Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software
Information About Implementing IKE Security Protocol Configurations for IPSec Networks
SC-30
Cisco IOS XR System Security Configuration Guide
Internet Key Exchange Extended Authentication

IKE extended authentication (Xauth) is a draft RFC based on the IKE protocol. Xauth allows all Cisco IOS XR software AAA authentication methods to perform user authentication in a separate phase after the IKE authentication phase 1 exchange. The AAA configuration list name must match the Xauth configuration list name for user authentication to occur.

Xauth does not replace IKE. IKE allows for device authentication and Xauth allows for user authentication, which occurs after IKE device authentication. Xauth occurs after IKE authentication phase 1 but before IKE IPSec SA negotiation phase 2.

To configure Xauth, perform the following tasks:

- Configure AAA (you must set up an authentication list).
- Configure a static crypto ISAKMP profile.
- Configure ISAKMP policy.
- Configure a dynamic crypto ISAKMP profile (optional).

For information on configuring crypto ISAKMP profiles, see the “Configuring the ISAKMP Profile for Locally Sourced and Destined Traffic” section on page 58.
Call Admission Control

The Call Admission Control (CAC) for Internet Key Exchange (IKE) feature describes the application of CAC to the IKE protocol in Cisco IOS XR software. CAC limits the number of simultaneous IKE security associations (SAs) (that is, calls to CAC) that a router can establish. In addition, there is an option to limit the maximum number of active IKE SAs allowed in the system and the CPU usage that is consumed by the IKE process or global CPU. The main function of CAC is to protect the router from severe resource depletion and to prevent crashes.

IKE Session

You can configure the absolute IKE SA limit by using the crypto isakmp call admission limit command. The router drops new IKE SA requests when the value has been reached.

Security Association Limit

A security association (SA) is a description of how two or more entities use security services to communicate securely on behalf of a particular data flow. IKE requires and uses SAs to identify the parameters of its connections. IKE can negotiate and establish its own SA. An IKE SA is used by IKE only, and it is bidirectional. An IKE SA cannot limit IPsec.

IKE drops SA requests based on a user-configured SA limit. To configure an IKE SA limit, use the crypto isakmp call admission limit command. When there is a new SA request from a peer router, IKE determines whether the number of active IKE SAs plus the number of SAs being negotiated meets or exceeds the configured SA limit. If the number is greater than or equal to the limit, the new SA request is rejected and a system log is generated. This log contains the source and destination IP addresses of the SA request.
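The following is an added model of the admission rule described above; it is illustration code, not Cisco software, and the log line format, the peer addresses and the scenario in demo() are constructed. It shows the inclusive check (active plus negotiating SAs compared against the limit) and how a torn-down SA frees a slot.

```python
from dataclasses import dataclass, field


@dataclass
class IkeCallAdmissionControl:
    """Models the IKE SA admission check: active SAs plus SAs still in
    negotiation are counted against the configured limit."""
    limit: int                                    # value of 'crypto isakmp call admission limit'
    negotiating: set = field(default_factory=set) # (src, dst) pairs still in IKE phase 1
    active: set = field(default_factory=set)      # established IKE SAs
    logs: list = field(default_factory=list)      # rejection log lines

    def in_use(self) -> int:
        """Active SAs plus SAs currently being negotiated."""
        return len(self.active) + len(self.negotiating)

    def request(self, src: str, dst: str) -> bool:
        """New IKE SA request from peer src to local address dst. The check is
        inclusive: once the count meets or exceeds the limit the request is
        rejected and a log line is produced, so limit=N allows at most N SAs."""
        if self.in_use() >= self.limit:
            # Constructed log format (not the real IOS XR message); it carries
            # the source and destination addresses as the text describes.
            self.logs.append(f"IKE-CAC-REJECT src={src} dst={dst} "
                             f"in_use={self.in_use()} limit={self.limit}")
            return False
        self.negotiating.add((src, dst))
        return True

    def complete(self, src: str, dst: str) -> None:
        """Phase 1 succeeded: the SA moves from negotiating to active."""
        self.negotiating.discard((src, dst))
        self.active.add((src, dst))

    def teardown(self, src: str, dst: str) -> None:
        """Established SA deleted (or negotiation failed): frees a slot."""
        self.negotiating.discard((src, dst))
        self.active.discard((src, dst))


def demo():
    """Constructed scenario: limit 2, three peers, then one SA torn down."""
    cac = IkeCallAdmissionControl(limit=2)
    results = [cac.request(f"192.0.2.{i}", "198.51.100.1") for i in (10, 11, 12)]
    cac.complete("192.0.2.10", "198.51.100.1")   # first peer finishes phase 1
    cac.teardown("192.0.2.10", "198.51.100.1")   # ...and is later deleted
    results.append(cac.request("192.0.2.12", "198.51.100.1"))  # slot freed now
    return results, cac.logs
```

demo() returns [True, True, False, True] and a single rejection log for the third peer, which is the case a defender would alert on as a possible resource-exhaustion attempt.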
