Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software
Information About Implementing IKE Security Protocol Configurations for IPSec Networks
SC-112
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
OL-20382-01
If you do not configure any policies, your router uses the default policy, which is always set to the lowest priority and contains the default value of each parameter.
Additional Configuration Required for IKE Policies
Depending on the authentication method you specify in your IKE policies, you must perform certain additional configuration tasks before IKE and IPSec can successfully use the IKE policies. Each authentication method requires additional companion configuration as follows:
• RSA signatures method. If you specify RSA signatures as the authentication method in a policy, you may configure the peers to obtain certificates from a CA. (The CA must be properly configured to issue the certificates.) Configure this certificate support as described in the module “Implementing Certification Authority Interoperability.”
The certificates are used by each peer to exchange public keys securely. (RSA signatures require that each peer has the public signature key of the remote peer.) When both peers have valid certificates, they automatically exchange public keys with each other as part of any IKE negotiation in which RSA signatures are used.
You may also want to exchange the public keys manually, as described in the “Manually Configuring RSA Keys” section on page 121.
• RSA encrypted nonces method. If you specify RSA encrypted nonces as the authentication method in a policy, you must ensure that each peer has the public keys of the other peers.
Unlike RSA signatures, the RSA encrypted nonces method cannot use certificates to exchange public keys. Instead, you ensure that each peer has the others’ public keys by one of the following methods:
– Manually configuring RSA keys, as described in the “Manually Configuring RSA Keys” section on page 121.
– Ensuring that an IKE exchange using RSA signatures with certificates has already occurred between the peers. (The peers’ public keys are exchanged during the RSA-signatures-based IKE negotiations if certificates are used.)
To make this happen, specify two policies: a higher-priority policy with RSA encrypted nonces and a lower-priority policy with RSA signatures. When IKE negotiations occur, RSA signatures are used the first time because the peers do not yet have each other’s public keys. Then future IKE negotiations are able to use RSA encrypted nonces because the public keys will have been exchanged.
This alternative requires that you have certification authority support configured.
• Preshared keys authentication method. If you specify preshared keys as the authentication method in a policy, you must configure these preshared keys as described in the “Configuring ISAKMP Preshared Keys in ISAKMP Keyrings” section on page 128.
If RSA encryption is configured and signature mode is negotiated (and certificates are used for signature mode), the peer requests both signature and encryption keys. Basically, the router requests as many keys as the configuration supports. If RSA encryption is not configured, it just requests a signature key.
ISAKMP Identity
You should set the ISAKMP identity for each peer that uses preshared keys in an IKE policy.