Protocols And Standards; Ike Configuration Prerequisites; Ike Configuration Task List - HPE FlexFabric 7900 Series Security Configuration Manual

DH algorithm
The DH algorithm is a public key algorithm. With this algorithm, two peers can exchange keying
material and then use the material to calculate the shared keys. Because of the computational
complexity involved, a third party cannot work out the keys even after intercepting all of the
keying material.
PFS
The Perfect Forward Secrecy (PFS) feature is a security feature based on the DH algorithm. After
PFS is enabled, an additional DH exchange is performed in IKE phase 2 to make sure that IPsec keys
are not derived from IKE keys and that a broken key poses no threat to other keys.
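
The following sketch is an added example, not code from the HPE manual or the device. It follows the RFC 2409 key derivation for pre-shared key authentication to show both peers reaching the same key from a DH exchange, and how the extra phase 2 exchange under PFS removes the dependency of IPsec keys on the IKE key alone. HMAC-SHA256 standing in for the negotiated prf, the function names, and all keys, nonces, cookies and SPIs are assumptions constructed for the illustration.

```python
import hashlib, hmac, secrets

# Oakley Group 1 (RFC 2409, 768-bit MODP), chosen only to keep the listing short.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
G = 2

def prf(key, data):  # assumption: HMAC-SHA256 stands in for the negotiated prf
    return hmac.new(key, data, hashlib.sha256).digest()

def dh_keypair():
    x = secrets.randbelow(P - 3) + 2      # private value, never transmitted
    return x, pow(G, x, P)                # public value, sent to the peer

def dh_shared(private, peer_public):
    return pow(peer_public, private, P).to_bytes(96, "big")

def skeyid_d(psk, ni, nr, g_xy, cky_i, cky_r):
    skeyid = prf(psk, ni + nr)            # SKEYID for pre-shared key authentication
    return prf(skeyid, g_xy + cky_i + cky_r + b"\x00")

def keymat(d, protocol, spi, ni2, nr2, g_qm_xy=b""):  # g_qm_xy is present only with PFS
    return prf(d, g_qm_xy + bytes([protocol]) + spi + ni2 + nr2)

def negotiate(pfs):
    rnd, psk = secrets.token_bytes, b"constructed-pre-shared-key"
    # Phase 1: only public values, nonces and cookies cross the wire.
    (xi, pub_i), (xr, pub_r) = dh_keypair(), dh_keypair()
    ni, nr, cky_i, cky_r = rnd(16), rnd(16), rnd(8), rnd(8)
    d_i = skeyid_d(psk, ni, nr, dh_shared(xi, pub_r), cky_i, cky_r)
    d_r = skeyid_d(psk, ni, nr, dh_shared(xr, pub_i), cky_i, cky_r)
    # Phase 2: fresh nonces always; a fresh DH exchange only when PFS is enabled.
    ni2, nr2, spi = rnd(16), rnd(16), rnd(4)
    g_i = g_r = b""
    if pfs:
        (yi, qpub_i), (yr, qpub_r) = dh_keypair(), dh_keypair()
        g_i, g_r = dh_shared(yi, qpub_r), dh_shared(yr, qpub_i)
    k_i = keymat(d_i, 3, spi, ni2, nr2, g_i)   # 3 = ESP protocol ID
    k_r = keymat(d_r, 3, spi, ni2, nr2, g_r)
    return k_i, k_r, keymat(d_i, 3, spi, ni2, nr2)  # last: from SKEYID_d and wire values only

if __name__ == "__main__":
    for pfs in (False, True):
        k_i, k_r, ike_only = negotiate(pfs)
        print(f"pfs={pfs} peers_agree={k_i == k_r} ike_key_suffices={k_i == ike_only}")
```

Without PFS the third value equals the IPsec keying material, so the IPsec keys stand or fall with the IKE key; with PFS it no longer matches.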

Protocols and standards

RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP)
RFC 2409, The Internet Key Exchange (IKE)
RFC 2412, The OAKLEY Key Determination Protocol

IKE configuration prerequisites

Determine the following parameters prior to IKE configuration:
- The algorithms to be used during IKE negotiation, including the identity authentication method, encryption algorithm, authentication algorithm, and DH group.
  - Different algorithms provide different levels of protection. A stronger algorithm provides more resistance to decryption but uses more resources.
  - A DH group that uses more bits provides higher security but needs more time for processing.
- The pre-shared key or PKI domain for IKE negotiation. For more information about PKI, see "Configuring PKI."
- The IKE-based IPsec policies for the communicating peers. If an IPsec policy does not reference any IKE profile, the device selects an IKE profile for the IPsec policy. If no IKE profile is configured, the globally configured IKE settings are used. For more information about IPsec, see "Configuring IPsec."

IKE configuration task list

| Tasks at a glance | Remarks |
|---|---|
| (Optional.) Configuring an IKE profile | N/A |
| (Optional.) Configuring an IKE proposal | Required when the IKE profile needs to reference IKE proposals. |
| (Optional.) Configuring an IKE keychain | Required when pre-shared authentication is used in IKE negotiation phase 1. |
| (Optional.) Configuring the global identity information | N/A |
| (Optional.) Configuring the IKE keepalive function | N/A |
| (Optional.) Configuring the IKE NAT keepalive function | N/A |
| (Optional.) Configuring IKE DPD | N/A |
| (Optional.) Enabling invalid SPI recovery | N/A |