Configuring Ike; Overview; Ike Negotiation Process - HPE FlexNetwork 5510 HI Series Security Configuration Manual


Configuring IKE

Unless otherwise specified, the term "IKE" in this chapter refers to IKEv1.
The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN
interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by
using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide).

Overview

Built on a framework defined by ISAKMP, Internet Key Exchange (IKE) provides automatic key
negotiation and SA establishment services for IPsec.
IKE provides the following benefits for IPsec:
• Automatically negotiates IPsec parameters.
• Performs DH exchanges to calculate shared keys, making sure each SA has a key that is
independent of other keys.
• Automatically negotiates SAs when the sequence number in the AH or ESP header overflows,
making sure IPsec can provide the anti-replay service by using the sequence number.
As shown in Figure 89, IKE negotiates SAs for IPsec and transfers the SAs to IPsec, and IPsec uses
the SAs to protect IP packets.
Figure 89 Relationship between IKE and IPsec
[Figure: Device A and Device B, each with TCP/UDP, IKE, and IPsec layers. IKE on the two devices
performs SA negotiation and passes the resulting SA down to IPsec, and IPsec on the two devices
exchanges the protected IP packets.]

IKE negotiation process

IKE negotiates keys and SAs for IPsec in two phases:
1. Phase 1—The two peers establish an IKE SA, a secure, authenticated channel for
communication. In this phase, two modes are available: main mode and aggressive mode.
2. Phase 2—Using the IKE SA established in phase 1, the two peers negotiate to establish IPsec
SAs.
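An added simulation in Python (not HPE code) of the flow described in the overview and the two phases above: phase 1 produces the IKE SA, phase 2 gives each IPsec SA a key from its own DH exchange, and when the 32-bit AH/ESP sequence number would overflow, IPsec hands back to IKE for a replacement SA instead of reusing numbers. The DH group 2 prime is transcribed from RFC 2409 and the near-overflow starting counter is a constructed value; peer authentication and the main/aggressive mode messages are not modelled.

```python
import hashlib
import secrets

# IKE DH group 2 (1024-bit MODP prime, generator 2), transcribed from RFC 2409;
# treat the constant as an assumption and check it against the RFC text.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
SEQ_MAX = 0xFFFFFFFF  # 32-bit sequence number carried in the AH/ESP header

def dh_shared_secret():
    """One DH exchange between the peers; both sides derive the same 32-byte key."""
    a, b = (secrets.randbelow(GROUP2_P - 2) + 1 for _ in range(2))
    pub_a, pub_b = pow(GROUP2_G, a, GROUP2_P), pow(GROUP2_G, b, GROUP2_P)
    k_a, k_b = pow(pub_b, a, GROUP2_P), pow(pub_a, b, GROUP2_P)
    assert k_a == k_b
    return hashlib.sha256(k_a.to_bytes(128, "big")).digest()

def phase1():
    """Phase 1: establish the IKE SA (modelled as a key only; no peer authentication)."""
    return {"ike_key": dh_shared_secret()}

def phase2(ike_sa):
    """Phase 2: negotiate an IPsec SA under the IKE SA, with its own DH key and fresh counter."""
    assert ike_sa["ike_key"]  # phase 2 runs only over an established IKE SA
    return {"key": dh_shared_secret(), "seq": 0}

def send_protected(ipsec_sa, ike_sa, keys_used):
    """IPsec assigns the next sequence number; when the counter would
    overflow, IKE negotiates a replacement SA instead of reusing numbers."""
    if ipsec_sa["seq"] == SEQ_MAX:
        ipsec_sa = phase2(ike_sa)
        keys_used.append(ipsec_sa["key"])
    ipsec_sa["seq"] += 1
    return ipsec_sa

def simulate(packets=3, start_seq=SEQ_MAX - 1):
    """Constructed run: the first IPsec SA starts near the counter limit so the
    rekey is observable. Returns (SA keys used in order, final sequence number)."""
    ike_sa = phase1()
    sa = phase2(ike_sa)
    sa["seq"] = start_seq
    keys_used = [sa["key"]]
    for _ in range(packets):
        sa = send_protected(sa, ike_sa, keys_used)
    return keys_used, sa["seq"]
```

With the defaults, the second packet triggers the rekey, so two distinct SA keys are used and the new SA's counter restarts from zero.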
