Chapter 40 More About....
More About VPN
40-22
Cisco Router and Security Device Manager 2.5 User’s Guide
OL-4015-12
Encryption Algorithm: DES, 3DES, or AES
Packet Signature Algorithm (the hash used for HMAC integrity protection): MD5 or SHA-1
DES and MD5 are offered for compatibility with older peers; where both peers support it, choose AES and SHA-1, since DES's 56-bit key and MD5 are no longer considered adequate.
Key Exchange
IKE runs the negotiated key-exchange method (the Diffie-Hellman group chosen
during session negotiation; see "Session Negotiation" above) to produce
enough cryptographic keying material to protect the rest of the exchange.
Because the Diffie-Hellman values are generated fresh for every negotiation,
each IKE session is protected with a new, secure set of keys.
Authentication, session negotiation, and key exchange constitute phase 1 of an
IKE negotiation.
IPSec Tunnel Negotiation and Configuration
After IKE has negotiated a secure, authenticated channel (phase 1), that
channel is used to negotiate the IPSec tunnel itself. This is IKE phase 2. In
this exchange, IKE creates fresh keying material for the IPSec tunnel to use,
either by deriving it from the IKE phase 1 keys or, when Perfect Forward
Secrecy (PFS) is configured, by performing a new Diffie-Hellman exchange so
that a later compromise of the phase 1 keys does not expose the tunnel keys.
The encryption and authentication algorithms for this tunnel are also
negotiated here.
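The two ways of producing phase 2 keying material described above can be seen side by side in the following added example (not code from the Cisco guide or from SDM). It follows the quick-mode KEYMAT construction of RFC 2409 section 5.5 with HMAC-SHA1 as the prf and IKE Diffie-Hellman group 2; the pre-shared key, cookies, nonces and SPI are constructed values. The eavesdropper in the example records everything sent on the wire and is then assumed to obtain SKEYID_d from a compromised phase 1 state: without PFS that is enough to recompute the tunnel keys, with PFS it is not.

```python
import hashlib
import hmac
import secrets

# IKE Diffie-Hellman group 2 (1024-bit MODP), RFC 2409 section 6.2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
PLEN = (P.bit_length() + 7) // 8


def prf(key: bytes, data: bytes) -> bytes:
    """IKE's prf when the negotiated hash is SHA-1: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def dh_secret(x: int, peer_pub: int) -> bytes:
    """g^xy as a fixed-width big-endian byte string, as IKE encodes it."""
    return pow(peer_pub, x, P).to_bytes(PLEN, "big")


def phase1_skeyid_d(psk, ni, nr, gxy, cky_i, cky_r):
    """SKEYID for pre-shared-key authentication, then SKEYID_d
    (RFC 2409 sections 5.4 and 5)."""
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, gxy + cky_i + cky_r + b"\x00")


def phase2_keymat(skeyid_d, protocol, spi, ni, nr, gqm_xy=b""):
    """Quick-mode KEYMAT for one IPsec SA. gqm_xy is the fresh DH secret
    when PFS is used and empty when the keys are derived from the
    phase 1 keys alone (RFC 2409 section 5.5)."""
    return prf(skeyid_d, gqm_xy + protocol + spi + ni + nr)


def run(pfs: bool) -> dict:
    """Run phase 1 and phase 2 between initiator and responder, then
    replay an eavesdropper who later learns SKEYID_d."""
    psk = b"example-preshared-key"  # constructed value
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)

    # Phase 1: main-mode Diffie-Hellman; both sides arrive at the same g^xy.
    xi, pub_i = dh_keypair()
    xr, pub_r = dh_keypair()
    gxy = dh_secret(xi, pub_r)
    assert gxy == dh_secret(xr, pub_i)
    skeyid_d = phase1_skeyid_d(psk, ni, nr, gxy, cky_i, cky_r)

    # Phase 2: fresh nonces and an SPI for an ESP SA (DOI protocol id 3).
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    protocol, spi = b"\x03", secrets.token_bytes(4)
    gqm_xy = b""
    if pfs:
        # New key exchange whose private exponents are discarded afterwards.
        qi, qpub_i = dh_keypair()
        qr, qpub_r = dh_keypair()
        gqm_xy = dh_secret(qi, qpub_r)
        assert gqm_xy == dh_secret(qr, qpub_i)
    keymat = phase2_keymat(skeyid_d, protocol, spi, ni2, nr2, gqm_xy)

    # Eavesdropper: has the nonces, SPI and public DH values from the wire,
    # plus SKEYID_d from a compromised phase 1 state, but no private
    # exponent. Without PFS that recomputes KEYMAT exactly; with PFS the
    # quick-mode g^xy is missing and the derivation does not match.
    attacker_keymat = phase2_keymat(skeyid_d, protocol, spi, ni2, nr2)
    return {"pfs": pfs, "attacker_recovers_keymat": attacker_keymat == keymat}


if __name__ == "__main__":
    print(run(pfs=False))
    print(run(pfs=True))
```

Real IKE additionally expands KEYMAT by chaining prf calls when the IPsec algorithms need more than one prf output of key material; that step is omitted here because it does not change the PFS point.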
More About IKE Policies
When the IKE negotiation begins, IKE looks for an IKE policy that is the same on
both peers. The peer that initiates the negotiation sends all of its policies to
the remote peer, and the remote peer tries to find a match. The remote peer looks
for a match by comparing its own highest-priority policy against the policies it
received, then checks each of its remaining policies in order of priority
(highest first; in Cisco IOS the policy with the lowest number has the highest
priority) until a match is found. If none of the remote peer's policies matches
any received policy, the negotiation fails.
A match is made when both policies from the two peers contain the same
encryption, hash, authentication, and Diffie-Hellman parameter values, and when
the remote peer's policy specifies a lifetime less than or equal to the lifetime
in the policy being compared. If the lifetimes are not identical, the shorter
lifetime, the one from the remote peer's policy, is used.
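The matching rule above is easy to get wrong when two routers carry several policies each, so the following added example (not code from the Cisco guide or from SDM) implements it exactly as the text states it: the responder walks its own policies in priority order, compares each against every policy the initiator offered, and accepts the first pair with identical algorithm values whose local lifetime is less than or equal to the offered one. The policy lists are constructed sample configurations; the weak-parameter check at the end is an addition for practitioners and not part of the matching rule.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkePolicy:
    """One 'crypto isakmp policy <priority>' entry. In IOS a lower
    priority number is the higher priority, so 10 is checked before 20."""
    priority: int
    encryption: str      # "des", "3des" or "aes"
    hash: str            # "md5" or "sha"
    authentication: str  # e.g. "pre-share" or "rsa-sig"
    group: int           # Diffie-Hellman group number
    lifetime: int        # SA lifetime in seconds

    def algorithms(self) -> Tuple[str, str, str, int]:
        return (self.encryption, self.hash, self.authentication, self.group)


def select_policy(
    local_policies: List[IkePolicy], received_policies: List[IkePolicy]
) -> Optional[Tuple[IkePolicy, IkePolicy, int]]:
    """Responder-side policy selection as the text describes it.

    Returns (local policy, matching received policy, negotiated lifetime),
    or None when no pair matches and the negotiation fails.
    """
    for mine in sorted(local_policies, key=lambda p: p.priority):
        for offered in sorted(received_policies, key=lambda p: p.priority):
            if mine.algorithms() != offered.algorithms():
                continue
            if mine.lifetime > offered.lifetime:
                continue  # local lifetime must be <= the offered one
            # Lifetimes equal, or the local one is shorter: local one is used.
            return mine, offered, mine.lifetime
    return None


# Weak choices a reviewer should flag in any selected policy (assumption:
# DES, MD5 and DH group 1 (768-bit) are below current recommendations).
def weak_parameters(policy: IkePolicy) -> List[str]:
    flags = []
    if policy.encryption == "des":
        flags.append("des")
    if policy.hash == "md5":
        flags.append("md5")
    if policy.group == 1:
        flags.append("group 1")
    return flags


# Constructed sample configurations for two routers.
RESPONDER = [
    IkePolicy(10, "aes", "sha", "pre-share", 2, 86400),
    IkePolicy(20, "3des", "sha", "pre-share", 2, 86400),
    IkePolicy(30, "des", "md5", "pre-share", 1, 86400),
]
INITIATOR = [
    IkePolicy(10, "3des", "sha", "pre-share", 2, 3600),
    IkePolicy(20, "aes", "sha", "pre-share", 2, 86400),
]

if __name__ == "__main__":
    # The responder's order decides: its policy 10 (AES) is matched against
    # the initiator's policy 20 even though the initiator listed 3DES first.
    print(select_policy(RESPONDER, INITIATOR))
    # Same algorithms but the responder's 86400 s exceeds the offered 3600 s,
    # so under the stated rule nothing matches and negotiation fails.
    print(select_policy(RESPONDER, [IkePolicy(10, "3des", "sha", "pre-share", 2, 3600)]))
    print(weak_parameters(RESPONDER[2]))
```

When debugging a failed negotiation, compare the two routers' policy lists in exactly this way, including lifetimes, rather than only checking that some algorithm set appears on both sides.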