configure Internet key exchange security protocol
The procedure IKE configuration
This chapter discusses how to
configure Internet Key Exchange (IKE) protocol. IKE is a key management protocol
standard, used with IPSec standard. IPSec may not use IKE, but IKE enhances the
function of IPSec through the provision of extra functions, flexibility and
easier configuration of IPSec. IKE is a mixed protocol, this protocol realized
Oakley key exchange and Skeme key exchange within the framework of internet
security association and key management protocol (ISAKMP).(ISAKMP, Oakley and
Skeme are the security protocols
for IKE to be realized).
IKE can
automatically process IPSec security association (SA), no need to pre-configure
manually yet able to carry out IPSec security communication. IKE provides the
following benefits:
IKE avoids manual
setting of all IPSec security parameters in the encryption map of two sides of
communication.
IKE permits to
define life cycle of IPSec security association.
IKE permits to
change encryption key during the process of IPSec conversation.
IKE permits IPSec to
provide anti-replay service.
IKE permits dynamic authentication between the peers.
Standards supported
The router realizes
the following standards:
IPSec------IPSec is
an open standard system which provides data encryption, data integrity and data
authentication services between the peers. IPSec provides these security
services at IP level, uses IKE to negotiate protocol and algorithm, and
generates encryption and authentication key for IPSec. IPSec can be used to
protect one or more data streams between a pair of host computers, a pair of
security gateways or a security gateway and a host computer.
IKE----This mixed
protocol realizes Oakley and Skeme key exchange protocol in the ISAKMP
framework, and can be used together with other protocols, and its initial aim of
realization is to be used together with IPSec protocol. IKE provides the
authentication on the two peers on IPSec, negotiate IPSec key and IPSec security
association.
ISAKMP------This
protocol framework defines the format of payload to realize negotiation of the
mechanism of key exchange protocol and security association.
Oakley------A key
exchange protocol which defines how to acquire authentication key materials.
Skeme----A key
exchange protocol which defines how to acquire authentication key materials and
carry out quick key updating.
IKE realizing
techniques include the following contents:
DES------Data
Encryption Standard (DES).
3DES----3DES is used
to encrypt packet data.
Diffie-Hellman----A
key encrypted protocol, allows two groups to establish shared secrets on
non-secured communication channel. Diffie-Hellman uses and establishes
conversation key with IKE. The router supports 768 bit and 1024 bit
Diffie-Hellman group.
MD5 (HMAC variable)
-----MD5 is a kind of hash algorithm. HMAC is an encrypted hash variable used to
make authentication towards data.
SHA (HMAC variable) ------SHA is a kind of hash algorithm. HMAC is a encrypted hash variable used to make authentication towards data.
The procedure IKE configuration
Executes the tasks
in the following sections when configuring IKE. The tasks of the first three
sections is a must; others are optional, these all depend on the parameters
configured.
Guarantee the compatibility of access list with IKE
The clearing of IKE connection (Optional)
Regarding examples of IKE configuration, please refer to the section“Examples of IKE configuration” at the end of this section.
Guarantee
the compatibility of access list with IKE
IKE negotiates to use UDP on port 500. It guarantees that the communication on UDP port 500 is not prohibited on the interface used by IKE and IPSec. Under some circumstances, an additional rule is required in the access list to clearly permit packetsfrom UDP 500.
IKE policy is
required to establish on the two peers of IPSec. IKE policy defines the security
parameter combination used during the IKE negotiation.
In order to establish IKE policy, please take notice of the following questions:
The reasons to establish policy
Parameters defined in the policy
How
to complete a matching policy with IKE
Setting value of policy parameters
Extra
configuration required for IKE policy
创建策略的原因
The reasons to
establish policy
IKE negotiation should be protected, so each IKE negotiation starts
from achieving public IKE policy. This policy describes which security
parameters can be used to protect proceeding IKE negotiation.
After the two peers achieve a public IKE policy, the security
parameter of this policy has ISAKMP security association tag established on each
peer, during negotiation these security associations can be applied to all the
proceeding IKE communications.
Many
policies with different priorities should be established on both peers, in order
to guarantee that at least one policy can match the remote policy.
Parameters
defined in the policy
Defines 5 parameters
in each IKE policy:
Parameter |
Accepted value |
Key word |
Default value |
Encrypted algorithm |
56
bit DES-CBC 168
bit 3DES-CBC |
des 3des |
56 bit DES-CBC |
Hash algorithm |
SHA-1 MD5 |
sha md5 |
SHA-1 |
Authentication method |
Pre-shared
key RSA
signature RSA
real-time encryption |
pre-share rsa-sig rsa-encr |
Pre-share key |
Diffie-Hellman group tag |
768
bit Diffie-Hellman 1024
bit Diffie-Hellman |
1 2 |
768
bit Diffie-Hellman |
The life cycle of security association |
Can
be defined as any period of time between 60 and 86400 seconds |
- |
86400 seconds (one day) |
How
to complete a matching policy with IKE
When IKE negotiation starts, IKE is searching for an IKE policy of
the same on both peers. The peer that initiates negotiation sends all the
policies to the remote peer, but the remote peer will try to find a matching
policy. The remote peer searches for matching items via matching between the
policy with the highest priority and the received policy. The remote peer checks every policy
according to the order of priority (highest priority first) until finding a
matching policy.
