device. (The remote VPN must have this value as its "Remote ID".)
- Remote ID - The IKE/ISAKMP identity of the remote VPN Gateway. (The remote VPN must have this value as its "Local ID".)
- Encr - Encryption Algorithm used for the IKE SA. (This setting must match the Remote VPN.)
- Auth - Authentication Algorithm used for the IKE SA. (This setting must match the Remote VPN.)
- DH - Diffie-Hellman Group. The Diffie-Hellman algorithm is used when exchanging keys. The DH Group determines the size (number of bits) of the key exchange. (This setting must match the Remote VPN.)
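The policy walk described under "IKE Operation" and the cross-matching rules of the Policy Table (our Local ID must equal the peer's Remote ID and vice versa; Encr, Auth and DH must match; Main mode needs IP-address IDs) can be made concrete with a small simulation. The following is an added example, not code from the router's firmware or from this help page; the `RemoteGateway` model of what the peer will accept, the sample addresses and the algorithm names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IkePolicy:
    """One row of the IKE Policy table (field names follow the help page)."""
    name: str
    mode: str          # "Main" or "Aggressive"
    local_id: str      # IKE/ISAKMP identity of this device
    remote_id: str     # identity expected from the remote gateway
    encr: str          # encryption algorithm for the IKE SA
    auth: str          # authentication algorithm for the IKE SA
    dh: int            # Diffie-Hellman group number


@dataclass(frozen=True)
class RemoteGateway:
    """Constructed model of what the remote gateway accepts, seen from its side.
    Its local_id must equal our Remote ID; its remote_id must equal our Local ID."""
    local_id: str
    remote_id: str
    modes: frozenset
    encr: frozenset
    auth: frozenset
    dh: frozenset


def is_ip_address(value: str) -> bool:
    """True if the ID is a literal IPv4/IPv6 address (required by Main mode)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def mismatches(policy: IkePolicy, remote: RemoteGateway) -> list:
    """Return every reason the remote gateway would reject this IKE policy.
    An empty list means the policy is acceptable."""
    reasons = []
    if policy.mode not in remote.modes:
        reasons.append(f"mode {policy.mode} not accepted")
    if policy.mode == "Main" and not (
        is_ip_address(policy.local_id) and is_ip_address(policy.remote_id)
    ):
        reasons.append("Main mode requires IP-address IDs")
    if policy.local_id != remote.remote_id:
        reasons.append(f"Local ID {policy.local_id!r} != peer Remote ID {remote.remote_id!r}")
    if policy.remote_id != remote.local_id:
        reasons.append(f"Remote ID {policy.remote_id!r} != peer Local ID {remote.local_id!r}")
    if policy.encr not in remote.encr:
        reasons.append(f"encryption {policy.encr} not accepted")
    if policy.auth not in remote.auth:
        reasons.append(f"authentication {policy.auth} not accepted")
    if policy.dh not in remote.dh:
        reasons.append(f"DH group {policy.dh} not accepted")
    return reasons


def select_ike_policy(policies, remote):
    """Walk matching policies in table order, as the help page describes:
    the first policy acceptable to the peer wins; if none is, no tunnel."""
    attempts = []
    for policy in policies:
        reasons = mismatches(policy, remote)
        attempts.append((policy.name, reasons))
        if not reasons:
            return policy, attempts
    return None, attempts


# Constructed sample: the peer only speaks Main mode with AES-256/SHA-256/DH14.
REMOTE = RemoteGateway(
    local_id="203.0.113.10", remote_id="198.51.100.5",
    modes=frozenset({"Main"}), encr=frozenset({"AES-256"}),
    auth=frozenset({"SHA-256"}), dh=frozenset({14}),
)

# Constructed IKE Policy table, in the order the selector tries them.
POLICIES = [
    IkePolicy("branch-aggr", "Aggressive", "branch.example.net", "hq.example.net",
              "AES-256", "SHA-256", 14),            # wrong mode and name-based IDs
    IkePolicy("branch-main-dh5", "Main", "198.51.100.5", "203.0.113.10",
              "AES-256", "SHA-256", 5),             # everything matches except DH
    IkePolicy("branch-main-dh14", "Main", "198.51.100.5", "203.0.113.10",
              "AES-256", "SHA-256", 14),            # acceptable
]

if __name__ == "__main__":
    chosen, attempts = select_ike_policy(POLICIES, REMOTE)
    for name, reasons in attempts:
        print(name, "->", "accepted" if not reasons else "; ".join(reasons))
    print("tunnel can be established" if chosen else "no acceptable IKE policy")
```

Running the script shows the first two policies rejected with their reasons and the third accepted; removing the third policy makes `select_ike_policy` return `None`, which is the "VPN tunnel cannot be established" case. When troubleshooting a tunnel that will not come up, comparing the two gateways' tables field by field in this way (IDs swapped, Encr/Auth/DH identical, Main mode only with IP-address IDs) finds most configuration mismatches.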