Relationship between IKE and IPsec
Figure 117 Relationship between IKE and IPsec
Figure 1 17
illustrates the relationship between IKE and IPsec:
IKE is an application layer protocol using UDP and functions as the signaling protocol of IPsec.
•
IKE negotiates SAs for IPsec and delivers negotiated parameters and generated keys to IPsec.
•
IPsec uses the SAs set up through IKE negotiation for encryption and authentication of IP packets.
•
Protocols and standards
RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP)
•
RFC 2409, The Internet Key Exchange (IKE)
•
•
RFC 2412, The OAKLEY Key Determination Protocol
FIPS compliance
In Release 1208 and later versions, the device supports the FIPS mode that complies with NIST FIPS 140-2
requirements. For more information about FIPS mode, see
IKE configuration task list
Prior to IKE configuration, you must determine the following parameters:
•
The strength of the algorithms for IKE negotiation (the security protection level), including the
identity authentication method, encryption algorithm, authentication algorithm, and DH group.
Different algorithms provide different levels of protection. A stronger algorithm means more resistant
to decryption of protected data but requires more resources. Generally, the longer the key, the
stronger the algorithm.
The pre-shared key or the PKI domain the certificate belongs to.
•
Complete the following tasks to configure IKE:
Task
Configuring a name for the local security gateway
"Configuring
Remarks
Optional.
317
FIPS."