Ericsson HL950 Administrator's Manual page 81
Main mode (MAIN)
• This mode establishes a secure channel before sending a user identity, meaning that an IKE SA is secured in three two-way exchanges between the initiator and the responder:
o Both agree on basic algorithms and hashes.
o Both exchange Diffie-Hellman public keys and pass nonces.
o Both parties exchange certificates and verify each other's identity. This exchange is already encrypted.
Aggressive mode (AGGR)
• Unlike Main mode, this mode does not protect identities because it establishes the secure channel after the information has been exchanged:
o The initiator generates a Diffie-Hellman public value, sending it with the nonce and the certificate, which the responder can check with a third party.
o The responder sends its own Diffie-Hellman value and certificate.
o The initiator confirms the exchange.
You also have to set the response type, which can be both directions, Initiator only or Responder only.
For detailed information about prefixes and parameters for the SECURITY IKE command, see section 6.6.6.
4.6.3.2.1 Typical IKE Examples
The following gives some examples of IKE configuration.
Example 1:
• Both SGs are initiators and responders to IKE requests
• The key exchange mode is aggressive
• Perfect forward secrecy is not set and the user provides the key
• The lifetime is specified in seconds
DATA 1>add security ike name=BA1DMNOPKEY1, type=both, mode=aggr, lidt=ipv4,
ridt=ipv4, etyp=des, atyp=md5, pfs=false,
lsgw=10.0.1.10, lidd=10.0.1.10, ridd=10.0.1.11, rsgw=10.0.1.11, amode=pkey,
lift=99999, pkey=qwertyuiopasdfgh
DATA 2>add sec ike name=BA1DMNOPKEY1, type=both, mode=aggr, lidt=ipv4,
ridt=ipv4, etyp=des, atyp=md5, pfs=false,
lsgw=10.0.1.10, lidd=10.0.1.10, ridd=10.0.1.11, rsgw=10.0.1.11, amode=pkey,
lift=99999, pkey=qwertyuiopasdfgh
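A small reviewer script for entries like the two commands above, added here as an illustration and not part of the Ericsson manual or the HL950 firmware: it parses "add security ike" lines into their prefix=value parameters, lists the settings of Example 1 that a security review would flag (aggressive mode, no PFS, DES/MD5, a short pre-shared key, a long lifetime), and checks that the parameters both gateways must agree on are identical. The MAX_LIFETIME and MIN_PKEY_LEN thresholds are this script's own assumed policy, and the sample input is the manual's Example 1 retyped as constructed data.

```python
import re

# Constructed sample: the two commands from Example 1, one per security gateway.
# The "DATA n>" prefix is the CLI prompt of that gateway, not part of the command.
SAMPLE = [
    "DATA 1>add security ike name=BA1DMNOPKEY1, type=both, mode=aggr, lidt=ipv4, "
    "ridt=ipv4, etyp=des, atyp=md5, pfs=false, lsgw=10.0.1.10, lidd=10.0.1.10, "
    "ridd=10.0.1.11, rsgw=10.0.1.11, amode=pkey, lift=99999, pkey=qwertyuiopasdfgh",
    "DATA 2>add sec ike name=BA1DMNOPKEY1, type=both, mode=aggr, lidt=ipv4, "
    "ridt=ipv4, etyp=des, atyp=md5, pfs=false, lsgw=10.0.1.10, lidd=10.0.1.10, "
    "ridd=10.0.1.11, rsgw=10.0.1.11, amode=pkey, lift=99999, pkey=qwertyuiopasdfgh",
]

# Accepts both the full "security" keyword and the "sec" abbreviation shown above.
CMD_RE = re.compile(r"^(?P<sg>DATA\s*\d+)>\s*add\s+sec(?:urity)?\s+ike\s+(?P<args>.*)$", re.I)
MAX_LIFETIME = 86400  # assumed review policy: flag SA lifetimes above one day
MIN_PKEY_LEN = 20     # assumed review policy: flag short pre-shared keys

def parse_ike_command(line: str) -> dict:
    """Split one 'add security ike' line into its prefix=value parameters."""
    m = CMD_RE.match(line.strip())
    if not m:
        raise ValueError("not an 'add security ike' command: " + line)
    params = {"sg": m.group("sg").replace(" ", "").upper()}
    for field in m.group("args").split(","):
        key, _, value = field.strip().partition("=")
        if key:
            params[key.lower()] = value.strip()
    return params

def audit_ike(p: dict) -> list:
    """Findings a reviewer would raise against one IKE entry (weak or risky settings)."""
    findings = []
    if p.get("mode") == "aggr":
        findings.append("mode=aggr: identities are exchanged before the channel is secured")
    if p.get("pfs") == "false":
        findings.append("pfs=false: IPsec keys derive from the IKE SA, so its compromise exposes them")
    if p.get("etyp") == "des":
        findings.append("etyp=des: 56-bit DES is not adequate encryption")
    if p.get("atyp") == "md5":
        findings.append("atyp=md5: MD5 is deprecated for integrity/authentication")
    if p.get("amode") == "pkey" and len(p.get("pkey", "")) < MIN_PKEY_LEN:
        findings.append("pkey: pre-shared key shorter than %d characters" % MIN_PKEY_LEN)
    if int(p.get("lift", "0")) > MAX_LIFETIME:
        findings.append("lift=%s: lifetime exceeds %d seconds" % (p["lift"], MAX_LIFETIME))
    return findings

def peer_mismatches(a: dict, b: dict) -> list:
    """Parameters the two gateways must agree on, returned where they differ."""
    return [k for k in ("name", "mode", "pfs", "amode", "etyp", "atyp", "pkey") if a.get(k) != b.get(k)]
```

Run `audit_ike(parse_ike_command(cmd))` over each command and `peer_mismatches` over the pair; for Example 1 the audit reports six findings and the peer check reports none.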
Example 2:
• The two SGs are set up with DATA1 for initiating IKE requests and DATA2 for responding to requests
• Perfect forward secrecy is enabled with modp768
• The authentication mode uses an RSA certificate
NOTE!
The Authentication mode (AMODE) settings of RSA and DSS will not work until the user adds corresponding certificates.
Page 81 (159)
Multi Service Edge Device HL950
Administrator's Guide
EN/LZT 108 5995 R3
June 2003