It makes matching choice when policies from the both peers include
identical value of encrypted, hash, authentication and Diffied-Hellman
parameter, and the life cycle defined by the remote peer policy is less or equal
to the compared policy life cycle.
If no acceptable matching policy is found, IKE denies negotiation, and will not establish IPSec.
If a matching policy is found, IKE will complete the negotiation, and establish the IPSec security association.
NOTICE: Extra configuration of the parameter is needed according to
the different authentication methods defined by the policy.
Setting
value of policy parameters
There are two choices
for encrypted algorithm: 56 bit DES-CBC and 168-bit 3DES-CBC. 3DES-CB C is more
secure.
There are two choices
for hash algorithm: SHA-1 and MD5. MD5 has less abstract information and is
quicker than SHA-1. One of the attacks towards MD5 is proved to be successful
(but very difficult); however, the HMAC variable used by IKE can block this
attack.
There are three
choices for authentication method: currently, it only supports pre share key.
There are two choices
for Diffie-Hellman group: 768 bit or 1024 bit Diffie-Hellman. 1024bit
Diffie-Hellman is harder to attack but requires more CPU time.
The life cycle of the security association can be set as any value between 60-86400 seconds. The shorter the life cycle is, the more secure the IKE negotiation is. For longer life cycle, the latter IPSec security association can be set up quicker. For more information of this parameter and how to use it, please refer to the command description of lifetime (IKE policy) command.
The user may establish
many IKE policies, each corresponds to different parameters combination. For
each policy established, a sole priority should be assigned (1-10000, 1 stands
for the highest priority).
Multi-policy can be
set on each peer-but at least one of these policies must contain encryption,
hash, authentication and Diffie-Hellman parameter value which is identical with
one policy on remote terminal.
If no policy is set,
the router adopts a default policy which is always set to the lowest priority
and contains the default value of every parameter.
In order to set one policy, use the following commands under the global configuration mode:
Step |
command |
Objective |
1 |
crypto isakmp
policy priority |
Establishing
IKE policy (each solely tagged with priority) (this command enables you to
enter into ISAKMP policy configuration state) |
2 |
Defining
encrypted algorithm |
|
3 |
hash {sha |
md5} |
Defining
hash algorithm |
4 |
authentication { pre-share|rsa-sig|rsa-encr} |
Defining
authentication method |
5 |
group {1 | 2} |
Defining
Diffie-Hellman group |
6 |
lifetime seconds |
Defining
life cycle of IKE security association |
7 |
exit |
Exit
ISAKMP policy configuration state |
8 |
show crypto isakmp
policy |
(Optional)
Showing all existed IKE policy (Using this command under management state) |
If no value is assigned to the parameter, default value
applies.
NOTICE: When sending “show running” command, the default policy and the default value of configured policy are not shown in the configuration. Use “show crypto isakmp policy” command to check the default value of default policy and the configured policy.
Extra
configuration required for IKE policy
Pre-share key authentication method: if pre-share key is assigned
as the authentication method in the policy, pre-shared key should be equipped
accordingly.
Setting shared secret on both peers of IPSec. Pre-share key provided by the NOTICE is shared on both peers. A same key should be defined on both peers.
Using the following command under global configuration state if the user wants to reconfigure pre-share key:
Step |
command |
Objective |
1 |
crypto isakmp key keystring
peer-address |
At local peer: defining shared secret used together
with the remote peer. |
2 |
crypto isakmp key keystring
peer-address |
At remote peer: defining shared secret used together
with the local peer. |
The
clearing of IKE connection (Optional)
If required, the user
can clear the existed IKE connection. In order to clear IKE connection, the user
can use the following commands under management state:
Step |
command |
Objective |
1 |
Showing existed isakmp SA |
|
2 |
clear crypto isakmp [map map-name | peer ip-address] |
Clearing isakmp connection |
command |
Objective |
Shows parameters of IKE policy |
|
Shows all current IKE security associations |
|
Shows debug information concerning IKE |
crypto isakmp policy 10
encryption des
hash md5
authentication pre-share
group 2
lifetime 5000
crypto isakmp policy 20
authentication pre-share
lifetime 10000
crypto isakmp key 1234567890 192.168.1.3
In the above example, encryption des in policy 10 will not appear
in the written configuration, because it is the default value of encryption
algorithm parameter.
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 5000 seconds
Protection suite of priority 20
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 10000 seconds
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds。