
Cisco CRS-1 - Carrier Routing System Router Configuration Guide

Cisco CRS-1 - Carrier Routing System Router
232 pages
Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software
Information About Implementing IKE Security Protocol Configurations for IPSec Networks
SC-108
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
OL-20382-01
SHA (HMAC variant)—Secure Hash Algorithm. A hash algorithm used to authenticate packet
data. HMAC is a variant that provides an additional level of hashing.
RSA signatures and RSA encrypted nonces—RSA is the public key cryptographic system
developed by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA signatures provide
nonrepudiation, and RSA encrypted nonces provide repudiation. (Repudiation and nonrepudiation
are associated with traceability.)
IKE interoperates with the X.509v3 certificates standard. X.509v3 is used with the IKE protocol when
authentication requires public keys. This certificate support allows the protected network to scale by
providing the equivalent of a digital ID card to each device. When two devices want to communicate,
they exchange digital certificates to prove their identity, which removes the need to manually exchange
public keys with each peer or to manually specify a shared key at each peer.
Concessions for Not Enabling IKE
IKE is disabled by default in Cisco IOS XR software. If you do not enable IKE, you must make these
concessions at the peers:
You must manually specify all IPSec security associations in the crypto profiles at all peers. (Crypto
profile configuration is described in the module Implementing IPSec Network Security on
Cisco IOS XR Software in System Security Configuration Guide.)
The IPSec security associations of the peers never time out for a given IPSec session.
During IPSec sessions between the peers, the encryption keys never change.
Anti-replay services are not available between the peers.
Certification authority (CA) support cannot be used.
IKE Policies
You must create IKE policies at each peer. An IKE policy defines a combination of security parameters
to be used during the IKE negotiation.
Before you create and configure IKE policies you should understand the following concepts:
IKE Policy Creation
Definition of Policy Parameters
IKE Peer Agreement for Matching Policies
Limitation of an IKE Peer to a Specific Set of Policies
Value Selection for Parameters
Policy Creation
Additional Configuration Required for IKE Policies
IKE Policy Creation
IKE negotiations must be protected, so each IKE negotiation begins by agreement of both peers on a
common (shared) IKE policy. This policy states which security parameters will be used to protect
subsequent IKE negotiations and mandates how the peers are authenticated.
