Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software
Information About Implementing IKE Security Protocol Configurations for IPSec Networks
SC-109
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
OL-20382-01
After the two peers agree on a policy, the security parameters of the policy are identified by a security
association established at each peer, and these security associations apply to all subsequent IKE traffic
during the negotiation.
You can create multiple, prioritized policies at each peer to ensure that at least one policy matches the
policy of a remote peer.
Definition of Policy Parameters
Table 1 lists the five parameters to define in each IKE policy.
These parameters apply to the IKE negotiations when the IKE security association is established.
IKE Peer Agreement for Matching Policies
When the IKE negotiation begins, IKE looks for an IKE policy that is the same on both peers. The peer
that initiates the negotiation sends all its policies to the remote peer, and the remote peer will try to find
a match. The remote peer looks for a match by comparing its own highest priority policy (designated by
the lowest priority number) against the policies received from the other peer. The remote peer checks
each of its policies in order of its priority (highest priority first) until a match is found.
A match is made when both policies from the two peers contain the same encryption, hash,
authentication, and Diffie-Hellman parameter values, and when the remote peer policy specifies a
lifetime that is less than or equal to the lifetime in the policy being compared. (If the lifetimes are not
identical, the shorter lifetime—from the remote peer’s policy—is used.)
Ta b l e 1 IKE Policy Parameter Definitions
Parameter Accepted Values Keyword Default Value
Encryption algorithm 56-bit DES-CBC
168-bit DES
128-bit AES
192-bit AES
256-bit AES
des
3des
aes
aes 192
aes 256
56-bit DES-CBC
Hash algorithm SHA-1 (HMAC variant)
MD5 (HMAC variant)
sha
md5
SHA-1
Authentication method RSA signatures
RSA encrypted nonces
Preshared keys
rsa-sig
rsa-encr
pre-share
RSA signatures
Diffie-Hellman group
identifier
768-bit Diffie-Hellman or
1024-bit Diffie-Hellman
1536-bit Diffie-Hellman
1
2
5
768-bit Diffie-Hellman
Lifetime of the security
association
1
1. For information about this lifetime and how it is used, see the command description for the lifetime command.
Any number of seconds — 86400 seconds (1 day)
To Next Page
Loading...
Need help?
General
