Key management (IKE) 372
SmartWare Software Configuration Guide 32 • VPN configuration
Creating an ISAKMP IPSEC policy profile
To define all the settings and profiles needed to establish an IPSEC security association, you need to create an
ISAKMP IPSEC policy profile There you can specify the ISAKMP and IPSEC transforms you created above,
which should be used and other necessary parameters. You can later specify using an ACL, what traffic should
be treated by a specify ISAKMP IPSEC policy.
The following commands can be used to create and configure an ISAKMP IPSEC policy profile:
Mode: configure
Step Command Purpose
1 node(cfg)# profile ipsec-policy-
isakmp <name>
Create the policy profile with the specified name
and enter its configuration mode.
2 node(pf- ipsik)[<name>]# authentica-
tion-method pre-shared-key <key>
Define the pre-shared key, which sould be used
to authenticate the peers. The key can be a char-
acter string of any length.
3 node(pf- ipsik)[<name>]# diffie-hell-
man-group {group1|group2|group5}
Define the diffie-hellman group to be used.
Note: The higher the group number is, the
higher is the key length during the diffie-hellman
exchange and the higher is the processing time
for the establishment of the shared secret. Espe-
cially Group 5 requires a considerable amount
of time for processing. You should not use this
group in time critical applications unless you
know that the tunnel will always be established.)
4 node(pf- ipsik)[<name>]# use profile
isakmp-transform <name>
Define one or more ISAKMP transform profiles to
be used by this policy. If more than one is
defined, IKE will negotiate a transform set, which
is supported by both peers.
5 node(pf- ipsik)[<name>]# use profile
ipsec-transform <name>
Define one or more IPSEC transform profiles to
be used by this policy. If more than one is
defined, IKE will negotiate a transform set, which
is supported by both peers.
6 node(pf- ipsik)[<name>]# mode
transport|tunnel
Define the IPSEC encapsulation mode to be used
by this policy.
7
(optional)
node(pf- ipsik)[<name>]# peer <ip or
FQDN>
Optionally define the peer, for which this policy
should be used. Do not specify a peer, if this pol-
icy shall be used for multiple peers in transport
mode. The peer can either be an IP address or a
fully qualified domain name.