Configuring the Internet Key Exchange (IKE) security protocol

Summarization

IKE summarization

The procedure IKE configuration

The next step

Examples of IKE configuration

 

Summarization

This chapter describes how to configure the Internet Key Exchange (IKE) protocol. IKE is a key management protocol standard that is used together with the IPSec standard. IPSec can be used without IKE, but IKE enhances IPSec by providing additional features, flexibility and easier configuration. IKE is a hybrid protocol that implements the Oakley and Skeme key exchanges inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. (ISAKMP, Oakley and Skeme are the security protocols that IKE implements.)

IKE summarization

IKE negotiates IPSec security associations (SAs) automatically, so IPSec-secured communication can be carried out without manual pre-configuration. IKE provides the following benefits:

IKE removes the need to specify all IPSec security parameters manually in the crypto maps of both communicating peers.

IKE allows a lifetime to be defined for the IPSec security association.

IKE allows encryption keys to be changed during an IPSec session.

IKE allows IPSec to provide anti-replay service.

IKE allows dynamic authentication between the peers.

 

Standards supported

The router implements the following standards:

IPSec: IPSec is a framework of open standards that provides data encryption, data integrity and data authentication services between peers. IPSec provides these security services at the IP layer; it uses IKE to negotiate protocols and algorithms and to generate the encryption and authentication keys used by IPSec. IPSec can protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

IKE: A hybrid protocol that implements the Oakley and Skeme key exchanges inside the ISAKMP framework. IKE can be used with other protocols, but it was initially implemented for use with IPSec. IKE authenticates the IPSec peers, negotiates IPSec keys and negotiates IPSec security associations.

ISAKMP: A protocol framework that defines payload formats, the mechanics of implementing a key exchange protocol, and the negotiation of a security association.

Oakley: A key exchange protocol that defines how to derive authenticated keying material.

Skeme: A key exchange protocol that defines how to derive authenticated keying material, with rapid key refreshment.

 

The technologies used to implement IKE include the following:

DES: Data Encryption Standard (DES).

3DES: 3DES is used to encrypt packet data.

Diffie-Hellman: A public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communication channel. IKE uses Diffie-Hellman to establish session keys. The router supports the 768-bit and 1024-bit Diffie-Hellman groups.

MD5 (HMAC variant): MD5 is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.

SHA (HMAC variant): SHA is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.

 

The procedure IKE configuration

To configure IKE, perform the tasks in the following sections. The tasks in the first three sections are required; the others are optional, depending on the parameters configured.

Guarantee the compatibility of access list with IKE

Establish IKE policy

The setting of pre-share key

The clearing of IKE connection (Optional)

IKE diagnosis (Optional)

 

For examples of IKE configuration, refer to the section “Examples of IKE configuration” at the end of this section.

 

Guarantee the compatibility of access list with IKE

IKE negotiation uses UDP on port 500. Make sure that traffic on UDP port 500 is not blocked on the interfaces used by IKE and IPSec. In some cases an additional rule is required in the access list to explicitly permit packets from UDP port 500.

 

Establish IKE policy

An IKE policy must be created on both IPSec peers. An IKE policy defines the combination of security parameters used during the IKE negotiation.

Before creating an IKE policy, consider the following topics:

The reasons to establish policy

Parameters defined in the policy

How to complete a matching policy with IKE

Setting value of policy parameters

Establishing policy

Extra configuration required for IKE policy

 

The reasons to establish policy

IKE negotiations must be protected, so each IKE negotiation begins with the two peers agreeing on a common IKE policy. This policy states which security parameters will be used to protect the subsequent IKE negotiation.

After the two peers agree on a common IKE policy, the security parameters of that policy are identified by an ISAKMP security association established on each peer, and these security associations apply to all subsequent IKE traffic during the negotiation.

Several policies with different priorities should be created on both peers, to ensure that at least one policy matches a policy on the remote peer.

Parameters defined in the policy

Each IKE policy defines five parameters:

Parameter                               Accepted value                          Key word    Default value
--------------------------------------  --------------------------------------  ----------  -----------------------
Encryption algorithm                    56 bit DES-CBC                          des         56 bit DES-CBC
                                        168 bit 3DES-CBC                        3des
Hash algorithm                          SHA-1                                   sha         SHA-1
                                        MD5                                     md5
Authentication method                   Pre-shared key                          pre-share   Pre-share key
                                        RSA signature                           rsa-sig
                                        RSA real-time encryption                rsa-encr
Diffie-Hellman group tag                768 bit Diffie-Hellman                  1           768 bit Diffie-Hellman
                                        1024 bit Diffie-Hellman                 2
Lifetime of the security association    Any period of time between 60 and       -           86400 seconds (one day)
                                        86400 seconds

 

How to complete a matching policy with IKE

When an IKE negotiation starts, IKE looks for an IKE policy that is the same on both peers. The peer that initiates the negotiation sends all of its policies to the remote peer, and the remote peer tries to find a match. The remote peer starts by comparing its own highest-priority policy against the received policies, and then checks each of its policies in order of priority (highest priority first) until it finds a match.

A match is made when the policies from both peers contain identical encryption, hash, authentication and Diffie-Hellman parameter values, and the lifetime specified by the remote peer's policy is less than or equal to the lifetime of the policy it is compared with.

If no acceptable match is found, IKE refuses the negotiation and IPSec is not established.

If a match is found, IKE completes the negotiation and the IPSec security association is established.

NOTICE: Depending on the authentication method specified in the policy, additional configuration of parameters is required.
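The matching procedure described above, as an added Python sketch (not code from the router or this manual). It takes the responder's point of view and reads "the remote peer's policy" in the lifetime rule as the policy received from the other side, which is an assumption; the names `Policy`, `matches`, `select_policy` and the initiator proposals are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    priority: int                      # 1 is the highest priority
    encryption: str = "des"            # defaults taken from the parameter table
    hash_alg: str = "sha"
    authentication: str = "pre-share"
    group: int = 1
    lifetime: int = 86400              # seconds

# The default policy always sorts last; 10001 is a constructed sentinel
# just past the configurable priority range 1-10000.
DEFAULT = Policy(priority=10001)

def matches(local, offered):
    """Four parameters identical and offered lifetime <= local lifetime."""
    same = (local.encryption, local.hash_alg, local.authentication, local.group) == (
        offered.encryption, offered.hash_alg, offered.authentication, offered.group)
    return same and offered.lifetime <= local.lifetime

def select_policy(local_policies, offered_policies):
    """Responder side: return (local, offered) for the first match, else None."""
    for local in sorted(local_policies + [DEFAULT], key=lambda p: p.priority):
        for offered in offered_policies:
            if matches(local, offered):
                return local, offered
    return None  # no common policy: IKE refuses the negotiation

# Responder configured as in this chapter's example (policies 10 and 20).
RESPONDER = [
    Policy(10, hash_alg="md5", group=2, lifetime=5000),
    Policy(20, lifetime=10000),
]
# Constructed initiator proposals.
OFFER = [
    Policy(5, encryption="3des", group=2, lifetime=3600),
    Policy(15, hash_alg="md5", group=2, lifetime=7200),  # lifetime too long for 10
    Policy(30, lifetime=10000),
]
```

With these inputs the responder settles on its policy 20, because proposal 15 agrees with policy 10 on all four parameters but asks for a longer lifetime. An initiator that offers only its default policy ends up on the responder's default policy.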

Setting value of policy parameters

There are two choices for encryption algorithm: 56-bit DES-CBC and 168-bit 3DES-CBC. 3DES-CBC is more secure.

There are two choices for hash algorithm: SHA-1 and MD5. MD5 has a smaller digest and is faster than SHA-1. One attack against MD5 has been shown to succeed (though it is very difficult); however, the HMAC variant used by IKE prevents this attack.

There are three choices for authentication method, but currently only pre-share key is supported.

There are two choices for Diffie-Hellman group: 768-bit or 1024-bit Diffie-Hellman. 1024-bit Diffie-Hellman is harder to attack but requires more CPU time.

The lifetime of the security association can be set to any value between 60 and 86400 seconds. The shorter the lifetime, the more secure the IKE negotiation. With a longer lifetime, subsequent IPSec security associations can be set up more quickly. For more information about this parameter and how to use it, refer to the description of the lifetime (IKE policy) command.

Establishing policy

The user can create multiple IKE policies, each with a different combination of parameter values. Each policy must be assigned a unique priority (1-10000, where 1 is the highest priority).

Multiple policies can be configured on each peer, but at least one of them must contain encryption, hash, authentication and Diffie-Hellman parameter values identical to those of one policy on the remote peer.

If no policy is configured, the router uses a default policy, which always has the lowest priority and contains the default value of every parameter.

To configure a policy, use the following commands in global configuration mode:

Step  Command                                       Objective
----  --------------------------------------------  ----------------------------------------------------------------
1     crypto isakmp policy priority                 Creates an IKE policy (each policy is uniquely identified by its
                                                    priority). This command enters ISAKMP policy configuration state.
2     encryption {des|3des}                         Defines the encryption algorithm.
3     hash {sha | md5}                              Defines the hash algorithm.
4     authentication {pre-share|rsa-sig|rsa-encr}   Defines the authentication method.
5     group {1 | 2}                                 Defines the Diffie-Hellman group.
6     lifetime seconds                              Defines the lifetime of the IKE security association.
7     exit                                          Exits ISAKMP policy configuration state.
8     show crypto isakmp policy                     (Optional) Shows all existing IKE policies. (Use this command
                                                    under management state.)

If no value is assigned to a parameter, the default value applies.

NOTICE: The “show running” command does not show the default policy or the default values within configured policies. Use the “show crypto isakmp policy” command to check the default policy and the default values within configured policies.

Extra configuration required for IKE policy

Pre-share key authentication method: if pre-share key is specified as the authentication method in a policy, a pre-share key must be configured accordingly.

 

The setting of pre-share key

Set the shared secret on both IPSec peers. Note that a given pre-share key is shared between the two peers; the same key must be defined on both peers.

To configure the pre-share key, use the following command under global configuration state:

 

Step  Command                                    Objective
----  -----------------------------------------  ------------------------------------------------------------------
1     crypto isakmp key keystring peer-address   At the local peer: defines the shared secret used with the remote peer.
2     crypto isakmp key keystring peer-address   At the remote peer: defines the shared secret used with the local peer.

 

The clearing of IKE connection (Optional)

If required, the user can clear existing IKE connections. To clear IKE connections, use the following commands under management state:

Step  Command                                                 Objective
----  ------------------------------------------------------  ------------------------------
1     show crypto isakmp sa                                   Shows the existing ISAKMP SAs.
2     clear crypto isakmp [map map-name | peer ip-address]    Clears the ISAKMP connection.

 

IKE diagnosis (Optional)

To diagnose IKE, use the following commands under management state:

Command                      Objective
---------------------------  --------------------------------------------
show crypto isakmp policy    Shows the parameters of each IKE policy.
show crypto isakmp sa        Shows all current IKE security associations.
debug crypto isakmp          Shows debug information about IKE.

 

The next step

After completing the IKE configuration, the user can configure IPSec. Please refer to “Configuring IPSEC”.

Examples of IKE configuration

This example creates two IKE policies: policy 10 has the highest priority and policy 20 the second highest, while the default policy has the lowest priority. It also configures a pre-share key to be used with the remote peer whose IP address is 192.168.1.3.

 

crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 2
 lifetime 5000
crypto isakmp policy 20
 authentication pre-share
 lifetime 10000
crypto isakmp key 1234567890 192.168.1.3

 

In the above example, “encryption des” in policy 10 does not appear in the written configuration, because it is the default value of the encryption algorithm parameter.

If the user issues the “show crypto isakmp policy” command with this configuration, the router produces output similar to the following:

Protection suite of priority 10
     encryption algorithm:    DES  - Data Encryption Standard (56 bit keys).
     hash algorithm:          Message Digest 5
     authentication method:   Pre-Shared Key
     Diffie-Hellman group:    #2 (1024 bit)
     lifetime:                5000 seconds
Protection suite of priority 20
     encryption algorithm:    DES  - Data Encryption Standard (56 bit keys).
     hash algorithm:          Secure Hash Standard
     authentication method:   Pre-Shared Key
     Diffie-Hellman group:    #1 (768 bit)
     lifetime:                10000 seconds
Default protection suite
     encryption algorithm:    DES  - Data Encryption Standard (56 bit keys).
     hash algorithm:          Secure Hash Standard
     authentication method:   Pre-Shared Key
     Diffie-Hellman group:    #1 (768 bit)
     lifetime:                86400 seconds
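An added Python example (not part of the original manual) for auditing this output: it parses text in the "show crypto isakmp policy" format shown above and lists every suite that uses the DES, MD5 or 768-bit Diffie-Hellman choice, which "Setting value of policy parameters" compares against the stronger alternative. The sample text is constructed, and only the value strings that appear in this chapter are recognised.

```python
import re

# Constructed sample in the format of the "show crypto isakmp policy" output.
SAMPLE = """\
Protection suite of priority 10
     encryption algorithm:    DES  - Data Encryption Standard (56 bit keys).
     hash algorithm:          Message Digest 5
     authentication method:   Pre-Shared Key
     Diffie-Hellman group:    #2 (1024 bit)
     lifetime:                5000 seconds
Default protection suite
     encryption algorithm:    DES  - Data Encryption Standard (56 bit keys).
     hash algorithm:          Secure Hash Standard
     authentication method:   Pre-Shared Key
     Diffie-Hellman group:    #1 (768 bit)
     lifetime:                86400 seconds
"""

# Value patterns for the weaker of the two documented choices per parameter.
WEAK = {
    "encryption algorithm": re.compile(r"^DES\b"),
    "hash algorithm": re.compile(r"^Message Digest 5"),
    "Diffie-Hellman group": re.compile(r"^#1\b"),
}

def parse_suites(text):
    """Return {suite name: {field: value}} parsed from the show output."""
    suites, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue                      # tolerate blank lines between rows
        if not line[0].isspace():         # an unindented line starts a new suite
            current = suites.setdefault(line.strip(), {})
        elif current is not None and ":" in line:
            field, value = line.split(":", 1)
            current[field.strip()] = value.strip()
    return suites

def weak_settings(text):
    """Return sorted (suite, field, value) tuples that use a weaker choice."""
    return sorted(
        (name, field, fields[field])
        for name, fields in parse_suites(text).items()
        for field, pattern in WEAK.items()
        if field in fields and pattern.search(fields[field])
    )
```

Because the default protection suite is always present at the lowest priority, it shows up in the findings even when every configured policy uses the stronger values.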