Cisco SA520-K9 Administration Guide - Page 145

Configuring VPN Advanced Configuration of IPsec VPN 7 STEP 1 Click VPN > IPsec > IKE Policies. The existing entries appear in the List of IKE Policies table. The IKE Policies window opens. Any existing policies are listed in the List of IKE Policies table. STEP 2 Click Edit to edit an entry. Other options: Click Add to add an entry. To delete an entry, check the box, and then click Delete. To select all entries, check the box in the first column of the table heading. After you click Add or Edit, the IKE Policy Configuration window opens. STEP 3 In the General area, enter the following information: • Policy Name: Enter a unique name for identification and management purposes. • Direction/Type: Choose one of the following options: - Initiator: The security appliance initiates the connection to the remote end. - Responder: The security appliance waits passively and responds to remote IKE requests. - Both: The security appliance works in either Initiator or Responder mode. • Exchange Mode: Choose one of the following options: - Main Mode: Choose this option if you want higher security, but with a slower connection. Main Mode relies upon two-way key exchanges between the initiator and the receiver. The key-exchange process slows down the connection but increases security. - Aggressive Mode: Choose this option if you want a faster connection, but with lowered security. In Aggressive Mode there are fewer key exchanges between the initiator and the receiver. Both sides exchange information even before there is a secure channel. This feature creates a faster connection but with less security than Main Mode. NOTE If you choose Main Mode, then you must use an IP address as the identifier type for both the Local device and the Remote device, below. If FQDN, User FQDN or DER ASN1 DN is selected as the identifier type, then Main Mode is disabled and Aggressive Mode is applied. Cisco SA500 Series Security Appliances Administration Guide 145