Specifications
138 Chapter 5. Configuring Software Options
Additional IKE Settings
In addition to the peer identification and shared secret described earlier, IKE requires that the router be configured
with the following information:
• Session authentication
• Phase 1 IKE message authentication
• Phase 1 IKE message encryption
• One of the following for each IKE proposal:
  – IPSec AH packet authentication
  – IPSec ESP data authentication
  – IPSec ESP data encryption
  – IPSec ESP data authentication and data encryption
• Diffie-Hellman key generation group
• IPSec policy (filter) setup
• Policy and peer associations
• Policy and proposal associations
Security Associations (SAs)
A Security Association (SA) is an instance of security policy and keying material applied to a data flow. Both IKE
and IPSec use SAs. An IPSec SA is unidirectional: it applies to only one direction of data flow. An IKE SA is
bidirectional, so a single IKE SA is enough to protect the negotiation between two peers.
After an IKE SA is established, any number of IPSec SAs can be created under it. Although IPSec SAs can be
configured manually, most networks rely on IKE to set them up; IKE negotiates and establishes the IPSec SAs on
behalf of IPSec. SAs are negotiated between the two endpoints of the tunnel and carry, in addition to the agreed
algorithms and keys, the sequence-number state used for anti-replay protection. Because a manually keyed SA
cannot be rekeyed automatically when its sequence counter is exhausted, anti-replay protection is only provided
for SAs set up by IKE.
IPSec SAs are unidirectional, so a secure connection needs a set of them: for each security protocol in use, one SA
in each direction (inbound and outbound). Usually only one protocol (ESP or AH) is used, so the connection uses
two SAs (one inbound and one outbound). A connection that uses two proposals and policies, one requiring the
ESP protocol and the other requiring the AH protocol, needs four SAs.
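The following is an added example, not code from this router or its documentation. It models the SA set just described (one IPsec SA per protocol per direction, so two SAs for ESP alone and four for ESP plus AH) together with the sequence-number anti-replay window that each inbound SA carries. The window check follows the sliding-window scheme of RFC 4303; the class and function names, the SPI values and the 64-packet window size are assumptions chosen for illustration.

```python
# Added example, not the router's own code. Models the SA set a connection
# needs (one SA per protocol per direction) and the anti-replay sequence
# window kept on each inbound SA. Names, SPIs and the 64-packet window
# size are assumptions chosen for illustration.
from dataclasses import dataclass


@dataclass
class IPsecSA:
    spi: int
    protocol: str          # "ESP" or "AH"
    direction: str         # "inbound" or "outbound"
    window_size: int = 64  # anti-replay window, in packets
    highest_seq: int = 0   # highest sequence number accepted so far
    window: int = 0        # bitmap: bit d set => (highest_seq - d) already received

    def accept(self, seq: int) -> bool:
        """Sliding-window anti-replay check (RFC 4303 style) for one
        received sequence number. Returns True if the packet is new and
        inside the window, False if it is a replay or too old. Only inbound
        SAs track this state; the outbound side just increments a counter."""
        if self.direction != "inbound":
            raise ValueError("anti-replay state is kept on inbound SAs only")
        if seq == 0:
            return False                       # 0 is never a valid ESP/AH sequence number
        if seq > self.highest_seq:
            # Newer than anything seen: slide the window to the right.
            shift = seq - self.highest_seq
            if shift < self.window_size:
                self.window = ((self.window << shift) | 1) & ((1 << self.window_size) - 1)
            else:
                self.window = 1                # jumped past the whole window
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= self.window_size:
            return False                       # fell off the left edge: too old
        if (self.window >> diff) & 1:
            return False                       # already received: replay
        self.window |= 1 << diff
        return True


def build_sa_set(protocols, first_spi=0x1000):
    """Return the IPsec SAs a connection needs: one per protocol per
    direction. ["ESP"] gives two SAs, ["ESP", "AH"] gives four."""
    sas = []
    spi = first_spi
    for proto in protocols:
        if proto not in ("ESP", "AH"):
            raise ValueError(f"unknown IPsec protocol {proto!r}")
        for direction in ("inbound", "outbound"):
            sas.append(IPsecSA(spi=spi, protocol=proto, direction=direction))
            spi += 1
    return sas


def inbound(sas, protocol):
    """Pick the inbound SA for a protocol from an SA set."""
    return next(s for s in sas if s.protocol == protocol and s.direction == "inbound")


if __name__ == "__main__":
    sas = build_sa_set(["ESP", "AH"])
    print(len(sas), "SAs:", [(hex(s.spi), s.protocol, s.direction) for s in sas])
    esp_in = inbound(sas, "ESP")
    # Constructed sequence of inbound ESP sequence numbers: in order, out of
    # order, a replay, a big jump, and a packet that is by then too old.
    for seq in (1, 2, 5, 3, 3, 200, 136, 137):
        print(seq, "accepted" if esp_in.accept(seq) else "rejected")
```

Running the script shows why the state lives on the inbound SA only: the receiver needs the window to reject the repeated 3 and the stale 136, while the sender simply counts upward. Extending the window beyond 64 bits is a matter of the `window_size` field; real implementations also handle the 32-bit counter wrap by rekeying, which this model leaves out.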
IKE negotiates SAs in the following sequence:
Phase 1 IKE:
The session initiator creates a cookie and sends it to the responder, with the responder cookie field of the ISAKMP
header set to zero as a placeholder. The responder then creates its own cookie and fills in that field. Every
subsequent packet carries both cookies until the Phase 1 SA expires, and the cookie pair is what each side uses to
match a packet to the correct IKE SA. IKE Peer commands next establish the identity of the local and remote peers.
IKE Proposal commands then specify how packets in the initial exchange are encrypted and/or authenticated.
Phase 2 IKE:
IKE IPSec Proposal commands specify how packets are encrypted and/or authenticated under the final (IPSec) SA.
IKE IPSec Policy commands then specify which packets are protected by that SA.
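The cookie handshake described under Phase 1 above, as an added example that is not part of the original manual or the router's implementation: both sides are driven through the exchange at the ISAKMP header level (the 28-byte layout of RFC 2408), including a later Phase 2 message that reuses the same cookie pair under a non-zero message ID. Only the header is modelled; the SA, key-exchange and identity payloads, and the IKE Peer and IKE Proposal settings, are out of scope. Random 8-byte cookies and the class and function names are assumptions; RFC 2408 recommends deriving cookies from the addresses, ports, a timestamp and a local secret.

```python
# Added example, not the router's code: the Phase 1 cookie handshake at the
# ISAKMP header level (RFC 2408 layout, 28 bytes). Only the header is
# modelled; SA/KE/ID payloads and the IKE Peer / IKE Proposal settings are
# out of scope. Random 8-byte cookies are an assumption; RFC 2408 recommends
# deriving them from addresses, ports, a timestamp and a local secret.
import os
import struct

HDR = struct.Struct("!8s8sBBBBII")  # i-cookie, r-cookie, next payload, version,
                                    # exchange type, flags, message ID, length
ZERO_COOKIE = b"\x00" * 8
NEXT_PAYLOAD_SA = 1        # first payload in message 1 is the SA proposal
ISAKMP_VERSION = 0x10      # major 1, minor 0
EXCH_MAIN_MODE = 2         # Identity Protection exchange (IKEv1 Main Mode)
EXCH_QUICK_MODE = 32       # Phase 2 exchange; reuses the Phase 1 cookie pair
FLAG_ENCRYPTED = 0x01


def new_cookie() -> bytes:
    return os.urandom(8)


def build_header(i_cookie, r_cookie, exchange=EXCH_MAIN_MODE, flags=0,
                 msg_id=0, next_payload=NEXT_PAYLOAD_SA, body=b""):
    """Serialize one ISAKMP message: fixed header followed by the payloads."""
    return HDR.pack(i_cookie, r_cookie, next_payload, ISAKMP_VERSION, exchange,
                    flags, msg_id, HDR.size + len(body)) + body


def parse_header(pkt: bytes) -> dict:
    """Parse and sanity-check an ISAKMP header; raise ValueError on damage."""
    if len(pkt) < HDR.size:
        raise ValueError("truncated ISAKMP header")
    i_c, r_c, npl, ver, exch, flags, msg_id, length = HDR.unpack_from(pkt)
    if ver != ISAKMP_VERSION:
        raise ValueError(f"unsupported ISAKMP version {ver:#x}")
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    return {"i_cookie": i_c, "r_cookie": r_c, "next_payload": npl,
            "exchange": exch, "flags": flags, "msg_id": msg_id, "length": length}


class Responder:
    """Responder side: allocates its cookie on the first message and then
    only accepts packets whose cookie pair matches a live Phase 1 SA."""

    def __init__(self):
        self.phase1 = {}   # (i_cookie, r_cookie) -> state

    def handle(self, pkt: bytes) -> bytes:
        h = parse_header(pkt)
        if h["r_cookie"] == ZERO_COOKIE:
            # Message 1: initiator left our cookie zeroed; fill it in.
            r_c = new_cookie()
            self.phase1[(h["i_cookie"], r_c)] = "negotiating"
            return build_header(h["i_cookie"], r_c, exchange=h["exchange"])
        if (h["i_cookie"], h["r_cookie"]) not in self.phase1:
            # Wrong pair: forged, stale, or the Phase 1 SA already expired.
            raise ValueError("no Phase 1 SA for this cookie pair")
        # Every later packet (rest of Phase 1, and Phase 2 Quick Mode under a
        # non-zero message ID) carries the same two cookies.
        return build_header(h["i_cookie"], h["r_cookie"], exchange=h["exchange"],
                            flags=h["flags"], msg_id=h["msg_id"])


def run_cookie_exchange():
    """Drive both sides through the cookie handshake and into a Phase 2
    message; returns the cookie pair and the parsed final reply."""
    responder = Responder()
    i_c = new_cookie()
    msg1 = build_header(i_c, ZERO_COOKIE)                   # responder cookie is the zero placeholder
    msg2 = responder.handle(msg1)                           # responder fills in its cookie
    r_c = parse_header(msg2)["r_cookie"]
    msg3 = build_header(i_c, r_c)                           # later Phase 1 packets carry both
    responder.handle(msg3)
    quick = build_header(i_c, r_c, exchange=EXCH_QUICK_MODE,
                         flags=FLAG_ENCRYPTED, msg_id=0x1234)  # Phase 2 under the same pair
    reply = parse_header(responder.handle(quick))
    return i_c, r_c, reply


if __name__ == "__main__":
    i_c, r_c, reply = run_cookie_exchange()
    print("initiator cookie", i_c.hex(), "responder cookie", r_c.hex())
    print("phase 2 reply exchange", reply["exchange"], "msg id", hex(reply["msg_id"]))
```

The responder's lookup on the cookie pair is the check that matters in practice: a packet carrying a pair the responder never issued, or one whose Phase 1 SA has expired, is rejected before any payload is examined, which is what lets the cookies serve as a cheap first filter against spoofed negotiation traffic.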