Setting up Authentication
Creating an IKEv2 Proposal
1. Enter IKEv2 proposal mode.
2. Set the DES encryption algorithm.
3. Set the authentication integrity algorithm type.
4. Set the Diffie-Hellman group.
342
NE2552E Application Guide for ENOS 8.4
Before you can use IPsec, you need to have key policy authentication in place.
There are two types of key policy authentication:

Preshared key (default)
The parties agree on a shared secret key that is used for authentication in an
IPsec policy. During security negotiation, information is encrypted before
transmission using a session key created from a Diffie-Hellman calculation and
the shared secret key, and is decrypted on the receiving end using the same
key. One IPsec peer authenticates the other peer's packet by decrypting it and
verifying the hash inside the packet (the hash inside the packet is a hash of
the preshared key). If authentication fails, the packet is discarded.

Digital certificate (using RSA algorithms)
The peer being validated must hold a digital certificate signed by a trusted
Certificate Authority, together with the private key for that certificate. The
side performing the authentication only needs a copy of the trusted certificate
authority's digital certificate. During IKEv2 authentication, the side being
validated sends a copy of its digital certificate and a hash value signed with
its private key. The certificate can be either generated or imported.

Note: During the IKEv2 negotiation phase, the digital certificate takes
precedence over the preshared key.
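The preshared-key check described above, worked through as an added example (this is not code from the guide or from ENOS): it computes the IKEv2 AUTH payload for shared-key authentication as defined in RFC 7296 section 2.15 using PRF_HMAC_SHA1, and shows that a peer holding a different key, or an AUTH value replayed into an exchange with a different nonce, fails verification. The IKE_SA_INIT message, nonce, ID payload and the SK_pi key (normally derived from the Diffie-Hellman result) are constructed sample values.

```python
import hashlib
import hmac

# RFC 7296 section 2.15, shared-key authentication:
#   AUTH = prf( prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets> )
# The preshared key itself never goes on the wire, only this keyed hash.
KEY_PAD = b"Key Pad for IKEv2"


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA1, one of the negotiable IKEv2 PRFs."""
    return hmac.new(key, data, hashlib.sha1).digest()


def signed_octets(own_init_msg: bytes, peer_nonce: bytes,
                  sk_p: bytes, own_id_body: bytes) -> bytes:
    """SignedOctets = own IKE_SA_INIT message | peer nonce | prf(SK_p, own ID body).
    SK_p comes from the Diffie-Hellman result, so AUTH is bound to this exchange."""
    return own_init_msg + peer_nonce + prf(sk_p, own_id_body)


def psk_auth(psk: bytes, octets: bytes) -> bytes:
    """AUTH value the sender places in its IKE_AUTH message."""
    return prf(prf(psk, KEY_PAD), octets)


def verify_auth(psk: bytes, octets: bytes, received_auth: bytes) -> bool:
    """Receiver recomputes AUTH with its own copy of the key; on mismatch the
    packet is discarded. Constant-time compare avoids a timing side channel."""
    return hmac.compare_digest(psk_auth(psk, octets), received_auth)


# Constructed sample values, not real traffic: in practice these come from the
# IKE_SA_INIT messages and the prf+ key derivation (SK_pi is assumed here).
INIT_MSG_I = b"IKE_SA_INIT request from initiator (constructed)"
NONCE_R = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")
SK_PI = bytes.fromhex("00112233445566778899aabbccddeeff01234567")
ID_I_BODY = bytes([1, 0, 0, 0, 192, 0, 2, 1])  # ID_IPV4_ADDR 192.0.2.1
PSK = b"correct horse battery staple"

OCTETS_I = signed_octets(INIT_MSG_I, NONCE_R, SK_PI, ID_I_BODY)
AUTH_I = psk_auth(PSK, OCTETS_I)  # 20-byte HMAC-SHA1 output


def responder_checks() -> dict:
    """What the responder sees for a matching key, a wrong key, and an AUTH
    replayed into an exchange that used a different nonce."""
    replay_octets = signed_octets(INIT_MSG_I, b"\x00" * 16, SK_PI, ID_I_BODY)
    return {
        "same_psk": verify_auth(PSK, OCTETS_I, AUTH_I),
        "wrong_psk": verify_auth(b"guess", OCTETS_I, AUTH_I),
        "replayed_nonce": verify_auth(PSK, replay_octets, AUTH_I),
    }
```

Only the peer that holds the same preshared key and took part in the same IKE_SA_INIT exchange can produce a matching AUTH value, which is why a mismatch leads to the packet being discarded.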
With IKEv2, a single policy can have multiple encryption and authentication types,
as well as multiple integrity algorithms.
To create an IKEv2 proposal:
NE2552E(config)# ikev2 proposal
NE2552E(config-ikev2-prop)# encryption aes-cbc
NE2552E(config-ikev2-prop)# integrity sha1
NE2552E(config-ikev2-prop)# group 24