From the preceding policy, we need to define the IKE Phase 1 policy in Table 8.2.

Table 8.2. IKE Peer Policies
Selecting the Authentication Method

Our IKE (ISAKMP) D-H authentication method is defined as using preshared keys. Remember, this preshared key is used to authenticate D-H (and in turn our neighbor); it is not used as an encryption key. Other authentication methods include encrypted nonces and RSA signatures.

Preshared Keys

Our IKE Phase 1 policy dictates that we use preshared keys. To implement this policy on R1, we enter the following commands:

R1(config)# crypto isakmp policy <priority>
R1(config-isakmp)# authentication pre-share

We then need to identify the secret preshared key, which the peer will also be using:

R1(config)# crypto isakmp key cisco address 30.200.200.2

Digital Certificates

If our IKE Phase 1 policy had dictated the use of RSA signatures, we would enter the following command:

R1(config-isakmp)# authentication rsa-sig

But to use RSA signatures, we would first need to create RSA keys as well as define our CA. CAs are necessary when using RSA signatures because they are the trusted third party that IPSec peers trust to sign digital certificates. Digital certificates are nothing more than certificates of trust. The CA that signs the digital certificate is certifying that the public key in the certificate, as well as all other parameters in the certificate, are indeed the property of a certain entity.

We need digital certificates because they contain the public key that validates the digital signatures we receive. A digital signature is nothing more than a hash encrypted with a private key. Because only the partnering public key (contained in the digital certificate) can decrypt the hash, we have created a measure of security that is close to absolutely secure. (Nothing is absolute in security.) If the receiver can decrypt the hash using the public key in the digital certificate he received, he is certain that he is indeed speaking with a peer who is who it claims to be. The problem is, how can we trust the public key in the digital certificate? The answer is simple: we have the digital certificate signed by a trusted third party, the CA!
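The following is an added worked configuration, not taken from the book, that carries the two authentication choices above through to a complete IKE Phase 1 setup on both peers. R2's address 30.200.200.2 and the key value cisco come from the text; R1's address 30.200.200.1, the trustpoint name MY-CA, the enrollment URL, and the policy parameters (AES-256, SHA-256, group 14, lifetime) are assumptions, since Table 8.2 is not reproduced here and the exact parameters available depend on the IOS release.

```cisco
! Added example (not from the book). R2 = 30.200.200.2 is from the text;
! R1 = 30.200.200.1 is a constructed address. Policy parameters are assumed.

! ===== R1: IKE Phase 1 policy using preshared keys =====
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# hash sha256
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 14
R1(config-isakmp)# lifetime 28800
R1(config-isakmp)# exit
! The key only authenticates the D-H exchange; it never encrypts traffic.
! "cisco" is the text's example value; use a long random secret in practice.
R1(config)# crypto isakmp key cisco address 30.200.200.2

! ===== R2: mirror image. The policy must match and the key must be identical =====
R2(config)# crypto isakmp policy 10
R2(config-isakmp)# encryption aes 256
R2(config-isakmp)# hash sha256
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 14
R2(config-isakmp)# lifetime 28800
R2(config-isakmp)# exit
R2(config)# crypto isakmp key cisco address 30.200.200.1

! ===== Verification from privileged EXEC (policy negotiated, SA state) =====
R1# show crypto isakmp policy
R1# show crypto isakmp sa

! ===== R1: the same policy with RSA signatures instead of preshared keys =====
! A hostname and domain name are required before RSA keys can be generated.
R1(config)# hostname R1
R1(config)# ip domain-name example.com
R1(config)# crypto key generate rsa modulus 2048
! Define the CA as a trustpoint; the enrollment URL is a placeholder.
R1(config)# crypto pki trustpoint MY-CA
R1(ca-trustpoint)# enrollment url http://<ca-server>/
R1(ca-trustpoint)# exit
! First fetch and verify the CA's own certificate, then enroll to obtain
! R1's certificate (the one that carries R1's public key to its peer).
R1(config)# crypto pki authenticate MY-CA
R1(config)# crypto pki enroll MY-CA
! Switch the Phase 1 policy to certificate-based authentication.
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# authentication rsa-sig
```

Both peers must end up with matching Phase 1 parameters; if the policies differ, show crypto isakmp sa shows no established SA, which is the first thing to check when the tunnel does not come up. In the RSA-signature variant, crypto pki authenticate is the step that establishes trust in the CA's public key (the question the text closes on), so the fingerprint it displays should be compared against the value obtained from the CA out of band before accepting it.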