Configuring Ikev2; Overview; Ikev2 Negotiation Process - HPE FlexNetwork 10500 Series Security Configuration Manual


Configuring IKEv2

Overview

Internet Key Exchange version 2 (IKEv2) is an enhanced version of IKEv1. Like IKEv1,
IKEv2 has a set of self-protection mechanisms and can be used on insecure networks for reliable
identity authentication, key distribution, and IPsec SA negotiation. IKEv2 provides stronger
protection against attacks and greater key exchange capability, and it needs fewer message
exchanges than IKEv1.

IKEv2 negotiation process

Compared with IKEv1, IKEv2 simplifies the negotiation process and is much more efficient.
IKEv2 defines three types of exchanges: initial exchanges, CREATE_CHILD_SA exchange, and
INFORMATIONAL exchange.
As shown in Figure 101, IKEv2 uses two exchanges during the initial exchange process:
IKE_SA_INIT and IKE_AUTH, each with two messages.
IKE_SA_INIT exchange—Negotiates IKE SA parameters and exchanges keys.
IKE_AUTH exchange—Authenticates the identity of the peer and establishes IPsec SAs.
After the four-message initial exchanges, IKEv2 sets up one IKE SA and one pair of IPsec SAs. For
IKEv1 to set up one IKE SA and one pair of IPsec SAs, it must go through two phases that use a
minimum of six messages.
To set up one more pair of IPsec SAs within the IKE SA, IKEv2 goes on to perform an additional
two-message exchange—the CREATE_CHILD_SA exchange. One CREATE_CHILD_SA exchange
creates one pair of IPsec SAs. IKEv2 also uses the CREATE_CHILD_SA exchange to rekey IKE
SAs and Child SAs.
IKEv2 uses the INFORMATIONAL exchange to convey control messages about errors and
notifications.
Figure 101 IKEv2 Initial exchange process
(Figure not reproduced. It shows the message flow between Peer 1, the initiator, and Peer 2, the
responder.)
IKE_SA_INIT (SA exchange: negotiate algorithms; key exchange: generate the key): Peer 1 sends
the initiator's policy and key information. Peer 2 searches for a matched policy, generates the key,
and returns the confirmed policy and key information. Peer 1 receives the policy and generates the
key.
IKE_AUTH (ID exchange and authentication: authenticate the identity; IPsec SA setup: negotiate
IPsec SAs): Peer 1 sends the initiator's identity, authentication data, and IPsec transform sets.
Peer 2 performs ID exchange and authentication, negotiates IPsec SAs, and returns the responder's
identity, authentication data, and IPsec transform sets. Peer 1 performs ID exchange and
authentication and negotiates IPsec SAs.
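As an added example (not code from the HPE manual), the following Python parses the fixed IKEv2 message header defined in RFC 7296 and replays a constructed message sequence through the exchanges described above, counting the IKE SA and IPsec SA pairs each exchange establishes. The SPI values and packet bodies are made up; payloads inside the messages are not modelled.

```python
import struct

# Exchange Type values from RFC 7296 section 3.1 (the four exchanges the manual describes).
EXCHANGE = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
HDR = "!QQBBBBII"  # 28 bytes: iSPI, rSPI, next payload, version, exchange, flags, message ID, length

def build(ispi, rspi, exch, flags, msgid, body=b""):
    """Constructed IKEv2 message: real header layout, opaque body (payloads not modelled)."""
    return struct.pack(HDR, ispi, rspi, 0, 0x20, exch, flags, msgid, 28 + len(body)) + body

def parse_header(pkt):
    """Decode the fixed header; reject anything that is not a well-formed IKEv2 message."""
    if len(pkt) < 28:
        raise ValueError("short IKE header")
    ispi, rspi, _nxt, ver, exch, flags, msgid, length = struct.unpack(HDR, pkt[:28])
    if ver >> 4 != 2:
        raise ValueError("not IKEv2 (major version %d)" % (ver >> 4))
    if length != len(pkt):
        raise ValueError("length field %d != packet length %d" % (length, len(pkt)))
    return {"ispi": ispi, "rspi": rspi, "exchange": EXCHANGE.get(exch, "UNKNOWN(%d)" % exch),
            "initiator": bool(flags & FLAG_INITIATOR), "response": bool(flags & FLAG_RESPONSE),
            "msgid": msgid}

def walk(packets):
    """Replay one IKE SA's messages in order; return (ike_sas, ipsec_sa_pairs, message_count)."""
    ike_sas = ipsec_pairs = 0
    expect_id, pending = 0, None  # next request Message ID, exchange awaiting its response
    for pkt in packets:
        h = parse_header(pkt)
        if not h["response"]:
            if pending is not None or h["msgid"] != expect_id:
                raise ValueError("unexpected request, Message ID %d" % h["msgid"])
            pending = h["exchange"]
        else:
            if h["exchange"] != pending:
                raise ValueError("response does not match outstanding request")
            if h["exchange"] == "IKE_SA_INIT":
                ike_sas += 1      # IKE SA parameters negotiated and keys exchanged
            elif h["exchange"] in ("IKE_AUTH", "CREATE_CHILD_SA"):
                ipsec_pairs += 1  # one pair of IPsec SAs per exchange (a rekey would replace, not add)
            expect_id, pending = expect_id + 1, None
    return ike_sas, ipsec_pairs, len(packets)

# Constructed capture with made-up SPIs: the four-message initial exchanges, then one CREATE_CHILD_SA.
I_SPI, R_SPI = 0x1111, 0x2222
INITIAL = [build(I_SPI, 0, 34, FLAG_INITIATOR, 0), build(I_SPI, R_SPI, 34, FLAG_RESPONSE, 0),
           build(I_SPI, R_SPI, 35, FLAG_INITIATOR, 1, b"\x00"), build(I_SPI, R_SPI, 35, FLAG_RESPONSE, 1, b"\x00")]
CHILD = [build(I_SPI, R_SPI, 36, FLAG_INITIATOR, 2), build(I_SPI, R_SPI, 36, FLAG_RESPONSE, 2)]
```

Running walk(INITIAL) yields one IKE SA and one IPsec SA pair from four messages, and appending CHILD adds a second pair from two more; an out-of-order or unanswered request raises ValueError.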
