User guide
Chapter 4. Configuring Special Features 123
Security Associations (SAs)
A Security Association (SA) is an instance of security policy and keying material applied to a data flow. Both IKE and IPSec use SAs. An IKE SA is used by IKE only, and unlike IPSec SAs, it is bi-directional. Because it is bi-directional, only one IKE SA is needed for a secure connection.
After an IKE SA is established, any number of IPSec SAs may be created. Although IPSec SAs can be configured manually, most networks rely on IKE to set them up. IKE negotiates and establishes SAs on behalf of IPSec. SAs are negotiated between the two endpoints of the tunnel and contain information on sequence numbering for anti-replay.
IPSec SAs are unidirectional, so a set of SAs is needed for a secure connection: one per direction (inbound and outbound) per protocol. If a connection uses both the ESP and AH security protocols, IKE needs to establish two SAs for each direction, requiring a total of four SAs for the connection.
IKE negotiates SAs in the following sequence:
Phase 1 IKE:
The session initiator creates a cookie and sends it to the responder, with a zero placeholder in the responder
cookie area. The responder then creates a cookie and fills in the zeros. All packets will contain these two
cookies until the Phase 1 SA expires. IKE Peer commands next establish the identity of local and remote
peers. Then IKE Proposal commands specify how packets will be encrypted and/or authenticated for the
initial exchange.
Phase 2 IKE:
IKE IPSec Proposal commands specify how packets will be encrypted/authenticated for the final SA. Then
IKE IPSec Policy commands specify which packets will be encrypted/authenticated for the final SA.
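As an added illustration that is not the router's own code or command syntax, the Phase 1 cookie exchange described above can be modelled on the ISAKMP header layout from RFC 2408: the initiator sends its cookie with a zeroed responder cookie, the responder fills in its own, and every later packet must carry the same pair or be dropped. The addresses, secrets and the Responder class are constructed for this example.

```python
# Added example: minimal model of the IKE Phase 1 cookie exchange on the
# ISAKMP header (RFC 2408). Addresses and secrets below are constructed.
import hashlib
import hmac
import os
import struct
import time

# ISAKMP header: I-cookie(8) R-cookie(8) next payload(1) version(1)
# exchange type(1) flags(1) message ID(4) length(4) -> 28 bytes
HDR = struct.Struct("!8s8sBBBBII")
ZERO_COOKIE = bytes(8)          # placeholder sent before the responder answers
EXCH_MAIN_MODE = 2              # Identity Protection exchange (RFC 2408)

def make_cookie(secret: bytes, local: str, remote: str) -> bytes:
    """Cookie derived (as RFC 2408 recommends) from the address pair, a
    timestamp and a local secret, so it is unique per peer and hard to forge."""
    msg = f"{local}|{remote}|{time.time_ns()}|".encode() + os.urandom(8)
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]

def build_header(icookie, rcookie, exch_type, msg_id=0, body_len=0):
    # next payload 1 = SA payload, version 0x10 = ISAKMP 1.0, flags 0
    return HDR.pack(icookie, rcookie, 1, 0x10, exch_type, 0, msg_id,
                    HDR.size + body_len)

def parse_header(pkt: bytes) -> dict:
    if len(pkt) < HDR.size:
        raise ValueError("short ISAKMP header")
    ic, rc, _np, _ver, et, _flags, mid, length = HDR.unpack_from(pkt)
    return {"icookie": ic, "rcookie": rc, "exch": et,
            "msg_id": mid, "length": length}

class Responder:
    """Hypothetical responder: issues cookies and validates the pair."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.sessions = {}  # initiator cookie -> responder cookie (live Phase 1 SAs)

    def handle(self, pkt: bytes, peer_ip: str, my_ip: str):
        h = parse_header(pkt)
        if h["rcookie"] == ZERO_COOKIE:
            # First message: the placeholder is zero, so allocate our cookie.
            rc = make_cookie(self.secret, my_ip, peer_ip)
            self.sessions[h["icookie"]] = rc
            return build_header(h["icookie"], rc, h["exch"])
        # Later messages must carry exactly the pair we issued; otherwise drop.
        if self.sessions.get(h["icookie"]) != h["rcookie"]:
            return None
        return build_header(h["icookie"], h["rcookie"], h["exch"], h["msg_id"])
```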
IKE Commands
The Internet Key Exchange (IKE) process consists of two phases. In phase 1, a moderately secure connection is
established between the two security endpoints. This connection is used to exchange key and connection
information for the final SA, which is used to exchange user data.
You can use the following command to clear all IKE configuration information from the router.
ike flush
The other IKE commands relate to the four categories of information required to set up IKE in the router.
1. The IKE Peer commands establish the identity of the local and remote peers.
2. The IKE Proposal commands define the proposals exchanged during the Phase 1 exchange.
3. The IKE IPSec Proposal commands specify the parameters for the final SA.
4. The IKE IPSec Policy commands specify the filtering parameters for the final SA.