Checking for Compatible Policies

If you have an IPSec router that will connect to many peers, you must have at least one compatible Phase 1 policy as well as one compatible Phase 2 policy. When IKE Phase 1 begins, the initiator sends all of its available Phase 1 policies to the receiver. The receiver compares its highest-priority policy against the initiator's highest-priority policy. If the two policies are compatible, that is, their parameters match, they are used to create the IKE Phase 1 SA. If they do not match, the receiver continues by comparing its highest-priority policy against the initiator's second-highest-priority policy, and so on, until a valid match is found. The exact same process applies to IKE Phase 2 policies.
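To make the matching order concrete, here is an added Python model of the Phase 1 comparison described above (example code, not from the book or from Cisco IOS). It assumes the Cisco convention that a lower priority number means a higher priority, that a match requires identical encryption, hash, authentication and Diffie-Hellman group, and that when lifetimes differ the shorter one is used; the sample policies are constructed for the example.

```python
# Added example: models IKE Phase 1 policy matching. Policy attributes and sample
# values are constructed; the lifetime rule (shorter wins) is an assumption.

def make_policy(priority, encryption, hash_alg, auth, group, lifetime):
    """Build one ISAKMP policy; lower priority number = higher priority (assumed)."""
    return {"priority": priority, "encryption": encryption, "hash": hash_alg,
            "auth": auth, "group": group, "lifetime": lifetime}

def policies_match(a, b):
    """Two policies are compatible when these four parameters are identical."""
    return all(a[k] == b[k] for k in ("encryption", "hash", "auth", "group"))

def negotiate_phase1(initiator_policies, responder_policies):
    """Return (responder_policy, initiator_policy, lifetime) for the first
    compatible pair, walking the receiver's policies in priority order and,
    for each, the initiator's proposals in priority order; None if no match."""
    init_sorted = sorted(initiator_policies, key=lambda p: p["priority"])
    resp_sorted = sorted(responder_policies, key=lambda p: p["priority"])
    for resp in resp_sorted:            # receiver's highest priority first
        for init in init_sorted:        # against initiator's proposals, best first
            if policies_match(resp, init):
                return resp, init, min(resp["lifetime"], init["lifetime"])
    return None

# Constructed sample: both peers have a strong AES policy, but the receiver's
# 3DES fallback carries a better (lower) priority number than its AES policy.
INITIATOR = [
    make_policy(10, "aes", "sha", "pre-share", 2, 86400),
    make_policy(20, "3des", "md5", "pre-share", 1, 86400),
]
RESPONDER = [
    make_policy(10, "aes", "sha", "rsa-sig", 5, 28800),     # never matches
    make_policy(20, "3des", "md5", "pre-share", 1, 28800),  # matched first
    make_policy(30, "aes", "sha", "pre-share", 2, 28800),   # stronger, but too late
]

def chosen_encryption():
    """Which cipher the SA ends up using for the constructed sample."""
    result = negotiate_phase1(INITIATOR, RESPONDER)
    return None if result is None else result[0]["encryption"]

if __name__ == "__main__":
    resp, init, lifetime = negotiate_phase1(INITIATOR, RESPONDER)
    print(f"responder policy {resp['priority']} <-> initiator policy "
          f"{init['priority']}: {resp['encryption']}/{resp['hash']}, "
          f"lifetime {lifetime}s")
```

The sample shows why priority numbers matter: the receiver's weaker 3DES policy is checked before its AES policy, so the negotiated SA uses 3DES even though both peers support AES; reordering the receiver's policies changes the outcome.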
