Internet Key Exchange Mode Configuration - Cisco IOS XR Configuration Manual

System security configuration guide

Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software

Information About Implementing IKE Security Protocol Configurations for IPSec Networks

Configuring preshared keys using an authentication, authorization, and accounting (AAA) server allows each user to have his or her own key, which is stored on an external AAA server. This allows for central management of the user database, linking it to an existing AAA database, in addition to allowing every user to have a unique, more secure preshared key.

To configure this feature, you must perform the following tasks at each peer:
• Configure AAA.
• Configure a dynamic crypto ISAKMP profile.
• Configure extended authentication (optional).
• Configure ISAKMP policy.

For information on configuring crypto ISAKMP profiles, including enabling an IPSec peer for preshared keys using an AAA server, see both the "Configuring Crypto Keyrings" section on page 54 and the "Configuring the ISAKMP Profile for Locally Sourced and Destined Traffic" section on page 58.

Preshared keys using an AAA server have the following restrictions:
• The shared secret can be accessed only in aggressive mode. The ID of the IKE exchange is used as the username to query AAA if no local key can be found on the Cisco IOS XR router to which the user is trying to connect. Aggressive mode provides the ID in the first part of the IKE exchange; main mode does not provide the ID until the latter part of the IKE exchange, which is too late for key lookup.
• Only the following ID types can be used:
  – IPv4 address (can be different from the one assigned by the Internet service provider [ISP])
  – FQDN (fully qualified domain name)
  – E-mail address

Internet Key Exchange Mode Configuration

IKE mode configuration, as defined by the Internet Engineering Task Force (IETF), allows a gateway to download an IP address (and other network-level configuration) to the client as part of an IKE negotiation. Using this exchange, the gateway gives IP addresses to the IKE client to be used as an "inner" IP address encapsulated under IPSec. This method provides a known IP address for the client that can be matched against IPSec policy.

To implement the Cisco IPSec VPN SPAs between remote access clients that have dynamic IP addresses and a corporate gateway, you have to dynamically administer scalable IPSec policy on the gateway once each client is authenticated. With IKE mode configuration, the gateway can set up scalable policy for a very large set of clients irrespective of the IP addresses of those clients.

The client initiation type of IKE mode configuration is supported. The client initiates the configuration mode with the gateway. The gateway responds with an IP address that it has allocated for the client.

Mode configuration must be applied to a crypto ISAKMP profile to be enforced. For instructions on how to apply mode configuration to a crypto ISAKMP profile, see the "Defining Group Policy Information for Mode Configuration" section on page 36.

Interfaces with crypto ISAKMP profiles that are configured for IKE mode configuration may experience a slightly longer connection setup time. This longer setup time applies even to IKE peers that refuse to be configured or do not respond to the configuration mode request, because in both cases the gateway still initiates the configuration of the client.

Cisco IOS XR System Security Configuration Guide
SC-28
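To make the aggressive-mode restriction above concrete, here is an added Python model (not Cisco code and not from this guide) of the responder's per-user key lookup in both IKEv1 Phase 1 modes: in aggressive mode ID_i is readable in message 1, while in main mode ID_i arrives encrypted under a key derived from the PSK the responder was trying to look up. The AAA store, nonces, HMAC-SHA256 PRF and XOR toy cipher are constructed assumptions standing in for the real IKEv1 primitives.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample AAA store: per-user preshared keys indexed by IKE ID.
AAA_PSK_STORE = {
    "alice@example.com": b"alice-psk-0001",  # e-mail ID, dynamic-address client
    "192.0.2.10": b"ipv4-psk-0003",          # IPv4 ID, static-address peer
}

def prf(key: bytes, data: bytes) -> bytes:
    """Keyed PRF standing in for IKEv1 prf(); HMAC-SHA256 is an assumption."""
    return hmac.new(key, data, hashlib.sha256).digest()

def aaa_lookup(ike_id: str) -> Optional[bytes]:
    """Query the AAA store by IKE ID (e-mail, FQDN or IPv4 address)."""
    return AAA_PSK_STORE.get(ike_id)

def derive_skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """IKEv1 preshared-key SKEYID = prf(PSK, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy XOR keystream cipher (not real IKE encryption); it only shows
    that reading message 5 depends on a key derived from the PSK."""
    stream = b"".join(prf(key, i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def responder_aggressive(msg1: dict, nr: bytes) -> Optional[bytes]:
    """Aggressive mode: message 1 carries ID_i in the clear, so the
    responder can fetch that user's PSK before deriving SKEYID."""
    psk = aaa_lookup(msg1["id_i"])
    return None if psk is None else derive_skeyid(psk, msg1["ni"], nr)

def initiator_main_msg5(ike_id: str, psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """Main mode message 5: ID_i is sent encrypted under a key from SKEYID."""
    return toy_encrypt(prf(derive_skeyid(psk, ni, nr), b"e"), ike_id.encode())

def responder_main(peer_ip: str, msg5: bytes, ni: bytes, nr: bytes) -> Optional[str]:
    """Main mode: before message 5 the responder knows only the peer's source
    address, so that is all it can ask AAA for. Reading ID_i needs SKEYID,
    which needs the PSK: the identity arrives too late for a per-user lookup."""
    psk = aaa_lookup(peer_ip)
    if psk is None:
        return None  # dynamic-address client: no key under its IP, cannot decrypt
    return toy_encrypt(prf(derive_skeyid(psk, ni, nr), b"e"), msg5).decode()
```

The static-address peer succeeds in main mode only because its source IP happens to be its IKE ID; the e-mail-identified client can be served in aggressive mode alone.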

This manual is also suitable for: IOS XR 3.5