Product specifications
Efficient Networks® Router family Technical Reference Guide
Chapter 5: System Security
Additional IKE Settings
In addition to the peer identification and shared secret described earlier, IKE requires
that the router be configured with the following:
• Session authentication
• Phase 1 IKE message authentication
• Phase 1 IKE message encryption
• One of the following for each IKE proposal:
– IPSec AH packet authentication
– IPSec ESP data authentication
– IPSec ESP data encryption
– IPSec ESP data authentication and data encryption
• Diffie-Hellman key generation group
• IPSec policy (filter) setup
• Policy and peer associations
• Policy and proposal associations
Security Associations (SAs)
A Security Association (SA) is an instance of security policy and keying material
applied to a data flow. Both IKE and IPSec use SAs. An IPSec SA is unidirectional,
applying to only one direction of data flow. An IKE SA is bi-directional, so only
one IKE SA is needed for a secure connection.
After an IKE SA is established, any number of IPSec SAs may be created. Although
IPSec SAs can be configured manually, most networks rely on IKE to set them up.
IKE negotiates and establishes SAs on behalf of IPSec. SAs are negotiated between
the two endpoints of the tunnel and contain information on sequence numbering for
anti-replay.
Because IPSec SAs are unidirectional, a secure connection needs a set of them: for
each security protocol used, one SA is needed for each direction (inbound and
outbound). Usually only one protocol (ESP or AH) is used, so the connection uses
two SAs (one inbound and one outbound). A connection can use four SAs if it has
two proposals and policies, one requiring the ESP protocol and the other requiring
the AH protocol.
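The following is an added example, not code from this guide or from the Efficient Networks router. It models the SA set described above: a per-protocol inbound/outbound pair (two SAs for ESP or AH alone, four when both are used), the monotonically increasing sequence number an outbound SA stamps on each packet, and the receiver-side sliding-window anti-replay check an inbound SA keeps (the window scheme of RFC 4303). The SPI values, the 64-bit window size and the arrival orders are constructed for illustration.

```python
# Added example: model of IPsec Security Associations (SAs) with per-SA
# sequence numbering and a receiver-side anti-replay sliding window.
# Illustrative code, not the router's implementation. The SPI base,
# WINDOW_SIZE and all sample sequence numbers are assumptions.
from dataclasses import dataclass

WINDOW_SIZE = 64          # assumed window; RFC 4303 requires at least 32
MAX_SEQ = 0xFFFFFFFF      # 32-bit sequence number space of ESP/AH


@dataclass
class SecurityAssociation:
    spi: int              # Security Parameter Index identifying this SA
    protocol: str         # "ESP" or "AH"
    direction: str        # "inbound" or "outbound"
    seq_out: int = 0      # outbound: last sequence number sent
    highest_seq: int = 0  # inbound: highest sequence number accepted so far
    window: int = 0       # inbound: bit d set <=> seq (highest_seq - d) was seen

    def next_sequence(self) -> int:
        """Outbound SAs number every packet; the counter must never wrap,
        so exhausting the space means a new SA must be negotiated."""
        assert self.direction == "outbound"
        if self.seq_out >= MAX_SEQ:
            raise OverflowError("sequence space exhausted; rekey with a new SA")
        self.seq_out += 1
        return self.seq_out

    def accept(self, seq: int) -> bool:
        """Inbound anti-replay check. Returns True if seq is new and not
        older than the window allows; False for a replay or a stale packet.
        Sequence number 0 is never valid on an IPsec SA."""
        assert self.direction == "inbound"
        if seq == 0:
            return False
        if seq > self.highest_seq:
            # Packet is ahead of the window: slide the window forward so that
            # bit 0 represents seq, and mark seq as seen.
            shift = seq - self.highest_seq
            if shift >= WINDOW_SIZE:
                self.window = 1
            else:
                self.window = ((self.window << shift) | 1) & ((1 << WINDOW_SIZE) - 1)
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= WINDOW_SIZE:
            return False          # too old: the window has moved past it
        bit = 1 << diff
        if self.window & bit:
            return False          # already received: replay
        self.window |= bit        # late but legitimate: record it
        return True


def build_sa_set(protocols, spi_base=0x1000):
    """Return the IPsec SAs a connection needs for the given protocols.
    SAs are unidirectional, so each protocol gets an outbound and an inbound SA:
    2 SAs for ESP or AH alone, 4 when both ESP and AH are required."""
    sas, spi = [], spi_base
    for proto in protocols:
        if proto not in ("ESP", "AH"):
            raise ValueError(f"unknown IPsec protocol: {proto}")
        for direction in ("outbound", "inbound"):
            sas.append(SecurityAssociation(spi=spi, protocol=proto, direction=direction))
            spi += 1
    return sas


def demo():
    """Send five ESP packets and replay one of them on the inbound SA.
    Constructed arrival order: 1, 3, 2, 3 (replay), 5, 4 (late but new)."""
    sas = build_sa_set(["ESP", "AH"])
    out_esp = next(s for s in sas if s.protocol == "ESP" and s.direction == "outbound")
    in_esp = next(s for s in sas if s.protocol == "ESP" and s.direction == "inbound")
    sent = [out_esp.next_sequence() for _ in range(5)]
    verdicts = [in_esp.accept(n) for n in (1, 3, 2, 3, 5, 4)]
    return len(sas), sent, verdicts


if __name__ == "__main__":
    count, sent, verdicts = demo()
    print(f"{count} SAs; sent {sent}; inbound verdicts {verdicts}")
```

The window is kept as an integer bitmask so that sliding it forward is a single shift; a real implementation also binds the check to the SPI and to successful integrity verification, since a sequence number that fails authentication must not advance the window.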
IKE negotiates SAs in the following sequence:
Phase 1 IKE: