Table of Contents
Advertisement
3Com Router 3000 Ethernet Family
Configuration Guide
Chapter 8 IKE Configuration
8.1 IKE Overview
8.1.1 Brief Introduction to IKE
IKE (Internet Key Exchange) is Internet shared secret exchange protocol. It is a mixed
protocol, configured in a framework specified by Internet Security Association and Key
Management Protocol (ISAKMP). IKE will provide automatic negotiation and exchange
of shared key for IPSec and configure Security Association, thus to simplify IPSec
application and management.
Network security has 2 meanings: one is internal LAN security, the other is external
data exchange security. The former is implemented by means of Firewall, network
address translation (NAT) etc. Emerging IPSec (IP Security) implements the latter.
IPSec Security Association can be established by manual configuration, but when
nodes increase in the network, manual configuration will be very difficult, and hard to
ensure security. In this case, the IKE automatic negotiation can be used to establish
Security Association and exchange shared secret.
IKE has a series of self-protection mechanisms to safely distribute shared key,
authenticate identity, and establish IPSec Security Association etc. in unsecured
network.
IKE security mechanism includes:
Diffie-Hellman (DH) exchange and shared key distribution
Diffie-Hellman algorithm is a shared key algorithm. The both parties in communication
can exchange some data without transmitting shared key and find the shared key by
calculation. The pre-condition for encryption is that the both parties must have shared
key. The merit of IKE is that it never transmits shared key directly in the unsecured
network, but calculates the shared key by exchanging a series data. Even if the third
party (e.g. Hackers) captured all exchange data used to calculate shared key for both
parties, he cannot figure out the real shared key.
Perfect Forward Secrecy (PFS)
PFS feature is a security feature. When a shared key is decrypted, there will be no
impact on the security of other shared keys, because these secrets have no derivative
relations among them. IPSec is implemented by adding one key exchange during IKE
negotiation phase II.
Identity authentication
Identity authentication will authenticate identity for both parties in communication.
Authentication key can input to generate shared secret. It is impossible for different
3Com Corporation
8-1
Chapter 8 IKE Configuration
Advertisement
Chapters
Table of Contents
Troubleshooting
