The IKE policy defines what level of authentication and encryption
protection IKE uses during phase 1 negotiations.
IKE phase 1 establishes the keys that protect the messages that
flow in the subsequent phase 2 negotiations. You do not need to define an
IKE policy when you create a manual connection. In addition, if you create
your VPN with the New Connection wizard, the wizard can create your IKE policy
for you.
VPN uses either RSA signature mode or preshared keys to authenticate
phase 1 negotiations. If you plan to use digital certificates for authenticating
the key servers, you must first configure them by using the Digital Certificate Manager
(5722-SS1 Option 34). The IKE policy also identifies which remote key server
will use this policy.
To define an IKE policy or make changes to an
existing one, follow these steps:
- In iSeries™ Navigator, expand
your .
- To create a new policy, right-click Internet Key Exchange
Policies and select New Internet Key Exchange Policy.
To make changes to an existing policy, click Internet Key Exchange
Policies in the left pane then right-click the policy you want
to change in the right pane, and select Properties.
- Complete each of the property sheets. Click Help if
you have questions about how to complete a page or any of its fields.
- Click OK to save your changes.
It is recommended that you use main mode negotiation whenever a preshared
key is used for authentication, because main mode provides a more secure exchange. If you
must use preshared keys and aggressive mode negotiation, select obscure passwords
that are unlikely to be cracked by dictionary attacks. It is
also recommended that you periodically change your passwords. To force a key exchange
to use main mode negotiation, perform the following tasks:
- In iSeries Navigator, expand your
server.
- Select to view the currently defined key exchange
policies within the right-hand pane.
- Right-click a particular key exchange policy and select Properties.
- On the Transforms page, click Responding Policy.
The Responding Internet Key Exchange Policy dialog appears.
- In the Identity protection field, deselect IKE aggressive mode
negotiation (no identity protection).
- Click OK to return to the Properties dialog.
- Click OK again to save your changes.
Note: When you set the identity protection field, the change is effective
for all exchanges with remote key servers, because there is only one responding
IKE policy for the entire system. Main mode negotiation ensures that the initiating
system can only request a main mode key policy exchange.
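An added example, not part of the IBM documentation: a small Python parser for the fixed ISAKMP header (RFC 2408) that flags phase 1 messages negotiated in aggressive mode, so an administrator can confirm from a packet capture that remote key servers really use main mode after the identity protection setting above is changed. The sample headers are constructed inline, and the exchange-type values are those defined in RFC 2408.

```python
import struct
from dataclasses import dataclass

# ISAKMP exchange types (RFC 2408 section 3.1); 2 is main mode, 4 is aggressive.
EXCHANGE_TYPES = {
    0: "None", 1: "Base", 2: "Identity Protection (main mode)",
    3: "Authentication Only", 4: "Aggressive", 5: "Informational",
    32: "Quick Mode (phase 2)", 33: "New Group Mode",
}
PHASE1_EXCHANGES = {1, 2, 3, 4}
ISAKMP_HEADER_LEN = 28  # fixed header: cookies, payload, version, type, flags, id, length


@dataclass
class IsakmpHeader:
    initiator_spi: bytes
    responder_spi: bytes
    next_payload: int
    major_version: int
    minor_version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int

    @property
    def is_phase1(self) -> bool:
        return self.exchange_type in PHASE1_EXCHANGES

    @property
    def is_aggressive(self) -> bool:
        # Aggressive mode sends identities before encryption starts ("no identity protection").
        return self.exchange_type == 4


def parse_isakmp_header(data: bytes) -> IsakmpHeader:
    """Parse the 28-byte ISAKMP header; rejects truncated or inconsistent input."""
    if len(data) < ISAKMP_HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    i_spi, r_spi, np_, ver, ex, fl, mid, ln = struct.unpack("!8s8sBBBBII", data[:ISAKMP_HEADER_LEN])
    if ln < ISAKMP_HEADER_LEN:
        raise ValueError("length field smaller than header")
    return IsakmpHeader(i_spi, r_spi, np_, ver >> 4, ver & 0x0F, ex, fl, mid, ln)


def audit_phase1(packets):
    """Return (initiator cookie hex, exchange name) for each phase 1 message that used aggressive mode."""
    return [(h.initiator_spi.hex(), EXCHANGE_TYPES[h.exchange_type])
            for h in map(parse_isakmp_header, packets) if h.is_phase1 and h.is_aggressive]


def build_header(exchange_type, i_spi):
    # Constructed sample: first message of an exchange (responder cookie zero, version 1.0, next payload SA).
    return struct.pack("!8s8sBBBBII", i_spi, b"\x00" * 8, 1, 0x10, exchange_type, 0, 0, ISAKMP_HEADER_LEN)


# Constructed sample headers, not captured traffic: main mode, aggressive mode, quick mode.
SAMPLE_PACKETS = [build_header(2, b"\xaa" * 8), build_header(4, b"\xbb" * 8), build_header(32, b"\xaa" * 8)]
```

Only the second sample is reported, since quick mode is a phase 2 exchange and main mode already protects identities.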