More About Ike Policies - Cisco OL-4015-08 User Manual

Cisco router and security device manager user's guide

More About IKE Policies

Cisco Router and Security Device Manager Version 2.2 User's Guide, page 30-22
Encryption Algorithm: DES, 3DES, or AES
Packet Signature Algorithm: MD5 or SHA-1
IKE uses the negotiated key-exchange method (see "Session Negotiation" above)
to create enough bits of cryptographic keying material to secure future
transactions. This method ensures that each IKE session will be protected with a
new, secure set of keys.
Authentication, session negotiation, and key exchange constitute phase 1 of an
IKE negotiation.
After IKE has finished negotiating a secure method for exchanging information
(phase 1), we use IKE to negotiate an IPSec tunnel. This is accomplished in IKE
phase 2. In this exchange, IKE creates fresh keying material for the IPSec tunnel
to use (either using the IKE phase 1 keys as a base or by performing a new key
exchange). The encryption and authentication algorithms for this tunnel are also
negotiated.
When the IKE negotiation begins, IKE looks for an IKE policy that is the same on
both peers. The peer that initiates the negotiation will send all its policies to the
remote peer, and the remote peer will try to find a match. The remote peer looks
for a match by comparing its own highest priority policy against the other peer's
received policies. The remote peer checks each of its policies in order of its
priority (highest first) until a match is found.
A match is made when the two peers' policies contain the same encryption, hash,
authentication, and Diffie-Hellman parameter values, and when the remote peer's
policy specifies a lifetime less than or equal to the lifetime in the policy
being compared. If the lifetimes are not identical, the shorter lifetime, the
one from the remote peer's policy, will be used.
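The matching procedure above can be made concrete with a small simulation. The following Python is an added example written for this page; it is not Cisco code and does not reproduce IOS internals. It models the responder ("remote peer") walking its own policies from highest priority down, testing each against every policy the initiator sent, and applying the lifetime rule. The class and function names (IkePolicy, policies_match, select_policy), the use of a lower priority number as higher priority, and all sample algorithms, group numbers and lifetimes are assumptions or constructed data, not values taken from the manual.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class IkePolicy:
    """One IKE (phase 1) policy. Field names are an assumption for this example."""
    priority: int        # assumed: lower number = higher priority
    encryption: str      # DES, 3DES, or AES
    hash_alg: str        # MD5 or SHA-1
    authentication: str  # e.g. "pre-share" or "rsa-sig" (constructed labels)
    dh_group: int        # Diffie-Hellman group
    lifetime: int        # seconds


def policies_match(local: IkePolicy, received: IkePolicy) -> bool:
    """Responder-side test from the text: all four parameter values must be
    identical, and the responder's (local) lifetime must be <= the lifetime
    in the initiator's policy being compared."""
    return (
        local.encryption == received.encryption
        and local.hash_alg == received.hash_alg
        and local.authentication == received.authentication
        and local.dh_group == received.dh_group
        and local.lifetime <= received.lifetime
    )


def select_policy(responder_policies: Iterable[IkePolicy],
                  initiator_policies: Iterable[IkePolicy]) -> Optional[IkePolicy]:
    """Check the responder's policies in priority order (highest first) against
    every policy the initiator sent; return the agreed policy, carrying the
    shorter lifetime, or None when nothing matches."""
    initiator_policies = list(initiator_policies)
    for local in sorted(responder_policies, key=lambda p: p.priority):
        for received in initiator_policies:
            if policies_match(local, received):
                # The lifetime rule guarantees this is the responder's value.
                agreed_lifetime = min(local.lifetime, received.lifetime)
                return IkePolicy(local.priority, local.encryption, local.hash_alg,
                                 local.authentication, local.dh_group, agreed_lifetime)
    return None


# Constructed sample data (not from the manual).
RESPONDER = [
    IkePolicy(20, "3DES", "MD5", "pre-share", 2, 86400),
    IkePolicy(10, "AES", "SHA-1", "pre-share", 5, 3600),
]
INITIATOR = [
    IkePolicy(1, "3DES", "MD5", "pre-share", 2, 28800),
    IkePolicy(2, "AES", "SHA-1", "pre-share", 5, 28800),
]


def run_example() -> tuple:
    """Two cases: a normal match on the responder's highest-priority policy,
    and a parameter match that fails only because the responder's lifetime
    is longer than the initiator's."""
    full = select_policy(RESPONDER, INITIATOR)          # policy 10, lifetime 3600
    only_3des = select_policy([RESPONDER[0]], INITIATOR)  # None: 86400 > 28800
    return full, only_3des


if __name__ == "__main__":
    print(run_example())
```

Although the initiator lists its 3DES policy first, the responder's own priority order decides: its policy 10 (AES) is tested first and matches the initiator's second proposal, and the agreed lifetime is the responder's shorter 3600 seconds. The second case shows the lifetime rule on its own: the parameters of the 3DES policies agree, but a responder lifetime of 86400 exceeds the initiator's 28800, so no match is made.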
Chapter 30, More About.... (OL-4015-08)
