Concessions for Not Enabling IKE; IKE Policies - Cisco IOS XR Configuration Manual

System security configuration guide
Information About Implementing IKE Security Protocol Configurations for IPSec Networks

IKE interoperates with the X.509v3 certificate standard. It is used with the IKE protocol when
authentication requires public keys. This certificate support allows the protected network to scale by
providing the equivalent of a digital ID card to each device. When two devices want to communicate,
they exchange digital certificates to prove their identity, removing the need to manually exchange
public keys with each peer or to manually specify a shared key at each peer.

Concessions for Not Enabling IKE

IKE is disabled by default in Cisco IOS XR software. If you do not enable IKE, you must make these
concessions at the peers:

• You must manually specify all IPSec security associations in the crypto profiles at all peers. (Crypto
  profile configuration is described in the module Implementing IPSec Network Security on
  Cisco IOS XR Software.)
• The IPSec security associations of the peers never time out for a given IPSec session.
• During IPSec sessions between the peers, the encryption keys never change.
• Antireplay services are not available between the peers.
• Certification authority (CA) support cannot be used.

IKE Policies

You must create IKE policies at each peer. An IKE policy defines a combination of security parameters
to be used during the IKE negotiation.

Before you create and configure IKE policies, you should understand the following concepts:

• Diffie-Hellman—A public-key cryptography protocol that allows two parties to establish a shared
  secret over an unsecured communications channel. Diffie-Hellman is used within IKE to establish
  session keys. 768-bit, 1024-bit, and 1536-bit Diffie-Hellman groups are supported.
• MD5 (HMAC variant)—Message Digest 5. A hash algorithm used to authenticate packet data.
  HMAC is a variant that provides an additional level of hashing.
• SHA (HMAC variant)—Secure Hash Algorithm. A hash algorithm used to authenticate packet data.
  HMAC is a variant that provides an additional level of hashing.
• RSA signatures and RSA encrypted nonces—RSA is the public key cryptographic system developed
  by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA signatures provide nonrepudiation, and
  RSA encrypted nonces provide repudiation. (Repudiation and nonrepudiation are associated with
  traceability.)

IKE policies are described in the following sections:

• IKE Policy Creation, page SC-23
• Definition of Policy Parameters, page SC-23
• IKE Peer Agreement for Matching Policies, page SC-23
• Value Selection for Parameters, page SC-24
• Policy Creation, page SC-25
• Additional Configuration Required for IKE Policies, page SC-25

Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software
Cisco IOS XR System Security Configuration Guide
SC-22
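The phase 1 keying that the concept list above describes, as an added example in Python (not Cisco code and not IOS XR configuration): a Diffie-Hellman exchange over the 1024-bit group to establish g^xy, then HMAC-SHA1 as the IKE PRF to derive SKEYID and the session keys, for either a manually specified shared key or RSA-signature authentication. The group 2 prime is taken from RFC 2409 and the key derivation follows RFC 2409 section 5; the peer cookies, nonces and pre-shared key are constructed sample values.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP group ("group 2"); prime and generator from RFC 2409, Appendix.
GROUP2_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
GROUP2_G = 2

def prf(key: bytes, data: bytes) -> bytes:
    """IKE PRF when the policy's hash is SHA: HMAC-SHA1 over the data."""
    return hmac.new(key, data, hashlib.sha1).digest()

class IkePeer:
    def __init__(self, cookie: bytes, nonce: bytes, p: int = GROUP2_P, g: int = GROUP2_G):
        self.p, self.cookie, self.nonce = p, cookie, nonce
        self.x = secrets.randbelow(p - 2) + 1      # private exponent, never sent
        self.public = pow(g, self.x, p)            # g^x mod p, sent in the KE payload

    def shared_secret(self, peer_public: int) -> bytes:
        # Refuse degenerate KE values: 0, 1 and p-1 would force a trivial g^xy.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid Diffie-Hellman public value")
        gxy = pow(peer_public, self.x, self.p)
        return gxy.to_bytes((self.p.bit_length() + 7) // 8, "big")

def derive_keys(auth: str, ni: bytes, nr: bytes, gxy: bytes,
                cky_i: bytes, cky_r: bytes, psk: bytes = b"") -> dict:
    """SKEYID and the three derived IKE keys (RFC 2409 section 5)."""
    if auth not in ("pre-share", "rsa-sig"):
        raise ValueError(f"unsupported authentication method {auth!r}")
    # pre-share: SKEYID keyed by the manually configured shared key; rsa-sig: by the nonces.
    skeyid = prf(psk, ni + nr) if auth == "pre-share" else prf(ni + nr, gxy)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # IPSec key material
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # IKE authentication
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # IKE encryption
    return {"skeyid_d": skeyid_d, "skeyid_a": skeyid_a, "skeyid_e": skeyid_e}

def run_exchange(auth: str, psk: bytes = b"") -> tuple:
    """Run phase 1 keying between two constructed peers; return both key sets."""
    init = IkePeer(cookie=b"\x11" * 8, nonce=b"\xaa" * 16)   # constructed sample values
    resp = IkePeer(cookie=b"\x22" * 8, nonce=b"\xbb" * 16)
    k_i = derive_keys(auth, init.nonce, resp.nonce, init.shared_secret(resp.public), init.cookie, resp.cookie, psk)
    k_r = derive_keys(auth, init.nonce, resp.nonce, resp.shared_secret(init.public), init.cookie, resp.cookie, psk)
    return k_i, k_r
```

Both peers reach identical SKEYID_d/a/e without the private exponents ever crossing the channel; with IKE disabled, as the concessions above describe, none of this happens and the IPSec keys must be typed in and never change.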

This manual is also suitable for: IOS XR 3.5