Internet Key Exchange (IKE) Mode Configuration, as defined by the Internet Engineering Task Force (IETF), allows a gateway to download an IP address (and other network level configuration) to the client as part of an IKE negotiation. Using this exchange, the gateway gives IP addresses to the IKE client to be used as an "inner" IP address encapsulated under IPSec. This provides a known IP address for the client which can be matched against Internet Protocol Security (IPSec) policy.
This feature implements IKE Mode Configuration into existing Cisco IOS IPSec software images. Using IKE Mode Configuration, you can configure a Cisco access server to download an IP address to a client as part of an IKE transaction.
To implement IPSec Virtual Private Networks (VPNs) between remote access clients with dynamic IP addresses and a corporate gateway, you have to dynamically administer scalable IPSec policy on the gateway once each client is authenticated. With IKE Mode Configuration, the gateway can set up scalable policy for a very large set of clients irrespective of the IP addresses of those clients.
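The exchange described above, worked through as an added example that is not part of this Cisco document: an IKE client and a gateway trade ISAKMP Attributes payloads in both directions that the feature supports, the gateway answering a client request for an inner address, and the gateway pushing an address on its own initiative. The Attributes payload layout (generic payload header, then Type, Reserved, Identifier, then data attributes) follows the IETF mode-config draft the feature implements, and the data-attribute encoding follows RFC 2408 section 3.3. The Gateway and client helpers, the identifier values, and the pool-exhaustion behaviour are assumptions made for illustration and do not describe Cisco IOS internals.

```python
"""Mode Configuration exchange between an IKE client and a gateway.

Added example, not Cisco code. Attributes payload layout per the IETF
mode-config draft; data-attribute (TV/TLV) encoding per RFC 2408 s3.3.
Gateway/client helpers and pool-exhaustion handling are assumptions.
"""
import ipaddress
import struct

ISAKMP_CFG_REQUEST, ISAKMP_CFG_REPLY, ISAKMP_CFG_SET, ISAKMP_CFG_ACK = 1, 2, 3, 4
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK = 1, 2
AF_BIT = 0x8000  # attribute format: set = 2-byte value inline, clear = length + value


def encode_attr(atype: int, value: bytes = b"") -> bytes:
    """One data attribute in TLV form; an empty value means 'please supply'."""
    return struct.pack("!HH", atype & 0x7FFF, len(value)) + value


def build_cfg_payload(msg_type: int, identifier: int, attrs) -> bytes:
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    # next payload (0 = none), reserved, payload length, Type, Reserved, Identifier
    return struct.pack("!BBHBBH", 0, 0, 8 + len(body), msg_type, 0, identifier) + body


def parse_cfg_payload(data: bytes):
    """Return (msg_type, identifier, [(attr_type, value), ...]); reject malformed input."""
    if len(data) < 8:
        raise ValueError("short Attributes payload")
    _np, _r, length, msg_type, _r2, identifier = struct.unpack("!BBHBBH", data[:8])
    if length != len(data):
        raise ValueError("payload length field does not match data")
    attrs, off = [], 8
    while off + 4 <= length:
        atype, lv = struct.unpack("!HH", data[off:off + 4])
        off += 4
        if atype & AF_BIT:                      # TV form: lv is the value itself
            attrs.append((atype & 0x7FFF, struct.pack("!H", lv)))
        else:                                   # TLV form: lv is a length
            value = data[off:off + lv]
            if len(value) != lv:
                raise ValueError("truncated attribute value")
            off += lv
            attrs.append((atype, value))
    if off != length:
        raise ValueError("trailing bytes in Attributes payload")
    return msg_type, identifier, attrs


class Gateway:
    """Allocates inner addresses from a range, like an 'ip local pool' (assumed model)."""

    def __init__(self, first: str, last: str, netmask: str = "255.255.255.0"):
        self.next = int(ipaddress.IPv4Address(first))
        self.last = int(ipaddress.IPv4Address(last))
        self.netmask = ipaddress.IPv4Address(netmask).packed

    def allocate(self, identifier: int):
        if self.next > self.last:
            return None                         # pool exhausted (assumed behaviour)
        addr = ipaddress.IPv4Address(self.next)
        self.next += 1
        return addr

    def respond(self, request: bytes) -> bytes:
        """Client initiation ('respond' keyword): answer a REQUEST with a REPLY."""
        msg_type, ident, attrs = parse_cfg_payload(request)
        if msg_type != ISAKMP_CFG_REQUEST:
            raise ValueError("expected ISAKMP_CFG_REQUEST")
        wanted = {t for t, _ in attrs}
        reply = []
        if INTERNAL_IP4_ADDRESS in wanted:
            addr = self.allocate(ident)
            if addr is not None:                # omit attributes we cannot supply
                reply.append((INTERNAL_IP4_ADDRESS, addr.packed))
        if INTERNAL_IP4_NETMASK in wanted and reply:   # a netmask only makes sense with an address
            reply.append((INTERNAL_IP4_NETMASK, self.netmask))
        return build_cfg_payload(ISAKMP_CFG_REPLY, ident, reply)

    def initiate(self, identifier: int) -> bytes:
        """Gateway initiation ('initiate' keyword): push an address with SET."""
        addr = self.allocate(identifier)
        if addr is None:
            raise RuntimeError("address pool exhausted")
        return build_cfg_payload(ISAKMP_CFG_SET, identifier,
                                 [(INTERNAL_IP4_ADDRESS, addr.packed),
                                  (INTERNAL_IP4_NETMASK, self.netmask)])


def client_request(identifier: int) -> bytes:
    """Client asks for an address and netmask using zero-length attributes."""
    return build_cfg_payload(ISAKMP_CFG_REQUEST, identifier,
                             [(INTERNAL_IP4_ADDRESS, b""), (INTERNAL_IP4_NETMASK, b"")])


def client_accept(set_payload: bytes):
    """Client takes the pushed address and ACKs the attribute types it accepted."""
    msg_type, ident, attrs = parse_cfg_payload(set_payload)
    if msg_type != ISAKMP_CFG_SET:
        raise ValueError("expected ISAKMP_CFG_SET")
    got = dict(attrs)
    addr = ipaddress.IPv4Address(got[INTERNAL_IP4_ADDRESS])
    ack = build_cfg_payload(ISAKMP_CFG_ACK, ident, [(t, b"") for t in got])
    return addr, ack


def run_both_modes():
    """One exchange of each type against a pool mirroring the page's example range."""
    gw = Gateway("171.72.1.1", "171.72.1.254")
    _, _, reply = parse_cfg_payload(gw.respond(client_request(0x1234)))
    respond_addr = ipaddress.IPv4Address(dict(reply)[INTERNAL_IP4_ADDRESS])
    initiate_addr, ack = client_accept(gw.initiate(0x5678))
    return str(respond_addr), str(initiate_addr), parse_cfg_payload(ack)[0]
```

Calling run_both_modes() hands the first pool address to the requesting client and the second to the client the gateway pushes to, and the client's ACK comes back with message type 4. The parser refuses payloads whose length field disagrees with the data or whose last attribute is cut short, which is the check a real implementation must make before trusting an attribute value.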
IKE Mode Configuration has the following restrictions:
Caution: Cisco IOS images with strong encryption (including, but not limited to, 56-bit data encryption feature sets) are subject to United States government export controls, and have a limited distribution. Images to be installed outside the United States require an export license. Customer orders might be denied or subject to delay due to United States government regulations. Contact your sales representative or distributor for more information, or send e-mail to export@cisco.com.
For related information on the IKE Mode Configuration feature, refer to the following documents:
None
For descriptions of supported MIBs and how to use MIBs, see Cisco's MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFC 2119, Key words for use in RFCs to Indicate Requirement Levels
RFC 2131, Dynamic Host Configuration Protocol
RFC 2251, Lightweight Directory Access Protocol (v3)
RFC 2138, Remote Authentication Dial In User Service (RADIUS)
client---Node or software program (front-end device) that requests services from a server.
gateway---A device, usually a Cisco access server, that performs an application layer conversion from one protocol stack to another.
IP Security Protocol---See IPSec.
IPSec---A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer; it uses IKE to handle negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
IKE---A key management protocol standard which is used in conjunction with the IPSec standard. IPSec is an IP security feature that provides robust authentication and encryption of IP packets. IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard. IKE is a hybrid protocol which implements the Oakley key exchange and Skeme key exchange inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. (ISAKMP, Oakley, and Skeme are security protocols implemented by IKE.)
Internet Key Exchange---See IKE.
VPN---Enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN uses "tunneling" to encrypt all information at the IP level.
Virtual Private Network---See VPN.
To configure a Cisco router to support IKE Mode Configuration, perform the tasks in the following sections.

There are two types of IKE Mode Configuration for VPN, selected by the keyword on the crypto map client configuration address command:

Gateway initiation (initiate keyword): the gateway starts the configuration exchange and attempts to set an IP address for each peer.

Client initiation (respond keyword): the client asks for an address, and the gateway accepts requests for IP addresses from any requesting peer.

There are two steps to configuring IKE Mode Configuration on your router: define a local address pool and reference it from the IKE configuration, then enable Mode Configuration on the crypto map.

To configure IKE Mode Configuration on your Cisco router, use the following commands in global configuration mode:
| Step | Command | Purpose |
|---|---|---|
| 1 | router(config)# ip local pool <pool-name> <start-addr> <end-addr> | Defines the set of addresses that will be handed out. Existing local address pools are used; for more information on the ip local pool command, refer to the Cisco IOS Release 12.0 command references. |
| 2 | router(config)# crypto isakmp client configuration address-pool local <pool-name> | References the local address pool from the IKE configuration, using the new crypto isakmp client configuration address-pool local command. For more information on this command, refer to the "Command Reference". |
| 3 | router(config)# crypto map <map-name> client configuration address {initiate \| respond} | Enables IKE Mode Configuration on the crypto map, using the new crypto map client configuration address command. Use initiate to have the gateway push addresses to peers, respond to have it answer peer requests, or enter the command once with each keyword to enable both. For more information on this command, refer to the "Command Reference". |
Step 1 To verify that IKE Mode Configuration is configured, check the router's running configuration. Enter the show running-config command on the router in privileged EXEC mode.

Step 2 Verify IKE Mode Configuration by comparing the configuration with the example shown in "Configuration Example". In particular, confirm that the pool named in the crypto isakmp client configuration address-pool local line is defined by a matching ip local pool command, that the crypto map carrying client configuration address has an ipsec-isakmp entry, and that the map is applied to the interface on which clients connect.
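The verification above can be done by eye, but the following script, added here as an example and not part of the Cisco document, performs the same checks mechanically over the text that show running-config prints: it confirms that an ip local pool exists, that the crypto isakmp client configuration address-pool local line names that pool, and that a crypto map with client configuration address has an ipsec-isakmp entry and is applied to an interface. It also warns about weak ESP transforms. Both sample configurations are constructed for this example; the first mirrors the page's configuration example, the second has a mistyped pool name and a crypto map that is never applied to an interface.

```python
"""Lint an IOS running-config for a complete IKE Mode Configuration setup.

Added example, not Cisco code. The regular expressions match the command
syntax shown on this page; the sample configs below are constructed.
"""
import re
from typing import List

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+) (\S+)")
POOL_REF_RE = re.compile(r"^crypto isakmp client configuration address-pool local (\S+)")
MAP_MODE_RE = re.compile(r"^crypto map (\S+) client configuration address (initiate|respond)\b")
MAP_ENTRY_RE = re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp\b")
IFACE_RE = re.compile(r"^interface \S+")
IFACE_MAP_RE = re.compile(r"^\s+crypto map (\S+)")
TRANSFORM_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)")
WEAK_TRANSFORMS = {"esp-des", "esp-null"}   # single DES, or no encryption at all

# Constructed sample mirroring the page's configuration example.
GOOD_CONFIG = """\
crypto isakmp client configuration address-pool local ire
crypto ipsec transform-set pc esp-des esp-md5-hmac
crypto dynamic-map dyn 10
 set transform-set pc
 match address 103
crypto map dyn client configuration address initiate
crypto map dyn client configuration address respond
crypto map dyn 10 ipsec-isakmp dynamic dyn
interface Ethernet1/0
 ip address 172.21.230.34 255.255.255.224
 crypto map dyn
ip local pool ire 171.72.1.1 171.72.1.254
access-list 103 permit ip host 172.21.230.34 171.72.1.0 0.0.0.255
"""

# Constructed broken variant: pool name mistyped, map never applied to an interface.
BAD_CONFIG = """\
crypto isakmp client configuration address-pool local vpnpool
crypto ipsec transform-set pc esp-des esp-md5-hmac
crypto map dyn client configuration address respond
crypto map dyn 10 ipsec-isakmp dynamic dyn
interface Ethernet1/0
 ip address 172.21.230.34 255.255.255.224
ip local pool ire 171.72.1.1 171.72.1.254
"""


def check_mode_config(config: str) -> List[str]:
    """Return 'error: ...' and 'warning: ...' findings; an empty list means clean."""
    pools, pool_refs, map_modes, map_entries, applied, transforms = {}, [], {}, set(), set(), {}
    in_interface = False
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line[0].isspace():                # a top-level line ends any interface block
            in_interface = bool(IFACE_RE.match(line))
        if m := POOL_RE.match(line):
            pools[m[1]] = (m[2], m[3])
        elif m := POOL_REF_RE.match(line):
            pool_refs.append(m[1])
        elif m := MAP_MODE_RE.match(line):
            map_modes.setdefault(m[1], set()).add(m[2])
        elif m := MAP_ENTRY_RE.match(line):
            map_entries.add(m[1])
        elif m := TRANSFORM_RE.match(line):
            transforms[m[1]] = m[2].split()
        elif in_interface and (m := IFACE_MAP_RE.match(line)):
            applied.add(m[1])

    findings = []
    if not pool_refs:
        findings.append("error: no 'crypto isakmp client configuration address-pool local' line")
    for name in pool_refs:
        if name not in pools:
            findings.append(f"error: pool '{name}' is referenced but no 'ip local pool {name}' exists")
    if not map_modes:
        findings.append("error: no crypto map has 'client configuration address initiate|respond'")
    for name in map_modes:
        if name not in map_entries:
            findings.append(f"error: crypto map '{name}' has no ipsec-isakmp entry")
        if name not in applied:
            findings.append(f"error: crypto map '{name}' is not applied to any interface")
    for name, algs in transforms.items():
        weak = sorted(WEAK_TRANSFORMS.intersection(algs))
        if weak:
            findings.append(f"warning: transform-set '{name}' uses {', '.join(weak)}; use a stronger cipher")
    return findings
```

Run check_mode_config over the text of show running-config; the page's own example yields only the esp-des warning, while the broken variant reports the dangling pool reference and the unapplied map. The interface tracking matters: a crypto map line is only counted as applied when it is indented under an interface, so the same words in a crypto map entry do not satisfy the check.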
The following example is partial output from the show running-config privileged EXEC command. This configuration shows a Cisco router with IPSec that has been configured to do the following:

Define a local address pool named ire (171.72.1.1 through 171.72.1.254) and reference it from the IKE configuration.

Define a transform set (pc) and a dynamic crypto map (dyn) that applies it to traffic matched by access list 103, and attach the dynamic map to crypto map dyn.

Enable IKE Mode Configuration on crypto map dyn in both initiate and respond modes, and apply the map to interface Ethernet1/0.

```
crypto isakmp client configuration address-pool local ire
crypto ipsec transform-set pc esp-des esp-md5-hmac
crypto dynamic-map dyn 10
 set transform-set pc
 match address 103
crypto map dyn client configuration address initiate
crypto map dyn client configuration address respond
crypto map dyn 10 ipsec-isakmp dynamic dyn
interface Ethernet1/0
 ip address 172.21.230.34 255.255.255.224
 crypto map dyn
ip local pool ire 171.72.1.1 171.72.1.254
access-list 103 permit ip host 172.21.230.34 171.72.1.0 0.0.0.255
```

Note that the transform set in this example uses esp-des (56-bit single DES), which is no longer considered secure; on a current platform, use a stronger ESP cipher.
This section documents new commands for this feature. All other commands used to configure this feature are documented in the Cisco IOS Release 12.0 command references.
To reference a local IP address pool from the IKE configuration on your router, use the crypto isakmp client configuration address-pool local global configuration command. Use the no form of this command to restore the default value.
crypto isakmp client configuration address-pool local <pool-name>
| Syntax | Description |
|---|---|
| pool-name | Specifies the name of a local address pool. |

Default: No local address pool is referenced by IKE.

Command mode: Global configuration.

| Release | Modification |
|---|---|
| 12.0(4)XE | This command was introduced in Cisco IOS Release 12.0(4)XE. |
| 12.0(7)T | This command was integrated into Cisco IOS Release 12.0(7)T. |

Usage guidelines: None.
The following example references IP address local pools to IKE on your router, with "ire" as the pool-name.
router(config)# crypto isakmp client configuration address-pool local ire
| Command | Description |
|---|---|
| ip local pool | Configures a local pool of IP addresses to be used when a remote peer connects to a point-to-point interface. To delete an address pool, use the no form of this command. |
To configure IKE Mode Configuration on your router, use the crypto map client configuration address global configuration command. Use the no form of this command to restore the default value.
crypto map <map-name> client configuration address < initiate | respond >
| Syntax | Description |
|---|---|
| map-name | The name that identifies the crypto map set. This is the name assigned when the crypto map was created. |
| initiate | A keyword that indicates the router will attempt to set IP addresses for each peer. |
| respond | A keyword that indicates the router will accept requests for IP addresses from any requesting peer. |

Default: IKE Mode Configuration is not enabled.

Command mode: Global configuration.

| Release | Modification |
|---|---|
| 12.0(4)XE | This command was introduced in Cisco IOS Release 12.0(4)XE. |
| 12.0(7)T | This command was integrated into Cisco IOS Release 12.0(7)T. |

Usage guidelines: At the time of this publication, this feature is an IETF draft with limited support. Therefore this feature was not designed to enable the configuration mode for every IKE connection by default; it is enabled only on the crypto maps on which you configure it.
The following examples configure IKE Mode Configuration on your router, with "dyn" as the map-name.
router(config)# crypto map dyn client configuration address initiate

router(config)# crypto map dyn client configuration address respond

| Command | Description |
|---|---|
| crypto map (global configuration) | Creates or modifies a crypto map definition and enters crypto map configuration mode. Use the no form of this command to delete a crypto map definition. |
Posted: Wed Jan 19 17:38:44 PST 2000
Copyright 1989 - 2000 © Cisco Systems Inc.