Which of the following statements is true regarding the SA lifetime specified in a matching IKE policy? (Select the best answer.)
- The value specified by the remote peer must be equal to the value specified by the local peer.
- The value specified by the remote peer must be less than or equal to the value specified by the local peer.
- The value specified by the remote peer must be greater than or equal to the value specified by the local peer.
- The value specified by the remote peer must be less than the value specified by the local peer.
- The value specified by the remote peer must be greater than the value specified by the local peer.
In an Internet Key Exchange (IKE) policy, the security association (SA) lifetime specified by the remote peer must be less than or equal to the value specified by the local peer. Virtual private network (VPN) peers establish a connection through a series of negotiations and authentications. Initially, the VPN peers negotiate an IKE SA and establish a tunnel for key management and authentication. This initial phase is referred to as IKE phase 1. The key management tunnel is used to protect the subsequent negotiation of IP Security (IPSec) SAs. This secondary negotiation phase is referred to as IKE phase 2.
Each VPN peer defines a collection of security parameters in an IKE policy. These parameters are used to negotiate the creation of the key management tunnel in IKE phase 1. There are six required parameters in an IKE policy:
- Policy priority – specifies the order in which policies are negotiated with a peer
- Authentication method – indicates whether a preshared key or an RSA digital certificate is used to verify the identity of an IKE peer
- Encryption algorithm – indicates the data protection method used to secure IKE traffic
- Hash-based Message Authentication Code (HMAC) algorithm – indicates the data integrity method used to verify the integrity of IKE traffic
- Diffie-Hellman (DH) group – specifies how keying material is generated between IKE peers
- Lifetime – specifies the length of time that a key is considered valid; the default is 86,400 seconds, or 24 hours
If an IKE policy does not specify a parameter and its associated value, the VPN peer uses the default value for that parameter. For example, the default IKE policy settings for a Cisco Adaptive Security Appliance (ASA) running software revision 8.4 or higher are shown below:
The default IKE policy settings are combined with the configuration parameters specified in the running configuration. For example, because the following block of commands does not specify an HMAC algorithm, the ASA would use the default value, which is SHA1:
ASA(config)# crypto ikev1 policy 1
ASA(config-ikev1-policy)# authentication rsa-sig
ASA(config-ikev1-policy)# encryption aes-192
ASA(config-ikev1-policy)# group 1
ASA(config-ikev1-policy)# lifetime 14400
In order for VPN peers to successfully negotiate a key management tunnel during IKE phase 1, the peers must agree on security parameters. For example, when ASA1 sends an IKE policy proposal to ASA2, the proposal is compared with the IKE policies defined on ASA2. The proposed policy must be an exact match to one of ASA2's locally defined policies; otherwise, it is rejected. The one exception to this rule is the value of the IKE lifetime parameter. An IKE lifetime is considered a match if the proposed value is less than or equal to the IKE lifetime defined in the local policy. If the proposed IKE lifetime is less than that of the local policy, the router uses the lesser of the two values. For example, when ASA1 initiates a connection to ASA2 using the policy configured above, ASA1 will only consider lifetime values from ASA2's policies as matching if they are less than or equal to 14,400 seconds.
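The following added example (not from the original page or from Cisco) models both steps described above: merging a configured policy with the defaults, then evaluating a remote peer's phase 1 proposal against the local policies, with the lifetime treated as a less-than-or-equal match and the lesser value used. The SHA1 hash and 86,400-second lifetime defaults come from the page; the other three default values, the parameter names and the `IkePolicy` structure are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Values applied when a policy omits a parameter. SHA1 and 86,400 seconds are the
# defaults the page names; the other three are assumed for this example.
DEFAULT_POLICY: Dict[str, object] = {"authentication": "pre-share", "encryption": "3des",
                                     "hash": "sha", "group": 2, "lifetime": 86400}
EXACT_MATCH_PARAMS = ("authentication", "encryption", "hash", "group")


@dataclass(frozen=True)
class IkePolicy:
    priority: int              # lower numbers are tried first
    params: Dict[str, object]  # only what the running config specifies


def effective_policy(configured: Dict[str, object]) -> Dict[str, object]:
    """Combine running-config parameters with the defaults for the omitted ones."""
    merged = dict(DEFAULT_POLICY)
    merged.update(configured)
    return merged


def match_proposal(proposal: Dict[str, object],
                   local_policies: List[IkePolicy]) -> Optional[Dict[str, object]]:
    """Evaluate a remote peer's phase 1 proposal against the local policies.

    Every parameter except lifetime must match exactly. The proposed lifetime must be
    less than or equal to the local one, and the lesser value is used. Returns the
    negotiated parameters plus the matched policy's priority, or None on no match."""
    remote = effective_policy(proposal)
    for policy in sorted(local_policies, key=lambda p: p.priority):
        local = effective_policy(policy.params)
        if any(remote[k] != local[k] for k in EXACT_MATCH_PARAMS):
            continue
        if remote["lifetime"] > local["lifetime"]:
            continue  # remote lifetime exceeds ours: not a match
        negotiated = dict(local)
        negotiated["lifetime"] = min(remote["lifetime"], local["lifetime"])
        negotiated["priority"] = policy.priority
        return negotiated
    return None


# ASA2's policy 1 as in the command block above; hash is left to the SHA1 default.
ASA2_POLICIES = [IkePolicy(1, {"authentication": "rsa-sig", "encryption": "aes-192",
                               "group": 1, "lifetime": 14400})]
```

With `ASA2_POLICIES` as the local side, a matching proposal carrying a 3,600-second lifetime is accepted and negotiates 3,600 seconds, while one carrying 28,800 seconds (or one that omits the lifetime and so carries the 86,400-second default) is rejected.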