To use dynamic SAs, you must configure IKE. To define global IKE properties, which apply to all IKE proposals, include one or more of the following statements:

    [edit security ike]
    authentication-algorithm (md5 | sha1);
    authentication-method pre-shared-keys;
    dh-group (group1 | group2);
    encryption-algorithm (3des-cbc | des-cbc);
    lifetime-seconds seconds;

To define proposal-specific properties, include one or more of the following statements:

    [edit security ike proposal ike-proposal-name]
    authentication-algorithm (md5 | sha1);
    authentication-method pre-shared-keys;
    dh-group (group1 | group2);
    encryption-algorithm (3des-cbc | des-cbc);
    lifetime-seconds seconds;

You can configure one or more IKE proposals. Each proposal is a list of IKE attributes used to protect the IKE connection between the IKE host and its peer. To configure an IKE proposal, include the proposal statement:

    [edit security ike]
    proposal ike-proposal-name;

To configure an IKE authentication algorithm, include the authentication-algorithm statement:

    authentication-algorithm (md5 | sha1);

The authentication algorithm can be one of the following:
To configure an IKE authentication method, include the authentication-method statement and specify pre-shared-keys:

    authentication-method pre-shared-keys;

Diffie-Hellman is a public-key cryptography scheme that allows two parties to establish a shared secret over an insecure communications channel. It is also used within IKE to establish session keys. To configure an IKE Diffie-Hellman group, include the dh-group statement:

    dh-group (group1 | group2);

The group can be one of the following:
To configure an IKE encryption algorithm, include the encryption-algorithm statement:

    encryption-algorithm (3des-cbc | des-cbc);

The encryption algorithm can be one of the following:
An IKE SA has a lifetime. When the SA expires, it is replaced by a new SA (and SPI) or terminated. To configure the IKE lifetime, include the lifetime-seconds statement and specify the number of seconds (180 through 4,294,967,295):

    lifetime-seconds seconds;

An IKE policy defines a combination of security parameters (IKE proposals) to be used during IKE negotiation. It defines a peer address, the preshared key for the given peer, and the proposals needed for that connection. During the IKE negotiation, IKE looks for an IKE policy that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match. A match is made when the policies of the two peers each contain a proposal with the same configured attributes. If the lifetimes are not identical, the shorter lifetime of the two policies (from the host and the peer) is used. The configured preshared key must also match that of the peer.

You can create multiple, prioritized proposals at each peer to ensure that at least one proposal will match a remote peer's proposal. First, you configure one or more IKE proposals; then you associate these proposals with an IKE policy. You can also prioritize the list of proposals used by IKE in the policy statement by listing the proposals you want to use, from first to last. To configure an IKE policy, include the policy statement. The IKE policy peer address must be an IPSec tunnel destination address.

    [edit security ike]
    policy ike-peer-address [ ike-proposal ];

IKE policy has two modes: aggressive and main. By default, main mode is enabled. Main mode uses six messages, in three exchanges, to establish the IKE SA. (These three steps are IKE SA negotiation, a Diffie-Hellman exchange, and authentication of the peer.) Main mode also allows a peer to hide its identity. Aggressive mode also establishes an authenticated IKE SA and keys. However, aggressive mode uses half the number of messages, has less negotiation power, and does not provide identity protection. The peer can use aggressive or main mode to start the IKE negotiation; the remote peer accepts the mode sent by the peer. To configure the IKE policy mode, include the mode statement:

    [edit security ike policy ike-peer-address]
    mode (aggressive | main);

The IKE policy proposal is a list of one or more proposals associated with an IKE policy. To configure an IKE policy proposal, include the proposal statement:

    [edit security ike policy ike-peer-address]
    proposal [ ike-proposal-names ];

IKE policy preshared keys authenticate peers. You must manually configure a preshared key, which must match that of its peer. The preshared key can be an ASCII text (alphanumeric) key or a hexadecimal key. To configure an IKE policy preshared key, include the pre-shared-key statement:

    [edit security ike policy ike-peer-address]
    pre-shared-key (ascii-text key | hexadecimal key);
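The following configuration ties the statements above together: a global default, two prioritized IKE proposals, and one IKE policy keyed by the IPsec tunnel destination address. It is added here as an example and is not taken from the original page or from Juniper's own documentation. The peer address 192.0.2.1, the proposal names, the lifetime values, the preshared-key placeholder and the curly-brace layout of the hierarchy are assumptions made for the example; the statement names and keyword values are the ones the page lists.

```junos
/* Added example, not from the original page. Hierarchy is shown in
   brace form; peer address, names, lifetimes and the key are assumed. */
security {
    ike {
        /* Global properties: inherited by every proposal that does not
           override them. Only preshared keys are supported as the
           authentication method on this page. */
        authentication-method pre-shared-keys;
        lifetime-seconds 28800;

        /* Preferred proposal: stronger digest, larger DH group, 3DES.
           Its own lifetime overrides the global one. */
        proposal ike-prop-strong {
            authentication-algorithm sha1;
            dh-group group2;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }

        /* Fallback proposal using the weaker options, offered only if the
           peer cannot match ike-prop-strong. Inherits the global lifetime. */
        proposal ike-prop-compat {
            authentication-algorithm md5;
            dh-group group1;
            encryption-algorithm des-cbc;
        }

        /* The policy name is the IPsec tunnel destination address.
           Proposals are tried in the order listed, first to last. */
        policy 192.0.2.1 {
            mode main;
            proposal [ ike-prop-strong ike-prop-compat ];
            /* Placeholder value: replace with the key configured on the peer. */
            pre-shared-key ascii-text "REPLACE-WITH-SHARED-KEY";
        }
    }
}
```

For the negotiation to succeed, the router at 192.0.2.1 needs a policy for this router's tunnel address with the same preshared key and at least one proposal whose attributes match one of the two listed here. If that matching proposal on the peer carries a shorter lifetime than the 3600 seconds configured in ike-prop-strong, the shorter value is the one the SA will use. Listing ike-prop-strong first means the weaker md5, group1 and des-cbc combination is only negotiated when the peer cannot match the first proposal, which keeps the fallback from silently becoming the default.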