Configure IKE Phase 1 Policy

Use the following procedure to create and configure an IKE Phase 1 policy.

Procedure

  1. In the navigation pane, expand Configuration > Security > Control Path.
  2. Select IKE.
  3. Select the Policy tab.
  4. Select Insert.
  5. In the LocalIfIndex field, select either Port or Vlan, and then select an interface.
  6. In the LocalAddrType field, select the type of the local address.
  7. In the LocalAddr field, type the address of the local peer.
  8. In the RemoteAddrType field, select the type of the remote address.
  9. In the RemoteAddr field, type the address of the remote peer.
  10. In the Name field, type the name for the policy.

    Name must be assigned when creating the policy. When the policy is created, the name cannot be changed.

  11. Complete the remaining optional configuration to customize the policy.
  12. Select Insert.

Policy Field Descriptions

Use the data in the following table to use the Policy tab.

Name

Description

LocalIfIndex

Specifies the Interface Index of the local address. Only port and vlan interfaces are supported.

LocalAddrType

Specifies whether the local address is an IPv4 or IPv6 address.

LocalAddr

Specifies the address of the local peer.

RemoteAddrType

Specifies whether the remote address is an IPv4 or IPv6 address.

RemoteAddr

Specifies the address of the remote peer.

Name

Specifies the name given to the policy. The name should be assigned while creating the policy. You cannot change the name after the policy is created.

ProfileName

Specifies the name of the profile that should be used for this policy.

ProfileVersion

Specifies the profile version used for the policy.

PeerName

Specifies the peer name.

AuthenticationMethod

Specifies the proposed authentication method for the Phase 1 security association.

The default authentication method is pre-shared key.

PSKValue

Specifies the value of the Pre-Shared Key if the authentication method is set to PSK.

DPDTimeout

Specifies the Dead Peer Detection timeout in seconds.

Default value is 300 seconds.

P2PFS

Specifies whether or not the perfect forward secrecy (PFS) is used when refreshing keys. To use PFS, select enable.

The default value is disable.

P2PfsUseIkeGroup

Specifies whether or not to use the same GroupId (Diffie-Hellman Group) for phase 2 as was used in phase 1. Ignore this entry if P2PFS is disabled.

The default value is enable.

P2PfsDHGroup

Specifies the Diffie-Hellman group to use for phase 2 when P2PFS is enabled and P2PfsUseIkeGroup is disabled.

The default value is mod1024.

AdminState

Specifies whether the policy is administratively enabled or disabled.

The default value is disable.

OperStatus

Shows is the policy is operationally up or down.

RevocationCheckMethod

Specifies the revocation check method as OCSP, CRL or none.
9037803-01 Rev AA