Cisco Systems ISA550 User Manual
Configuration Wizards
Using the Site-to-Site VPN Wizard to Configure Site-to-Site VPN
Cisco ISA500 Series Integrated Security Appliances Administration Guide
STEP 4
After you are finished, click Next.
Configuring IKE Policies
STEP 5
Use the IKE Policies page to configure the IKE policies and to specify an IKE policy
for the IPsec VPN policy. You can choose the default or a custom IKE policy.
STEP 6
Click Add to add an IKE policy.
Other options: To edit an entry, click Edit. To delete an entry, select it and click
Delete. The default IKE policy (DefaultIke) cannot be edited or deleted.
STEP 7
Enter the following information:
• Name: Enter the name for the IKE policy.
• Encryption: Choose the algorithm used to negotiate the security
association. There are four algorithms supported by the security appliance:
ESP_3DES, ESP_AES_128, ESP_AES_192, and ESP_AES_256.
• HASH: Specify the authentication algorithm for the VPN header. There are
two HASH algorithms supported by the security appliance: SHA1 and MD5.
Ensure that the authentication algorithm is configured identically on both
sides.
• Authentication: Specify the authentication method that the security
appliance uses to establish the identity of each IPsec peer.
  - PRE_SHARE: Use a simple, password-based key to authenticate. The
  alphanumeric key is shared with the IKE peer. Pre-shared keys do not scale
  well with a growing network but are easier to set up in a small network.
  - RSA_SIG: Use a digital certificate to authenticate. RSA_SIG is a digital
  certificate with keys generated by the RSA signature algorithm. In this
  case, a certificate must be configured in order for RSA-Signature
  authentication to work.
• D-H Group: Choose the Diffie-Hellman group identifier. The identifier is used
by two IPsec peers to derive a shared secret without transmitting it to each
other. The D-H Group sets the strength of the algorithm in bits. The default is
Group 5. The lower the Diffie-Hellman group number, the less CPU time the
exchange requires; the higher the D-H group number, the greater the
security level.
  - Group 2 (1024-bit)
  - Group 5 (1536-bit)
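The following is an added example, not part of the Cisco guide, that audits an IKE policy built from the parameters described in this section (Encryption, HASH, Authentication, D-H Group) and checks that two peers' policies match as the HASH note requires. The dictionary layout, the strength thresholds and the finding texts are the editor's assumptions, not a Cisco API; the value labels are the ones shown on the IKE Policies page.

```python
# Added example: audit an ISA500-style IKE policy and compare two peers.
# Value labels (ESP_3DES, SHA1, PRE_SHARE, ...) follow the IKE Policies page;
# the dict layout and the strength thresholds below are assumptions.

# Effective key strength in bits (3DES is limited to 112 bits by meet-in-the-middle).
ENCRYPTION = {"ESP_3DES": 112, "ESP_AES_128": 128,
              "ESP_AES_192": 192, "ESP_AES_256": 256}
HASH = {"MD5", "SHA1"}
AUTH = {"PRE_SHARE", "RSA_SIG"}
DH_GROUP_BITS = {2: 1024, 5: 1536}
# Phase 1 only negotiates when these are identical on both peers.
MUST_MATCH = ("encryption", "hash", "authentication", "dh_group")


def audit_ike_policy(policy):
    """Return a list of findings for one policy dict with keys
    name, encryption, hash, authentication, dh_group."""
    findings = []
    enc, h, auth, grp = (policy.get(k) for k in MUST_MATCH)
    if enc not in ENCRYPTION:
        findings.append(f"unknown encryption {enc!r}")
    elif ENCRYPTION[enc] < 128:
        findings.append(f"{enc} gives only {ENCRYPTION[enc]}-bit strength; prefer AES")
    if h not in HASH:
        findings.append(f"unknown hash {h!r}")
    elif h == "MD5":
        findings.append("MD5 is deprecated for IKE integrity; use SHA1")
    if auth not in AUTH:
        findings.append(f"unknown authentication {auth!r}")
    elif auth == "PRE_SHARE":
        findings.append("PRE_SHARE does not scale; consider RSA_SIG with certificates")
    if grp not in DH_GROUP_BITS:
        findings.append(f"unknown D-H group {grp!r}")
    elif DH_GROUP_BITS[grp] < 1536:
        findings.append(f"D-H group {grp} ({DH_GROUP_BITS[grp]}-bit) is the weakest choice; use group 5")
    return findings


def peer_mismatches(local, remote):
    """Return the parameter names that differ between two peers' policies."""
    return [k for k in MUST_MATCH if local.get(k) != remote.get(k)]


if __name__ == "__main__":
    # Constructed sample policies, not taken from a real device.
    weak = {"name": "branch", "encryption": "ESP_3DES", "hash": "MD5",
            "authentication": "PRE_SHARE", "dh_group": 2}
    strong = {"name": "hq", "encryption": "ESP_AES_256", "hash": "SHA1",
              "authentication": "RSA_SIG", "dh_group": 5}
    for finding in audit_ike_policy(weak):
        print("branch:", finding)
    print("mismatched with hq:", peer_mismatches(weak, strong))
```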