4.2.a Implement and troubleshoot IPsec with preshared key

from the horse’s mouth:


To define an IKE proposal, you must specify:

A unique priority (1 through 65,543, with 1 the highest priority).

An encryption method for the IKE negotiation, to protect the data and ensure privacy.

A Hashed Message Authentication Code (HMAC) method (called integrity algorithm in IKEv2) to ensure the identity of the sender, and to ensure that the message has not been modified in transit.

For IKEv2, a separate pseudo-random function (PRF) used as the algorithm to derive keying material and hashing operations required for the IKEv2 tunnel encryption. The options are the same as those used for the hash algorithm.

A Diffie-Hellman group to determine the strength of the encryption-key-determination algorithm. The device uses this algorithm to derive the encryption and hash keys. 

An authentication method, to ensure the identity of the peers.

A limit to the time the device uses an encryption key before replacing it.

i.e. HAGLE: hash, authentication, group, lifetime, encryption. Any of these you leave out of a policy gets the IOS default (des, sha, rsa-sig, group 1, 86400 seconds), and on IOS the policy priority range is 1 to 10000, lowest number tried first.
R8(config)#crypto isakmp enable
R8(config)#crypto isakmp policy 10
R8(config-isakmp)#hash ?
md5     Message Digest 5
sha     Secure Hash Standard
sha256  Secure Hash Standard 2 (256 bit)
sha384  Secure Hash Standard 2 (384 bit)
sha512  Secure Hash Standard 2 (512 bit)

R8(config-isakmp)#hash sha
R8(config-isakmp)#authenti ?
pre-share  Pre-Shared Key
rsa-encr   Rivest-Shamir-Adleman Encryption
rsa-sig    Rivest-Shamir-Adleman Signature

R8(config-isakmp)#authenti pre-share
R8(config-isakmp)#group ?
1   Diffie-Hellman group 1 (768 bit)
14  Diffie-Hellman group 14 (2048 bit)
15  Diffie-Hellman group 15 (3072 bit)
16  Diffie-Hellman group 16 (4096 bit)
19  Diffie-Hellman group 19 (256 bit ecp)
2   Diffie-Hellman group 2 (1024 bit)
20  Diffie-Hellman group 20 (384 bit ecp)
24  Diffie-Hellman group 24 (2048 bit, 256 bit subgroup)
5   Diffie-Hellman group 5 (1536 bit)

R8(config-isakmp)#group 5
R8(config-isakmp)#lifetime ?
<60-86400>  lifetime in seconds

R8(config-isakmp)#lifetime 3600
R8(config-isakmp)#encry ?
3des  Three key triple DES
aes   AES – Advanced Encryption Standard.
des   DES – Data Encryption Standard (56 bit keys).

R8(config-isakmp)#encry aes 256

Two of the choices above are worth a second look before copying them into production: hash sha is SHA-1 and group 5 is 1536-bit MODP, both of which Cisco's Next Generation Encryption guidance classes as legacy (des, md5 and groups 1 and 2 are in the avoid category). For a new PSK tunnel pair aes 256 with sha256 and group 14, or group 19/20 if both peers support ECDH. Whatever you pick, the other peer needs a policy with the same encryption, hash, authentication and group, or phase 1 never completes.
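The policy-matching rule is what you are really troubleshooting when debug crypto isakmp reports "atts are not acceptable", so here is the negotiation worked through in code. This is an added example written for these notes, not code from the original post or from Cisco: it parses crypto isakmp policy blocks from two constructed running-config excerpts (R8's policy is the one configured above, the R9 side is invented for the example), fills in the IOS defaults for anything omitted, walks the responder's policies in priority order the way the peer does, takes the shorter of the two lifetimes as IOS does, and flags legacy attributes using the NGE categories. The config text, the R9 policies and the reporting functions are all assumptions of the example.

```python
"""Mimic IKEv1 (ISAKMP) Phase 1 policy matching between two Cisco IOS peers
and flag weak policy attributes. Added example; all config text is constructed."""
import re

# IOS assigns these defaults to any attribute you leave out of a policy, so a
# policy that looks complete on one side can still fail to match the other.
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": 1, "lifetime": 86400}
# Attributes that must be identical on both peers (lifetime is negotiated down).
NEGOTIATED = ("encryption", "hash", "authentication", "group")
# Cisco NGE: DES/MD5/groups 1-2 are "avoid", 3DES/SHA-1/group 5 are "legacy".
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {1, 2, 5}}

# Constructed running-config excerpts. R8 is the policy from the notes above;
# R9 is an assumed remote peer with one policy that matches and one that does not.
R8_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 3600
"""
R9_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp policy 20
 encr aes 256
 authentication pre-share
 group 5
"""


def parse_isakmp_policies(config):
    """Return {priority: {attribute: value}} for every 'crypto isakmp policy' block."""
    policies = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(DEFAULTS)
            continue
        if current is None or not raw[:1].isspace():
            current = None  # an unindented line ends the policy block
            continue
        keyword, args = line.split()[0], line.split()[1:]
        if keyword.startswith("encr"):
            alg = args[0]
            if alg == "aes":  # 'encr aes' is AES-128; 'encr aes 192|256' sets the key size
                alg = "aes-" + (args[1] if len(args) > 1 else "128")
            policies[current]["encryption"] = alg
        elif keyword == "hash":
            policies[current]["hash"] = args[0]
        elif keyword.startswith("auth"):
            policies[current]["authentication"] = args[0]
        elif keyword == "group":
            policies[current]["group"] = int(args[0])
        elif keyword == "lifetime":
            policies[current]["lifetime"] = int(args[0])
    return policies


def negotiate(initiator, responder):
    """Responder checks its own policies lowest priority number first and accepts
    the first one that any offered initiator policy matches on all NEGOTIATED
    attributes; the shorter lifetime of the pair is what gets used."""
    for r_prio in sorted(responder):
        for i_prio in sorted(initiator):
            r, i = responder[r_prio], initiator[i_prio]
            if all(r[a] == i[a] for a in NEGOTIATED):
                agreed = {a: r[a] for a in NEGOTIATED}
                agreed["lifetime"] = min(r["lifetime"], i["lifetime"])
                return r_prio, i_prio, agreed
    return None


def mismatch_report(initiator, responder):
    """Troubleshooting view: which attributes break each responder/initiator pair."""
    report = []
    for r_prio in sorted(responder):
        for i_prio in sorted(initiator):
            r, i = responder[r_prio], initiator[i_prio]
            diffs = ["%s %s != %s" % (a, r[a], i[a]) for a in NEGOTIATED if r[a] != i[a]]
            if diffs:
                report.append("responder %d vs initiator %d: %s" % (r_prio, i_prio, ", ".join(diffs)))
    return report


def weak_attributes(policy):
    """List the (attribute, value) pairs that fall in the avoid/legacy buckets."""
    return [(a, policy[a]) for a in WEAK if policy[a] in WEAK[a]]


if __name__ == "__main__":
    r8, r9 = parse_isakmp_policies(R8_CONFIG), parse_isakmp_policies(R9_CONFIG)
    print("negotiated:", negotiate(r8, r9))
    for line in mismatch_report(r8, r9):
        print("mismatch:", line)
    for prio, pol in r8.items():
        print("R8 policy %d weak attributes:" % prio, weak_attributes(pol))
```

Run against the constructed configs, R9's policy 10 is rejected (hash and group differ) and its policy 20 matches R8's policy 10 with the 3600 second lifetime taken from R8; drop R9's policy 20 and negotiation returns None, which is the situation behind "atts are not acceptable" on the router. Feed real show running-config | section crypto isakmp policy output from both peers into the two strings to use it on a live problem.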