Develop the Parameter Preferences
To complete the IKE planning process, create a table of the preferred combination
of security features, plus one or more fallback options for those devices or
locations that can't support the preferred package. The resulting table might
look like the following:
Comparing the two tables, you should see that RSA-SIG would be the preferred
authentication method over preshared keys. This chapter deals with preshared
keys; Chapter 12 covers Certificate Authority (RSA-SIG) authentication, and RSA
encrypted nonces are addressed in the last section of this chapter.
Note: You can't use SHA together with DES encryption on Cisco's VPN software
client version 3.6. Part of the work in settling on a set of preferences is
knowing the limitations of each platform that will take part in the VPN.
Using our scenario for this chapter, the Preferred column represents our
configuration preferences for all North American branches and would be the only
options configured there. The 2nd Choice column would be for overseas branches
that could otherwise support the Preferred configuration but can't use triple
DES because of export restrictions. Assuming they don't form VPN sessions with
anyone else, this would be the only choice configured on those devices. The 3rd
Choice column might represent extremely small branches or telecommuters using
small personal routers with limited resources and options. This also represents
the lowest level of parameter options the main office will accept for a VPN
connection. The only device that will have all three choices configured is the
main office router, because it must be able to negotiate with every class of
peer.
Because any parameter that isn't explicitly configured takes its default value,
the table can be trimmed to only the non-default settings, as in the following
example. Either table can be used in Task 2 to configure the IKE parameters.
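To make the three-tier arrangement concrete, the following added example (not the book's code, and not a Cisco tool) models how a responder with a preferred policy and two fallbacks settles on a policy with each class of peer, and renders each tier as a `crypto isakmp policy` block, with and without the defaulted parameters. Since the chapter's planning table is not reproduced on this page, the parameter values in `PREFERRED`, `SECOND` and `THIRD`, the IOS 12.x defaults in `IOS_DEFAULTS`, and the matching rule in `matches()` are all assumptions made for the example; the peer lists, function names and the "no 3DES overseas" split are assumed from the scenario text.

```python
"""IKE phase 1 policy selection with a preferred policy plus fallbacks.

Added example (not the book's code). The parameter values below are
assumptions standing in for the chapter's planning table, which is not
reproduced here; the matching rule is a simplified model of Cisco IOS
behaviour, not the IOS implementation.
"""
from dataclasses import dataclass, asdict
from typing import List, Optional

# Assumed Cisco IOS 12.x ISAKMP defaults, used for any parameter that
# the planning table leaves unconfigured.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha",
                "authentication": "rsa-sig", "group": 1, "lifetime": 86400}


@dataclass(frozen=True)
class IkePolicy:
    priority: int          # IOS tries lower numbers first
    encryption: str        # "des" or "3des"
    hash: str              # "sha" or "md5"
    authentication: str    # "pre-share", "rsa-sig" or "rsa-encr"
    group: int             # Diffie-Hellman group 1 or 2
    lifetime: int          # SA lifetime in seconds


# Assumed planning table for the chapter scenario (preshared keys throughout).
PREFERRED = IkePolicy(10, "3des", "sha", "pre-share", 2, 86400)  # North American branches
SECOND = IkePolicy(20, "des", "sha", "pre-share", 2, 86400)      # overseas: no 3DES export
THIRD = IkePolicy(30, "des", "md5", "pre-share", 1, 86400)       # small routers / telecommuters

MAIN_OFFICE = [PREFERRED, SECOND, THIRD]   # only device configured with all three
OVERSEAS_BRANCH = [SECOND]                 # peers only with the main office
TELECOMMUTER = [THIRD]


def matches(local: IkePolicy, remote: IkePolicy) -> bool:
    """Model of the IOS match rule: encryption, hash, authentication and DH
    group must be identical; for lifetime the remote offer must not exceed
    the local value (the shorter lifetime is what gets used)."""
    return (local.encryption == remote.encryption
            and local.hash == remote.hash
            and local.authentication == remote.authentication
            and local.group == remote.group
            and remote.lifetime <= local.lifetime)


def negotiate(responder: List[IkePolicy],
              initiator: List[IkePolicy]) -> Optional[IkePolicy]:
    """Responder walks its own policies from the lowest priority number up and
    accepts the first one that matches any policy the initiator offers, so a
    peer that can do the preferred set never gets downgraded to a fallback.
    Returns the responder's matching policy, or None when nothing matches."""
    for local in sorted(responder, key=lambda p: p.priority):
        for remote in initiator:
            if matches(local, remote):
                return local
    return None


def ios_config(policies: List[IkePolicy], omit_defaults: bool = True) -> List[str]:
    """Render the planning table as 'crypto isakmp policy' blocks. With
    omit_defaults=True only non-default parameters are emitted, which is the
    trimmed table the text describes."""
    lines = []
    for p in sorted(policies, key=lambda p: p.priority):
        lines.append(f"crypto isakmp policy {p.priority}")
        for name, value in asdict(p).items():
            if name == "priority":
                continue
            if omit_defaults and IOS_DEFAULTS[name] == value:
                continue
            lines.append(f" {name} {value}")
    return lines


if __name__ == "__main__":
    for label, peer in [("overseas branch", OVERSEAS_BRANCH),
                        ("telecommuter", TELECOMMUTER)]:
        chosen = negotiate(MAIN_OFFICE, peer)
        print(f"main office <- {label}: policy "
              f"{chosen.priority if chosen else 'none'}")
    print("\n".join(ios_config(MAIN_OFFICE)))
```

Two points the model makes visible: an overseas branch and a telecommuter can each reach the main office but not each other, because neither of them carries the other's single policy, and the trimmed `ios_config()` output shows why the "defaults omitted" table still describes the same three policies as the full one.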