Configuring an Internet Key Exchange (IKE) policy
The IKE policy defines what level of authentication and encryption protection IKE uses during phase 1 negotiations.
IKE phase 1 establishes the keys that protect the messages that flow in the subsequent phase 2 negotiations. You do not need to define an IKE policy when you create a manual connection. In addition, if you create your VPN with the New Connection wizard, the wizard can create your IKE policy for you.
VPN uses either RSA signature mode or preshared keys to authenticate phase 1 negotiations. If you plan to use digital certificates for authenticating the key servers, first configure them by using the Digital Certificate Manager (5722-SS1 Option 34). The IKE policy also identifies which remote key server will use this policy.
To define an IKE policy or make changes to an existing one, follow these steps:
- In iSeries™ Navigator, expand your system > Network > IP Policies > Virtual Private Networking > IP Security Policies.
- To create a new policy, right-click Internet Key Exchange Policies and select New Internet Key Exchange Policy. To make changes to an existing policy, click Internet Key Exchange Policies in the left pane, then right-click the policy you want to change in the right pane and select Properties.
- Complete each of the property sheets. Click Help if you have questions about how to complete a page or any of its fields.
- Click OK to save your changes.
IBM recommends that you use main mode negotiation whenever a preshared key is used for authentication, because main mode provides a more secure exchange. If you use preshared keys with aggressive mode negotiation, select obscure passwords that are unlikely to be cracked by dictionary attacks, and change your passwords periodically. To force a key exchange to use main mode negotiation, perform the following tasks:
- In iSeries Navigator, expand your system > Network > IP Policies.
- Select Virtual Private Networking > IP Security Policies > Internet Key Exchange Policies to view the currently defined key exchange policies within the right-hand pane.
- Right-click a particular key exchange policy and select Properties.
- On the Transforms page, click Responding Policy. The Responding Internet Key Exchange Policy dialog appears.
- In the Identity protection field, deselect IKE aggressive mode negotiation (no identity protection).
- Click OK to return to the Properties dialog.
- Click OK again to save your changes.
When you set the identity protection field, the change is effective for all exchanges with remote key servers, because there is only one responding IKE policy for the entire system. Main mode negotiation ensures that the initiating system can only request a main mode key policy exchange.