ISAKMP Identity - Cisco CRS-1 - Carrier Routing System Router Configuration Manual

Cisco IOS XR System Security Configuration Guide
Information About Implementing IKE Security Protocol Configurations for IPSec Networks

If you do not configure any policies, your router uses the default policy, which is always set to the lowest priority and contains the default value of each parameter.

Additional Configuration Required for IKE Policies

Depending on the authentication method you specify in your IKE policies, you must perform certain additional configuration tasks before IKE and IPSec can successfully use the IKE policies. Each authentication method requires additional companion configuration as follows:

• RSA signatures method. If you specify RSA signatures as the authentication method in a policy, you may configure the peers to obtain certificates from a CA. (The CA must be properly configured to issue the certificates.) Configure this certificate support as described in the module "Implementing Certification Authority Interoperability."

The certificates are used by each peer to exchange public keys securely. (RSA signatures require that each peer has the public signature key of the remote peer.) When both peers have valid certificates, they automatically exchange public keys with each other as part of any IKE negotiation in which RSA signatures are used.

You may also want to exchange the public keys manually, as described in the "Manually Configuring RSA Keys" section on page 121.

• RSA encrypted nonces method. If you specify RSA encrypted nonces as the authentication method in a policy, you must ensure that each peer has the public keys of the other peers.

Unlike RSA signatures, the RSA encrypted nonces method cannot use certificates to exchange public keys. Instead, you ensure that each peer has the others' public keys by one of the following methods:

– Manually configuring RSA keys, as described in the "Manually Configuring RSA Keys" section on page 121.

– Ensuring that an IKE exchange using RSA signatures with certificates has already occurred between the peers. (The peers' public keys are exchanged during the RSA-signatures-based IKE negotiations if certificates are used.)

To make this happen, specify two policies: a higher-priority policy with RSA encrypted nonces and a lower-priority policy with RSA signatures. When IKE negotiations occur, RSA signatures are used the first time because the peers do not yet have each other's public keys. Then future IKE negotiations are able to use RSA encrypted nonces because the public keys will have been exchanged.

This alternative requires that you have certification authority support configured.

If RSA encryption is configured and signature mode is negotiated (and certificates are used for signature mode), the peer requests both signature and encryption keys. Basically, the router requests as many keys as the configuration supports. If RSA encryption is not configured, it just requests a signature key.

• Preshared keys authentication method. If you specify preshared keys as the authentication method in a policy, you must configure these preshared keys as described in the "Configuring ISAKMP Preshared Keys in ISAKMP Keyrings" section on page 128.

ISAKMP Identity

You should set the ISAKMP identity for each peer that uses preshared keys in an IKE policy.

Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
SC-112
Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software
OL-20382-01
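The two-policy fallback described above (a higher-priority RSA encrypted nonces policy backed by a lower-priority RSA signatures policy), together with the keyring and ISAKMP identity that a preshared-key policy needs, as an added configuration example that is not taken from this guide. The policy numbers, the peer address 192.0.2.2, the keyring name and the key value are assumptions; the CA trustpoint enrollment that policy 20 depends on is not shown.

```cisco
! Lower policy number = higher priority: policy 10 is offered before 20.
! Policy 10 uses RSA encrypted nonces, which can only succeed once the
! peers already hold each other's public keys.
crypto isakmp policy 10
 authentication rsa-encr
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! Policy 20 uses RSA signatures with CA-issued certificates. It is the
! one that matches on the first negotiation; the public keys exchanged
! during that negotiation let policy 10 match on later negotiations.
! This requires certification authority support to be configured.
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! A preshared-key policy needs the key for each peer in a keyring and
! an ISAKMP identity so that the peer can be matched against it.
! 192.0.2.2, PEER-KEYS and the key value are assumed placeholders.
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 2
!
crypto keyring PEER-KEYS
 pre-shared-key address 192.0.2.2 key REPLACE-WITH-A-STRONG-SECRET
!
crypto isakmp identity address
```

Both peers must carry the same policy ordering for the fallback to behave as described; if the remote peer offers only RSA signatures, policy 20 is the one that will ever match.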