IKE negotiations must be protected, so each IKE negotiation begins with the two peers agreeing on a common (shared) IKE policy. This policy states the security parameters that will be used to protect the subsequent IKE negotiation. After the two peers agree on a policy, the security parameters of the policy are identified by an SA established at each peer, and these SAs apply to all subsequent IKE traffic during the negotiation.

Chapter 6: Configuring IPSec and Certification Authorities
Cisco PIX Firewall and VPN Configuration Guide, 78-13943-01

This chapter provides information about using IP Security Protocol (IPSec), Internet Key Exchange (IKE), and certification authority (CA) technology with the PIX Firewall. This chapter includes the following sections:

- How IPSec Works
- Internet Key Exchange (IKE)
- Using Certification Authorities
- Configuring IPSec
- Manual Configuration of SAs
- Viewing IPSec Configuration
- Clearing SAs

How IPSec Works

IPSec provides authentication and encryption services to protect against unauthorized viewing or modification of data within your network or as it is transferred over an unprotected network such as the public Internet. IPSec is generally implemented in two types of configurations:

- Site-to-site: This configuration is used between two IPSec security gateways, such as PIX Firewall units. A site-to-site VPN interconnects networks in different geographic locations. For information that is specific to configuring IPSec in this configuration, refer to Chapter 7, "Site-to-Site VPN Configuration Examples."
- Remote access: This configuration is used to allow secure remote access for VPN clients, such as mobile users. A remote access VPN allows remote users to securely access centralized network resources. For information that is specific to configuring IPSec in this configuration, refer to Chapter 8, "Configuring VPN Client Remote Access."

Two different security protocols are included within the IPSec standard:

- Encapsulating Security Payload (ESP): Provides authentication, encryption, and anti-replay services.
- Authentication Header (AH): Provides authentication and anti-replay services. Because AH does not encrypt, traffic protected only by AH is still readable on the wire.

IPSec can be configured to work in two different modes:

- Tunnel mode: This is the normal way in which IPSec is implemented between two PIX Firewall units or other security gateways that are connected over an untrusted network such as the .
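The following PIX configuration fragment is an added illustration, not text or configuration from this guide. It ties together two of the passages above: the IKE policy that both peers must agree on before any IPSec SA exists, and the transform sets that select ESP or AH and tunnel or transport mode. It uses PIX 6.x-style command syntax; the interface name, peer addresses (RFC 5737 documentation ranges), the placeholder shared secret, and the access-list, transform-set and crypto-map names are all assumed for the example.

```text
: Peer A, outside interface 192.0.2.1 (assumed address, example only)
isakmp enable outside
isakmp identity address
: IKE policy 10. Both peers must offer a policy with the same
: encryption, hash, authentication method and DH group, otherwise
: the IKE negotiation fails before any IPSec SA is built.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
: Pre-shared key bound to exactly one peer (host mask). A wildcard
: entry such as "address 0.0.0.0 netmask 0.0.0.0" would let any
: address attempt IKE with this key and should be avoided.
isakmp key <shared-secret> address 198.51.100.1 netmask 255.255.255.255

: ESP transform set: encryption, authentication and anti-replay.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
: AH-only transform set: authentication and anti-replay, no encryption.
crypto ipsec transform-set AH-SHA ah-sha-hmac
: Tunnel mode is the default for a transform set. Transport mode,
: for host-to-host traffic, would be selected with:
: crypto ipsec transform-set AH-SHA mode transport

: Traffic to protect, and the crypto map that binds peer, traffic
: selector and transform set together on the outside interface.
access-list VPN-TRAFFIC permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map SITE2SITE 10 ipsec-isakmp
crypto map SITE2SITE 10 match address VPN-TRAFFIC
crypto map SITE2SITE 10 set peer 198.51.100.1
crypto map SITE2SITE 10 set transform-set ESP-3DES-SHA
crypto map SITE2SITE interface outside
sysopt connection permit-ipsec

: Peer B (outside interface 198.51.100.1) mirrors this configuration
: with the same isakmp policy 10, the same shared secret bound to
: address 192.0.2.1, "set peer 192.0.2.1", and the access list's
: source and destination networks swapped.
```

Two points a practitioner should check when working from this example. First, the IKE policy is negotiated by priority number, so if either peer carries several isakmp policy entries, confirm that the pair that actually matches is the one you intend; a permissive low-priority policy on one side can be selected without any error being reported. Second, 3DES, SHA-1 and DH group 2 are what this generation of PIX software offers; on platforms that support them, current practice is AES, SHA-2 and larger Diffie-Hellman groups, and the IKE and IPSec lifetimes should be chosen so that the shared secret and derived keys are rotated rather than relying on a single long-lived pre-shared key.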