Start with a Plan

The first thing to plan is which protocols to use for IKE Phase 1 and IKE Phase 2, and which traffic should be encrypted.

From the earlier topology, let’s agree to encrypt any traffic from the 10.0.0.0/24 network behind R1 if those packets are going to 172.16.0.0/24 behind R2 and packets in the other direction from 172.16.0.0/24 to 10.0.0.0/24.

For IKE Phase 1, let’s use the following:

H: For hashing, we can use MD5 (128 bits) or SHA-1 (160 bits). Let’s go for MD5 for IKE Phase 1.

A: Authentication. We can use PSKs or digital certificates. Let’s start off with PSKs (a password really) for authentication.

G: For DH group, we can use 1, 2, or 5 on most routers. Let’s use group 2 in this example. If your router supports group 14 or higher, the higher DH group should be used because it is more secure.

L: Lifetime defaults to one day. Let’s set the lifetime for the IKE Phase 1 to 21600 seconds (6 hours).

E: Encryption of the IKE Phase 1 can be DES, 3DES, or some flavor of AES. Let’s use 128-bit AES.

Now for Phase 2, we also need to decide on hashing and encryption at a minimum. We can use the defaults for lifetime. For hashing, let’s use SHA (just to see the difference between the hashing here and the hashing protocol in IKE Phase 1). Let’s also use AES-256 in IKE Phase 2. The policies used for IKE Phase 2 are called transform sets.
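The plan above, written out as the Cisco IOS configuration for R1 (an added example, not a configuration from the original text; R2 gets the mirror image). The peer address 203.0.113.2, the outside interface, the pre-shared key, and the names VPN-MAP, PHASE2-TS and VPN-TRAFFIC are placeholders chosen for this example, since the page does not give them.

```cisco
! ---- IKE Phase 1 (ISAKMP) policy: H-A-G-L-E from the plan ----
crypto isakmp policy 10
 encryption aes 128          ! E: 128-bit AES
 hash md5                    ! H: MD5 (SHA-1 would be "hash sha")
 authentication pre-share    ! A: pre-shared key
 group 2                     ! G: DH group 2 (use 14 or higher if the router supports it)
 lifetime 21600              ! L: 6 hours instead of the 86400-second (one day) default
!
! PSK for the peer; PLACEHOLDER-PSK must be replaced with a long random secret
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.2
!
! ---- IKE Phase 2: transform set = hashing + encryption for the data ----
! Lifetime is left at the IPsec default, as the plan says
crypto ipsec transform-set PHASE2-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! ---- Interesting traffic: 10.0.0.0/24 behind R1 <-> 172.16.0.0/24 behind R2 ----
! (wildcard masks, not subnet masks; R2's entry is the reverse of this one)
ip access-list extended VPN-TRAFFIC
 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
!
! ---- Crypto map ties peer, transform set and interesting traffic together ----
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set PHASE2-TS
 match address VPN-TRAFFIC
!
! Apply the map to the interface facing R2 (placeholder interface name)
interface GigabitEthernet0/1
 crypto map VPN-MAP
!
! ---- Verification: confirm both phases match what was planned ----
! show crypto isakmp policy          -> lists policy 10 with AES-128 / MD5 / PSK / group 2 / 21600 s
! show crypto ipsec transform-set    -> shows PHASE2-TS = esp-aes 256, esp-sha-hmac, tunnel mode
! show crypto isakmp sa              -> QM_IDLE once Phase 1 is up
! show crypto ipsec sa               -> encaps/decaps counters rise only for ACL-matched traffic
```

If the Phase 1 parameters on R2 do not match one of R1's policies (a different hash, group or encryption), the tunnel never reaches QM_IDLE; a transform-set mismatch shows up later, as Phase 1 succeeding and Phase 2 failing.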
