Support User Manuals

Patton electronic SmartNode 4110 Series IP Phone User Manual

Open as PDF

of 664

Key management (IKE) 372

SmartWare Software Configuration Guide 32 • VPN configuration

Creating an ISAKMP IPSEC policy proﬁle

To deﬁne all the settings and proﬁles needed to establish an IPSEC security association, you need to create an

ISAKMP IPSEC policy proﬁle There you can specify the ISAKMP and IPSEC transforms you created above,

which should be used and other necessary parameters. You can later specify using an ACL, what trafﬁc should

be treated by a specify ISAKMP IPSEC policy.

The following commands can be used to create and conﬁgure an ISAKMP IPSEC policy proﬁle:

Mode: conﬁgure

Step Command Purpose

1 node(cfg)# profile ipsec-policy-

isakmp <name>

Create the policy profile with the specified name

and enter its configuration mode.

2 node(pf- ipsik)[<name>]# authentica-

tion-method pre-shared-key <key>

Define the pre-shared key, which sould be used

to authenticate the peers. The key can be a char-

acter string of any length.

3 node(pf- ipsik)[<name>]# diffie-hell-

man-group {group1|group2|group5}

Define the diffie-hellman group to be used.

Note: The higher the group number is, the

higher is the key length during the diffie-hellman

exchange and the higher is the processing time

for the establishment of the shared secret. Espe-

cially Group 5 requires a considerable amount

of time for processing. You should not use this

group in time critical applications unless you

know that the tunnel will always be established.)

4 node(pf- ipsik)[<name>]# use profile

isakmp-transform <name>

Define one or more ISAKMP transform profiles to

be used by this policy. If more than one is

defined, IKE will negotiate a transform set, which

is supported by both peers.

5 node(pf- ipsik)[<name>]# use profile

ipsec-transform <name>

Define one or more IPSEC transform profiles to

be used by this policy. If more than one is

defined, IKE will negotiate a transform set, which

is supported by both peers.

6 node(pf- ipsik)[<name>]# mode

transport|tunnel

Define the IPSEC encapsulation mode to be used

by this policy.

7

(optional)

node(pf- ipsik)[<name>]# peer <ip or

FQDN>

Optionally define the peer, for which this policy

should be used. Do not specify a peer, if this pol-

icy shall be used for multiple peers in transport

mode. The peer can either be an IP address or a

fully qualified domain name.

previous next