Concessions For Not Enabling Ike; Ike Policies - Cisco CRS-1 - Carrier Routing System Router Configuration Manual

Information About Implementing IKE Security Protocol Configurations for IPSec Networks

• SHA (HMAC variant)—Secure Hash Algorithm. A hash algorithm used to authenticate packet data. HMAC is a variant that provides an additional level of hashing.
• RSA signatures and RSA encrypted nonces—RSA is the public key cryptographic system developed by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA signatures provide nonrepudiation, and RSA encrypted nonces provide repudiation. (Repudiation and nonrepudiation are associated with traceability.)

IKE interoperates with the X.509v3 certificates standard. It is used with the IKE protocol when authentication requires public keys. This certificate support allows the protected network to scale by providing the equivalent of a digital ID card to each device. When two devices want to communicate, they exchange digital certificates to prove their identity, thus removing the need to manually exchange public keys with each peer or to manually specify a shared key at each peer.

Concessions for Not Enabling IKE

IKE is disabled by default in Cisco IOS XR software. If you do not enable IKE, you must make these concessions at the peers:

• You must manually specify all IPSec security associations in the crypto profiles at all peers. (Crypto profile configuration is described in the module Implementing IPSec Network Security on Cisco IOS XR Software in System Security Configuration Guide.)
• The IPSec security associations of the peers never time out for a given IPSec session.
• During IPSec sessions between the peers, the encryption keys never change.
• Anti-replay services are not available between the peers.
• Certification authority (CA) support cannot be used.

IKE Policies

You must create IKE policies at each peer. An IKE policy defines a combination of security parameters to be used during the IKE negotiation.

Before you create and configure IKE policies, you should understand the following concepts:

• IKE Policy Creation, page 108
• Definition of Policy Parameters, page 109
• IKE Peer Agreement for Matching Policies, page 109
• Limitation of an IKE Peer to a Specific Set of Policies, page 110
• Value Selection for Parameters, page 110
• Policy Creation, page 111
• Additional Configuration Required for IKE Policies, page 112

IKE Policy Creation

IKE negotiations must be protected, so each IKE negotiation begins by agreement of both peers on a common (shared) IKE policy. This policy states which security parameters will be used to protect subsequent IKE negotiations and mandates how the peers are authenticated.

Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
SC-108
Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software
OL-20382-01
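The IKE Policies and IKE Policy Creation text above says that each negotiation begins with both peers agreeing on a common policy, but not how that agreement is reached. The following Python model is an added example, not code or text from the Cisco guide. It assumes the general Cisco IKE matching rule as documented in the IOS-family guides: the responder walks its own policies in priority order (lowest number first) and accepts the first one whose encryption, hash, authentication method and Diffie-Hellman group equal a policy the initiator offered and whose lifetime is not shorter than the offered one, after which both peers use the shorter lifetime; if nothing matches, IKE refuses the negotiation. The peer names ROUTER_A and ROUTER_B and their parameter values are constructed sample data.

```python
"""Added example (not from the Cisco guide): how two IKE peers settle on a
common IKE policy.

Assumption, labelled here: the matching rule below is the general Cisco IKE
behaviour documented elsewhere in the Cisco guides, not on this page. The
responder walks its own policies in priority order (lowest number first) and
accepts the first one whose encryption, hash, authentication method and
Diffie-Hellman group equal a policy offered by the initiator and whose
lifetime is not shorter than the offered one; the shorter lifetime is used.
ROUTER_A, ROUTER_B and their parameter values are constructed sample data.
"""
from dataclasses import dataclass, replace
from typing import Iterable, Optional


@dataclass(frozen=True)
class IkePolicy:
    """One IKE policy: the combination of security parameters a peer will
    accept for protecting an IKE negotiation."""
    priority: int          # lower number is tried first
    encryption: str        # e.g. "3des", "aes-256"
    hash: str              # "md5" or "sha"
    authentication: str    # "pre-share", "rsa-sig" or "rsa-encr"
    group: int             # Diffie-Hellman group number
    lifetime: int          # IKE SA lifetime in seconds


def parameters_match(local: IkePolicy, offered: IkePolicy) -> bool:
    """Lifetime aside, the four negotiated parameters must be identical."""
    return (local.encryption == offered.encryption
            and local.hash == offered.hash
            and local.authentication == offered.authentication
            and local.group == offered.group)


def negotiate(responder_policies: Iterable[IkePolicy],
              initiator_offers: Iterable[IkePolicy]) -> Optional[IkePolicy]:
    """Return the policy the responder accepts, carrying the negotiated
    lifetime, or None when no common policy exists (IKE then refuses the
    negotiation and no IPSec session can be set up)."""
    for local in sorted(responder_policies, key=lambda p: p.priority):
        for offered in sorted(initiator_offers, key=lambda p: p.priority):
            if parameters_match(local, offered) and offered.lifetime <= local.lifetime:
                # Both peers use the shorter lifetime, which is the offered one.
                return replace(local, lifetime=offered.lifetime)
    return None


# Constructed sample policies for two hypothetical peers.
ROUTER_A = [
    IkePolicy(10, "aes-256", "sha", "rsa-sig", 5, 86400),
    IkePolicy(20, "3des", "sha", "pre-share", 2, 43200),
]
ROUTER_B = [
    IkePolicy(10, "aes-128", "sha", "rsa-sig", 5, 86400),
    IkePolicy(20, "3des", "sha", "pre-share", 2, 28800),
]


def describe(responder: Iterable[IkePolicy], initiator: Iterable[IkePolicy]) -> str:
    """Human-readable outcome of one negotiation attempt."""
    chosen = negotiate(responder, initiator)
    if chosen is None:
        return "no common policy: IKE negotiation refused"
    return (f"policy {chosen.priority}: {chosen.encryption}/{chosen.hash}/"
            f"{chosen.authentication}/group {chosen.group}, lifetime {chosen.lifetime}s")


if __name__ == "__main__":
    # B offers its policies to A: A's policy 20 matches B's policy 20 on every
    # parameter and the shorter lifetime (28800 s) is adopted.
    print("A responds to B:", describe(ROUTER_A, ROUTER_B))
    # A offers to B: the 3DES policies agree on every parameter, but A's
    # lifetime (43200 s) exceeds B's (28800 s), so B finds no acceptable match.
    print("B responds to A:", describe(ROUTER_B, ROUTER_A))
```

The two runs at the bottom show why the lifetime deserves the same care as the cipher choices: the same pair of policy sets succeeds in one direction and fails in the other purely because of which peer initiates and whose lifetime is shorter.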
