IKE Phase 1 Policy Parameters

[Figure: IKE Phase 1 Policy Parameters. Columns: Parameter, Strong, Stronger. Rows: Encryption Algorithm (DES / 3DES); Hash Algorithm (MD5 / SHA-1); Authentication Method (Preshared / RSA Encryption, RSA Signature); Key Exchange (D-H Group 1 / D-H Group 2); IKE SA Lifetime (86,400 seconds / <86,400 seconds).]

© 2004 Cisco Systems, Inc. All rights reserved. bcran v2.1—5-4

An IKE policy defines a combination of security parameters that are used during the IKE negotiation. A group of policies makes up a "protection suite" of multiple policies that enables IPSec peers to establish IKE sessions and establish SAs with a minimal configuration. The figure shows an example of possible combinations of IKE parameters that form either a strong or a stronger policy suite.

Create IKE Policies for a Purpose

Because IKE negotiations must be protected, each IKE negotiation begins with each peer agreeing on a common (shared) IKE policy. This policy states which security parameters will be used to protect subsequent IKE negotiations.

After the two peers agree upon a policy, an SA established at each peer identifies the security parameters of the policy. These SAs apply to all subsequent IKE traffic during the negotiation.

You can create multiple, prioritized policies at each peer to ensure that at least one local policy will match a policy on the remote peer.

Define IKE Policy Parameters

You can select specific values for each IKE parameter, according to the IKE standard. You select one value over another based on the security level you want and the type of IPSec peer to which you will connect.

There are five parameters to define in each IKE policy, as shown in the figure and in the table here. The figure shows the relative strength of each parameter. The table shows the default values.

IKE Policy Parameters

| Parameter | Accepted Values | Keyword | Default |
|---|---|---|---|
| Message encryption algorithm | DES, 3DES | des, 3des | 56-bit DES-CBC |
| Message integrity (hash) algorithm | SHA-1 (HMAC variant), MD5 (HMAC variant) | sha, md5 | SHA-1 |
| Peer authentication method | Preshared keys, RSA encrypted nonces, RSA signatures | pre-share, rsa-encr, rsa-sig | RSA signatures |
| Key exchange parameters (Diffie-Hellman group identifier) | 768-bit Diffie-Hellman or 1024-bit Diffie-Hellman | 1, 2 | 768-bit Diffie-Hellman |
| ISAKMP-established security association lifetime | Can specify any number of seconds | | 86,400 sec (one day) |

You can select specific values for each ISAKMP parameter per the ISAKMP standard. You select one value over another based on the security level you want and the type of IPSec peer to which you will connect. There are five parameters to define in each IKE policy as presented in the table here. The table shows the relative strength of each parameter.

| Parameter | Strong | Stronger |
|---|---|---|
| Message encryption algorithm | DES | 3DES |
| Message integrity (hash) algorithm | MD5 | SHA-1 |
| Peer authentication method | Preshare | RSA encryption, RSA signature |
| Key exchange parameters (Diffie-Hellman group identifier) | D-H Group 1 | D-H Group 2 |
| ISAKMP-established security association lifetime | 86,400 sec | <86,400 sec |

You should determine IKE policy details for each peer before configuring IKE. The figure shows a summary of IKE policy details that will be configured in examples and later, in labs for this lesson. The authentication method of preshared keys is also covered in this lesson.
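The following is an added example, not Cisco code or course material: it models the prioritized-policy matching described above (each peer tries its policies in priority order until one matches the remote peer) and rates the agreed policy against the strong/stronger tiers and defaults from the two tables. The peer policy sets, the LOCAL/REMOTE names and the rule that the agreed lifetime is the shorter of the two peers' values are assumptions made for this model.

```python
"""Model of IKE phase 1 policy matching and strength rating.

Constructed example, not Cisco code: the parameter keywords, defaults
and strong/stronger tiers are the ones in the tables on this page.
"""

# Defaults from the "IKE Policy Parameters" table, in keyword form.
DEFAULTS = {
    "encryption": "des",        # 56-bit DES-CBC
    "hash": "sha",              # SHA-1 (HMAC variant)
    "authentication": "rsa-sig",
    "group": 1,                 # 768-bit Diffie-Hellman
    "lifetime": 86400,          # seconds (one day)
}

# Tier per accepted value: 0 = "strong" column, 1 = "stronger" column.
TIERS = {
    "encryption": {"des": 0, "3des": 1},
    "hash": {"md5": 0, "sha": 1},
    "authentication": {"pre-share": 0, "rsa-encr": 1, "rsa-sig": 1},
    "group": {1: 0, 2: 1},
}

# Constructed policy sets for two peers as (priority, settings); a lower
# priority number is tried first, as with prioritized IKE policies.
LOCAL = [
    (10, {"encryption": "3des", "hash": "sha", "authentication": "pre-share",
          "group": 2, "lifetime": 3600}),
    (20, {"encryption": "des", "hash": "md5", "authentication": "pre-share",
          "group": 1}),                        # lifetime left at the default
]
REMOTE = [
    (10, {"encryption": "3des", "hash": "sha", "authentication": "rsa-sig",
          "group": 2, "lifetime": 3600}),
    (20, {"encryption": "des", "hash": "md5", "authentication": "pre-share",
          "group": 1}),
]


def complete(policy):
    """Fill in any parameter the policy leaves unset with the table default."""
    return {**DEFAULTS, **policy}


def weaknesses(policy):
    """Names of parameters sitting in the 'strong' (not 'stronger') tier.

    The lifetime is reported when it is not shorter than the 86,400 s
    default, matching the '<86,400 sec' stronger value in the table.
    """
    p = complete(policy)
    weak = [name for name, tiers in TIERS.items() if tiers[p[name]] == 0]
    if p["lifetime"] >= DEFAULTS["lifetime"]:
        weak.append("lifetime")
    return weak


def negotiate(local, remote):
    """Return (local_priority, remote_priority, agreed_policy) or None.

    Walks the local policies in priority order and, for each, the remote
    ones, accepting the first pair whose encryption, hash, authentication
    and group all agree.  Assumption for this model: the agreed lifetime
    is the shorter of the two peers' values.
    """
    fixed = ("encryption", "hash", "authentication", "group")
    for lprio, lpol in sorted(local, key=lambda t: t[0]):
        lp = complete(lpol)
        for rprio, rpol in sorted(remote, key=lambda t: t[0]):
            rp = complete(rpol)
            if all(lp[k] == rp[k] for k in fixed):
                agreed = dict(lp)
                agreed["lifetime"] = min(lp["lifetime"], rp["lifetime"])
                return lprio, rprio, agreed
    return None


if __name__ == "__main__":
    outcome = negotiate(LOCAL, REMOTE)
    print("agreed:", outcome)
    if outcome is not None:
        print("parameters in the weaker tier:", weaknesses(outcome[2]))
```

With the constructed sets, the two priority-10 policies fail to match only because the authentication methods differ, so negotiation falls through to the priority-20 pair and every parameter of the agreed policy lands in the weaker tier. Running `weaknesses` over the agreed policy, rather than over the policy you intended to use, is the check that shows which low-priority fallback a peer can actually end up with.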
