
Cisco FirePOWER ASA 5500 series User Manual

Cisco FirePOWER ASA 5500 series
989 pages
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 27 Configuring IPSec and ISAKMP
IPSec Overview
IPSec provides the most complete architecture for VPN tunnels, and it is perceived as the most secure
protocol. IPSec provides authentication and encryption services to prevent unauthorized viewing or
modification of data within your network or as it travels over an unprotected network, such as the public
Internet. Our implementation of the IPSec standard uses the ESP security protocol to provide
authentication, encryption, and anti-replay services.
The security appliance implements IPSec in two types of configurations:
• LAN-to-LAN configurations are between two IPSec security gateways, such as security appliance
units or other protocol-compliant VPN devices. A LAN-to-LAN VPN connects networks in different
geographic locations.
• Remote access configurations provide secure remote access for Cisco VPN clients, such as mobile
users. A remote access VPN lets remote users securely access centralized network resources.
The Cisco VPN client complies with the IPSec protocol and is specifically designed to work with
the security appliance. However, the security appliance can establish IPSec connections with many
protocol-compliant clients.
In IPSec LAN-to-LAN connections, the security appliance can function as initiator or responder. In
IPSec remote access connections, the security appliance functions only as responder. Initiators propose
SAs; responders accept, reject, or make counter-proposals—all in accordance with configured security
association (SA) parameters. To establish a connection, both entities must agree on the SAs.
In IPSec terminology, a peer is a remote-access client or another secure gateway.
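As an added illustration (not code from the Cisco guide), the following Python sketch models the responder's accept-or-reject decision described above and the rule that the appliance initiates only in LAN-to-LAN connections. The SA attribute names, the list-order preference, and the sample policies are assumptions made for the example; counter-proposals are not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SAProposal:
    # Hypothetical attribute set for this sketch; the page does not list SA parameters.
    encryption: str
    integrity: str
    auth: str
    dh_group: int


def may_initiate(connection_type: str) -> bool:
    """Per the text: the appliance initiates only in LAN-to-LAN connections."""
    return connection_type == "lan-to-lan"


def respond(offered: List[SAProposal],
            configured: List[SAProposal]) -> Optional[SAProposal]:
    """Responder decision: accept an offered SA only if it equals a configured one.

    Assumption: configured entries are tried in list order (most preferred first).
    Returns None when nothing matches, i.e. the proposal is rejected.
    """
    offered_set = set(offered)
    for policy in configured:
        if policy in offered_set:
            return policy
    return None


# Constructed sample data (not taken from the manual).
RESPONDER_POLICY = [
    SAProposal("aes-256", "sha", "pre-share", 5),
    SAProposal("3des", "sha", "pre-share", 2),
]
LEGACY_ONLY = [SAProposal("des", "md5", "pre-share", 1)]
MIXED = LEGACY_ONLY + [SAProposal("3des", "sha", "pre-share", 2)]

if __name__ == "__main__":
    print("mixed offer  ->", respond(MIXED, RESPONDER_POLICY))
    print("legacy only  ->", respond(LEGACY_ONLY, RESPONDER_POLICY))
    print("remote access may initiate:", may_initiate("remote-access"))
```

Because agreement is possible only on an SA the responder has configured, the configured list bounds what any peer can negotiate: the legacy-only offer is rejected outright rather than downgraded.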
Configuring ISAKMP
This section describes the Internet Key Exchange (IKE) protocol, which is also called the Internet Security
Association and Key Management Protocol (ISAKMP). The security appliance IKE commands use ISAKMP as a
keyword, which this guide echoes. ISAKMP works with IPSec to make VPNs more scalable. This
section includes the following topics:
• ISAKMP Overview, page 27-2
• Configuring ISAKMP Policies, page 27-5
• Enabling ISAKMP on the Outside Interface, page 27-6
• Disabling ISAKMP in Aggressive Mode, page 27-6
• Determining an ID Method for ISAKMP Peers, page 27-6
• Enabling IPSec over NAT-T, page 27-7
• Enabling IPSec over TCP, page 27-8
• Waiting for Active Sessions to Terminate Before Rebooting, page 27-9
• Alerting Peers Before Disconnecting, page 27-9
ISAKMP Overview
IKE, also called ISAKMP, is the negotiation protocol that lets two hosts agree on how to build an IPSec
security association. ISAKMP separates negotiation into two phases: Phase 1 and Phase 2.
