Defining IKE Phase 1 Policy


From the preceding policy, we need to define the IKE Phase 1 policy shown in Table 8.2.

Table 8.2. IKE Peer Policies

Policy                 R1 Configuration   R2 Configuration
Preshared key          cisco              cisco
Encryption algorithm   DES                DES
Hash algorithm         SHA-1              SHA-1
D-H group              Group 1            Group 1
Phase 1 lifetime       12 hours           12 hours

Selecting the Authentication Method

Our IKE (ISAKMP) D-H authentication method is defined as using preshared keys. Remember, this preshared key is used to authenticate the D-H exchange (and in turn our neighbor); it is not used as an encryption key. Other authentication methods include encrypted nonces and RSA signatures.

Preshared Keys

Our IKE Phase 1 policy dictates that we use preshared keys. To implement this policy on R1, we enter the following command:

 
 R1(config)# crypto isakmp policy <priority>
 R1(config-isakmp)# authentication pre-share

We then need to specify the secret preshared key and the peer address that will also be using this key:

 
 R1(config)# crypto isakmp key cisco address 30.200.200.2

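
The complete R1 and R2 IKE Phase 1 configuration for Table 8.2, added here as an example rather than taken from the chapter; it assumes policy priority 10 (any matching number works) and uses a placeholder for R1's address, which the chapter does not give:

```cisco
! R1: IKE Phase 1 (ISAKMP) policy matching Table 8.2
! Priority 10 is an assumption; both peers must offer an identical policy.
crypto isakmp policy 10
 ! preshared key authenticates the D-H exchange (not an encryption key)
 authentication pre-share
 ! Table 8.2: DES encryption, SHA-1 hash, D-H Group 1
 encryption des
 hash sha
 group 1
 ! Table 8.2: 12 hours, which IOS takes in seconds
 lifetime 43200
! Key "cisco" bound to R2's address from the chapter
crypto isakmp key cisco address 30.200.200.2

! R2: mirror policy; <R1-ADDRESS> is a placeholder, the chapter does not give it
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 43200
crypto isakmp key cisco address <R1-ADDRESS>

! Verify the policy each router will offer (run from privileged EXEC)
! R1# show crypto isakmp policy
```

Phase 1 only completes when both peers find a policy whose parameters match, so compare the output of show crypto isakmp policy on each router when negotiation fails.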
Digital Certificates

If our IKE Phase 1 policy had dictated the use of RSA signatures, we would enter the following command instead:

 
 R1(config-isakmp)# authentication rsa-sig

But to use RSA signatures, we would first need to generate RSA keys as well as define our CA. CAs are necessary when using RSA signatures because they are the trusted third party that IPSec peers rely on to sign digital certificates.

Digital certificates are nothing more than certificates of trust. The CA that signs the digital certificate is certifying that the public key in the certificate, as well as all other parameters in the certificate, indeed belong to a certain entity.

We need digital certificates because they contain the public key that validates the digital signatures we receive. A digital signature is nothing more than a hash encrypted with a private key. Because only the matching public key (contained in the digital certificate) can decrypt that hash, this gives us a measure of security that is close to absolute. (Nothing in security is absolute.) If the receiver can decrypt the hash using the public key in the digital certificate he received, he can be confident that he is indeed speaking with a peer who is who it claims to be.

The problem is, how can we trust the public key in the digital certificate? The answer is simple: we have the digital certificate signed by a trusted third party, the CA!

Alert: SHA-1 is stronger than MD5.

Alert: 3DES is stronger than DES.

Alert: RSA signatures are stronger than preshared keys.

CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
EAN: N/A
Year: 2003
Pages: 291
Authors: Raman Sud