Configuring IKE


To use dynamic SAs, you must configure IKE. To define global IKE properties, which apply to all IKE proposals, include one or more of the following statements:

    [edit security ike]
    authentication-algorithm (md5 | sha1);
    authentication-method pre-shared-keys;
    dh-group (group1 | group2);
    encryption-algorithm (3des-cbc | des-cbc);
    lifetime-seconds seconds;

To define proposal-specific properties, include one or more of the following statements:

    [edit security ike proposal ike-proposal-name]
    authentication-algorithm (md5 | sha1);
    authentication-method pre-shared-keys;
    dh-group (group1 | group2);
    encryption-algorithm (3des-cbc | des-cbc);
    lifetime-seconds seconds;

You can configure one or more IKE proposals. Each proposal is a list of IKE attributes to protect the IKE connection between the IKE host and its peer. To configure an IKE proposal, include the proposal statement:

    [edit security ike]
    proposal ike-proposal-name;

To configure an IKE authentication algorithm, include the authentication-algorithm statement:

    authentication-algorithm (md5 | sha1);

The authentication algorithm can be one of the following:

  • md5: Produces a 128-bit digest

  • sha1: Produces a 160-bit digest

To configure an IKE authentication method, include the authentication-method statement and specify pre-shared-keys:

    authentication-method pre-shared-keys;

Diffie-Hellman is a public-key cryptography scheme that allows two parties to establish a shared secret over an insecure communications channel. It is also used within IKE to establish session keys. To configure an IKE Diffie-Hellman group, include the dh-group statement:

    dh-group (group1 | group2);

The group can be one of the following:

  • group1: IKE uses the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

  • group2: IKE uses the 1,024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange. group2 provides more security but requires more processing time.

To configure an IKE encryption algorithm, include the encryption-algorithm statement:

    encryption-algorithm (3des-cbc | des-cbc);

The encryption algorithm can be one of the following:

  • 3des-cbc: Block size is 24 bytes, and key length is 192 bits

  • des-cbc: Block size is 8 bytes, and key length is 48 bits

An IKE SA has a lifetime. When the SA expires, it is replaced by a new SA (and SPI) or terminated. To configure the IKE lifetime, include the lifetime-seconds statement and specify the number of seconds (180 through 4,294,967,295):

    lifetime-seconds seconds;

An IKE policy defines a combination of security parameters (IKE proposals) to be used during IKE negotiation. It defines a peer address, the preshared key for the given peer, and the proposals needed for that connection. During the IKE negotiation, IKE looks for an IKE policy that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match.

A match is made when both policies from the two peers have a proposal that contains the same configured attributes. If the lifetimes are not identical, the shorter lifetime between the two policies (from the host and peer) is used. The configured preshared key must also match its peer.

You can create multiple, prioritized proposals at each peer to ensure that at least one proposal will match a remote peer's proposal. First, you configure one or more IKE proposals; then you associate these proposals with an IKE policy. You can also prioritize a list of proposals used by IKE in the policy statement by listing the proposals you want to use, from first to last.

To configure an IKE policy, include the policy statement. The IKE policy peer address must be an IPSec tunnel destination address.

    [edit security ike]
    policy ike-peer-address [ ike-proposal ];

IKE policy has two modes: aggressive and main. By default, main mode is enabled. Main mode uses six messages, in three exchanges, to establish the IKE SA. (These three steps are IKE SA negotiation, a Diffie-Hellman exchange, and authentication of the peer.) Main mode also allows a peer to hide its identity. Aggressive mode also establishes an authenticated IKE SA and keys. However, aggressive mode uses half the number of messages, has less negotiation power, and does not provide identity protection. The peer can use the aggressive or main mode to start IKE negotiation; the remote peer accepts the mode sent by the peer. To configure IKE policy mode, include the mode statement:

    [edit security ike policy ike-peer-address]
    mode (aggressive | main);

The IKE policy proposal is a list of one or more proposals associated with an IKE policy. To configure an IKE policy proposal, include the proposal statement:

    [edit security ike policy ike-peer-address]
    proposal [ ike-proposal-names ];

IKE policy preshared keys authenticate peers. You must manually configure a preshared key, which must match that of its peer. The preshared key can be an ASCII text (alphanumeric) key or a hexadecimal key. To configure an IKE policy preshared key, include the pre-shared-key statement:

    [edit security ike policy ike-peer-address]
    pre-shared-key (ascii-text key | hexadecimal key);
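The statements above assembled into one complete [edit security ike] hierarchy, as an added example that is not from the book: two proposals listed in priority order under a single policy, a global lifetime, main mode, and an ASCII preshared key. The peer address 192.0.2.1, the proposal names and the key value are constructed placeholders.

```junos
/* Added example, not from the Field Guide: peer address, proposal names */
/* and the key value are constructed placeholders.                       */
security {
    ike {
        /* Global property: applies to all IKE proposals (180..4294967295 s). */
        /* If the peer configures a shorter lifetime, the shorter one is used. */
        lifetime-seconds 28800;

        /* Preferred proposal: SHA-1 digest and the 1,024-bit DH group,       */
        /* which the text notes is the stronger of the two groups offered.    */
        proposal strong-ike {
            authentication-method pre-shared-keys;
            authentication-algorithm sha1;
            dh-group group2;
            encryption-algorithm 3des-cbc;
        }

        /* Fallback proposal, offered only if the peer rejects strong-ike.    */
        /* Remove it once every peer negotiates the preferred set.            */
        proposal fallback-ike {
            authentication-method pre-shared-keys;
            authentication-algorithm md5;
            dh-group group1;
            encryption-algorithm 3des-cbc;
        }

        /* Policy keyed by the IPSec tunnel destination address of the peer.  */
        policy 192.0.2.1 {
            /* Main mode: six messages, peer identity protected.              */
            mode main;
            /* Proposals are tried first to last; the peer's policy must     */
            /* contain a proposal with identical attributes for a match.      */
            proposal [ strong-ike fallback-ike ];
            /* Must match the key configured on 192.0.2.1 exactly.            */
            pre-shared-key ascii-text "REPLACE-WITH-SHARED-SECRET";
        }
    }
}
```

On the remote peer, the mirror-image policy names this device's tunnel destination address and carries the same preshared key, and its proposal list needs at least one entry whose attributes equal strong-ike or fallback-ike for negotiation to succeed.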


Juniper Networks Field Guide and Reference
ISBN: 0321122445
Year: 2002
Pages: 185
