|
|
IKE is a key management protocol standard that is used in conjunction with the IPSec standard.
IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard.
IKE is a hybrid protocol, which implements the Oakley key exchange and Skeme key exchange inside the ISAKMP framework. (ISAKMP, Oakley, and Skeme are security protocols implemented by IKE.) IKE automatically negotiates IPSec security associations and enables IPSec secure communications without manual preconfiguration.
Specifically, IKE provides these benefits:
This chapter includes the following sections, which provide background you will need to know prior to configuring IKE on a PIX Firewall:
For the IKE configuration steps, see "Configuring IKE."
You must create IKE policies at each peer. An IKE policy defines a combination of security parameters to be used during IKE negotiation.
To create an IKE policy, follow the guidelines provided in the following sections:
IKE negotiations must be protected, so each IKE negotiation begins by each peer agreeing on a common (shared) IKE policy. This policy states which security parameters will be used to protect subsequent IKE negotiations.
After the two peers agree upon a policy, the security parameters of the policy are identified by a security association established at each peer, and these security associations apply to all subsequent IKE traffic during the negotiation.
You can create multiple, prioritized policies at each peer to ensure that at least one policy will match a remote peer's policy.
There are five parameters to define in each IKE policy. These parameters apply to the IKE negotiations when the IKE security association is established. Table 3-1 provides the five IKE policy parameters and their accepted values.
| Parameter | Accepted Values | Keyword | Default Value |
|---|---|---|---|
encryption algorithm | 56-bit DES-CBC | des 3des | 56-bit DES-CBC
|
hash algorithm | SHA-1 (HMAC variant) MD5 (HMAC variant) | sha md5 | |
authentication method | RSA signatures pre-shared keys | rsa-sig pre-share | RSA signatures |
Diffie-Hellman group identifier | 768-bit Diffie-Hellman or 1024-bit Diffie-Hellman | 1 2 | 768-bit Diffie-Hellman |
security association's lifetime | can specify any number of seconds | - | 86,400 seconds (one day) |
When the IKE negotiation begins, IKE looks for an IKE policy that is the same on both peers. The peer that initiates the negotiation will send all its policies to the remote peer, and the remote peer will try to find a match. The remote peer looks for a match by comparing its own highest priority policy against the other peer's received policies. The remote peer checks each of its policies in order of its priority (highest priority first) until a match is found.
A match is made when both policies from the two peers contain the same encryption, hash, authentication, and Diffie-Hellman parameter values, and when the remote peer's policy specifies a lifetime less than or equal to the lifetime in the policy being compared. (If the lifetimes are not identical, the shorter lifetime—from the remote peer's policy—will be used.)
If no acceptable match is found, IKE refuses negotiation and IPSec will not be established.
If a match is found, IKE will complete negotiation, and IPSec security associations will be created.
 |
Note Depending on which authentication method is specified in a policy, additional configuration might be required (as described in the section "Additional Configuration Required for IKE Policies"). If a peer's policy does not have the required companion configuration, the peer will not submit the policy when attempting to find a matching policy with the remote peer. |
You can select certain values for each parameter, per the IKE standard. But why chose one value over another?
If you are interoperating with a peer that supports only one of the values for a parameter, your choice is limited to the other peer's supported value. Aside from this, there is often a trade-off between security and performance, and many of these parameter values represent such a trade-off. You should evaluate the level of your network's security risks and your tolerance for these risks.
The following tips might help you select which value to specify for each parameter.
You can create multiple IKE policies, each with a different combination of parameter values. For each policy that you create, you assign a unique priority (1 through 65,534, with 1 being the highest priority).
You can configure multiple policies on each peer—but at least one of these policies must contain exactly the same encryption, hash, authentication, and Diffie-Hellman parameter values as one of the policies on the remote peer. (The lifetime parameter does not necessarily have to be the same; see details in the section "How Do IKE Peers Agree upon a Matching Policy?".)
If you do not configure any policies, your PIX Firewall will use the default policy, which is always set to the lowest priority, and which contains each parameter's default value.
If you do not specify a value for a parameter, the default value is assigned.
Depending on which authentication method you specify in your IKE policies, you need to do certain additional configuration before IKE and IPSec can successfully use the IKE policies.
Each authentication method requires additional companion configuration as follows:
|
Note If you enable the Extended Authentication (Xauth) and IKE Mode Config features for the VPN client peers, and you have security gateway and VPN client peers terminating IPSec on the same interface, configure to make exceptions to these features for each security gateway. See the sections "Configuring Extended Authentication" and "Configuring IKE Mode Config (Dynamic IP Address Assignment for VPN Client)" in "Advanced Configurations," for more information. |
To configure pre-shared keys, perform one or both of the following tasks at each peer. See "Configuring IKE Pre-Shared (Authentication) Keys Manually" within "Configuring IKE," for the steps involved in configuring pre-shared keys.
Posted: Thu Aug 31 19:49:03 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.