ISAKMP Identity; ISAKMP Profile Overview - Cisco IOS XR Configuration Manual

System security configuration guide

Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software
Information About Implementing IKE Security Protocol Configurations for IPSec Networks

Unlike RSA signatures, the RSA encrypted nonces method cannot use certificates to exchange public keys. Instead, you ensure that each peer has the others' public keys by one of the following methods:

- Manually configuring RSA keys, as described in the "Manually Configuring RSA Keys" section on page 44.
- Ensuring that an IKE exchange using RSA signatures with certificates has already occurred between the peers. (The peers' public keys are exchanged during the RSA-signatures-based IKE negotiations if certificates are used.)

  To make this happen, specify two policies: a higher-priority policy with RSA encrypted nonces and a lower-priority policy with RSA signatures. When IKE negotiations occur, RSA signatures are used the first time because the peers do not yet have each other's public keys. Then future IKE negotiations are able to use RSA encrypted nonces because the public keys will have been exchanged.

  This alternative requires that you have certification authority support configured.

If RSA encryption is configured and signature mode is negotiated (and certificates are used for signature mode), the peer requests both signature and encryption keys. Basically, the router requests as many keys as the configuration supports. If RSA encryption is not configured, it just requests a signature key.

Preshared keys authentication method. If you specify preshared keys as the authentication method in a policy, you must configure these preshared keys as described in the "Configuring ISAKMP Preshared Keys in ISAKMP Keyrings" section on page 48.

ISAKMP Identity

You should set the ISAKMP identity for each peer that uses preshared keys in an IKE policy.

When two peers use IKE to establish IPSec security associations, each peer sends its identity to the remote peer. Each peer sends either its hostname or its IP address, depending on how you have set the ISAKMP identity of the router.

By default, the ISAKMP identity of a peer is the IP address of the peer. If appropriate, you could change the identity to be the peer's hostname instead. As a general rule, set the identities of all peers the same way—either all peers should use their IP addresses or all peers should use their host names. If some peers use their host names and some peers use their IP addresses to identify themselves to each other, IKE negotiations could fail if the identity of a remote peer is not recognized and a domain name server (DNS) lookup is unable to resolve the identity.

ISAKMP Profile Overview

The ISAKMP profile is an enhancement to Internet Security Association and Key Management Protocol (ISAKMP) configurations. It enables modularity of ISAKMP configuration for phase 1 negotiations. This modularity allows mapping different ISAKMP parameters to different IP Security (IPSec) tunnels, and mapping different IPSec tunnels to different VPN forwarding and routing (VRF) instances. Currently, many applications and enhancements use the ISAKMP profile, including quality of service (QoS), router certificate management, and Multiprotocol Label Switching (MPLS) VPN configurations.

An ISAKMP profile is a repository for IKE Phase 1 and IKE Phase 1.5 configuration for a set of peers. An ISAKMP profile applies parameters to an incoming IPSec connection identified uniquely by its match identity criteria. These criteria are based on the IKE identity that is presented by incoming IKE connections and include IP address, fully qualified domain name (FQDN), and group (the Virtual Private Network [VPN] remote client grouping). The granularity of the match identity

Cisco IOS XR System Security Configuration Guide
SC-26
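As an added illustration that is not code from the Cisco guide, the following Python models how the match identity criteria described in the ISAKMP Identity and ISAKMP Profile Overview sections above select a profile for a presented IKE identity, including the mixed hostname-versus-address case that fails when DNS cannot resolve the name. The profile names, addresses, FQDNs and the DNS table are constructed sample data, and the fallback-through-DNS rule is an assumed model of the behaviour the guide describes.

```python
# Added illustration of ISAKMP profile selection by match identity; not Cisco code.
# Profile names, addresses, FQDNs and the DNS table are constructed sample data.
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class IsakmpProfile:
    """Phase 1 parameters applied to peers whose presented IKE identity matches."""
    name: str
    match_addresses: set = field(default_factory=set)  # match identity address
    match_fqdns: set = field(default_factory=set)      # match identity host
    match_groups: set = field(default_factory=set)     # match identity group

# Constructed stand-in for a DNS lookup; names absent here fail to resolve.
DNS_TABLE = {"gw1.example.net": "192.0.2.1"}

def resolve_fqdn(name: str) -> Optional[str]:
    return DNS_TABLE.get(name)

def select_profile(profiles: List[IsakmpProfile], id_type: str,
                   id_value: str) -> Optional[IsakmpProfile]:
    """First profile whose match identity accepts the presented identity; id_type is
    'address', 'fqdn' or 'group'. An FQDN may still match an address-keyed profile if
    DNS resolves it: the mixed-identity case the guide warns about (assumed model)."""
    for p in profiles:
        if id_type == "address" and id_value in p.match_addresses:
            return p
        if id_type == "fqdn":
            if id_value in p.match_fqdns:
                return p
            addr = resolve_fqdn(id_value)
            if addr is not None and addr in p.match_addresses:
                return p
        if id_type == "group" and id_value in p.match_groups:
            return p
    return None  # no match: the incoming IKE connection is not accepted

# Constructed profiles, one per identity type.
PROFILES = [
    IsakmpProfile("SITE_A", match_addresses={"192.0.2.1"}),
    IsakmpProfile("SITE_B", match_fqdns={"gw2.example.net"}),
    IsakmpProfile("REMOTE_USERS", match_groups={"vpnclients"}),
]

def negotiate(id_type: str, id_value: str) -> str:
    """Summarise the outcome for one presented identity against PROFILES."""
    p = select_profile(PROFILES, id_type, id_value)
    return f"{id_type}={id_value}: " + (f"profile {p.name}" if p else "no profile, negotiation fails")
```

Running `negotiate("fqdn", "gw3.example.net")` shows the failure the guide describes: the peer identifies by hostname, no profile matches that name, and the DNS stand-in cannot resolve it, so no profile applies.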

This manual is also suitable for: IOS XR 3.5