Configure IKEv2 Policy Objects
Use the IKEv2 policy dialog box to create, delete, and edit an IKEv2 policy object. These policy objects contain the parameters required for IKEv2 policies.
Procedure
Step 1 | Choose and then from the table of contents.Previously configured policies are listed including system defined defaults. Depending on your level of access, you may Edit (), View (), or Delete () a policy. |
Step 2 | Choose Add ()Add IKEv2 Policy to create a new policy. |
Step 3 | Enter a Name for this policy. The name of the policy object. A maximum of 128 characters is allowed. |
Step 4 | Enter a Description for this policy. A description of the policy object. A maximum of 1024 characters is allowed. |
Step 5 | Enter the Priority. The priority value of the IKE proposal. The priority value determines the order of the IKE proposals compared by the two negotiating peers when attempting to find a common security association (SA). If the remote IPsec peer does not support the parameters selected in your first priority policy, it tries to use the parameters defined in the next lowest priority policy. Valid values range from 1 to 65535. The lower the number, the higher the priority. If you leave this field blank, Management Center assigns the lowest unassigned value starting with 1, then 5, then continuing in increments of 5. |
Step 6 | Set the Lifetime of the security association (SA), in seconds. You can specify a value from 120 to 2,147,483,647 seconds. The default is 86400. When the lifetime is exceeded, the SA expires and must be renegotiated between the two peers. Generally, the shorter the lifetime (up to a point), the more secure your IKE negotiations. However, with longer lifetimes, future IPsec security associations can be set up more quickly than with shorter lifetimes. |
Step 7 | Choose the Integrity Algorithms portion of the Hash Algorithm used in the IKE policy. The Hash Algorithm creates a Message Digest, which is used to ensure message integrity. When deciding which encryption and Hash Algorithms to use for the IKEv2 proposal, your choice is limited to algorithms supported by the managed devices. For an extranet device in the VPN topology, you must choose the algorithm that matches both peers. Select all the algorithms that you want to allow in the VPN.For a full explanation of the options, see Deciding Which Hash Algorithms to Use. |
Step 8 | Choose the Encryption Algorithm used to establish the Phase 1 SA for protecting Phase 2 negotiations. When deciding which encryption and Hash Algorithms to use for the IKEv2 proposal, your choice is limited to algorithms supported by the managed devices. For an extranet device in the VPN topology, you must choose the algorithm that matches both peers. Select all the algorithms that you want to allow in the VPN. For a full explanation of the options, see Deciding Which Encryption Algorithm to Use. |
Step 9 | Choose the PRF Algorithm. The pseudorandom function (PRF) portion of the Hash Algorithm used in the IKE policy. In IKEv1, the Integrity and PRF algorithms are not separated, but in IKEv2, you can specify different algorithms for these elements. Select all of the algorithms that you want to allow in the VPN. For a full explanation of the options, see Deciding Which Hash Algorithms to Use. |
Step 10 | Select and Add a DH Group. The Diffie-Hellman group used for encryption. A larger modulus provides higher security but requires more processing time. The two peers must have a matching modulus group. Select the groups that you want to allow in the VPN. For a full explanation of the options, see Deciding Which Diffie-Hellman Modulus Group to Use. |
Step 11 | Click Save If a valid combination of choices has been selected the new IKEv2 policy is added to the list. If not, errors are displayed and you must make changes accordingly to successfully save this policy. |