Ike Theory
Protocol
This chapter describes how to configure the Internet Key Exchange (IKE) protocol. IKE is a key
management protocol standard that is used in conjunction with the IPSec standard. IPSec is an IP
security feature that provides robust authentication and encryption of IP packets.
IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features,
flexibility, and ease of configuration for the IPSec standard.
IKE is a hybrid protocol that implements the Oakley key exchange and the Skeme key exchange inside
the Internet Security Association and Key Management Protocol (ISAKMP) framework. (ISAKMP,
Oakley, and Skeme are security protocols implemented by IKE.)
For a complete description of the IKE commands used in this chapter, refer to the “Internet Key
Exchange Security Protocol Commands” chapter in the Cisco IOS Security Command Reference. To
locate documentation of other commands that appear in this chapter, use the command reference master
index or search online.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the chapter “Using Cisco IOS Software.”
In This Chapter
This chapter includes the following sections:
• About IKE
• IKE Configuration Task List
• What To Do Next
• IKE Configuration Examples
About IKE
IKE automatically negotiates IPSec security associations (SAs) and enables IPSec secure
communications without costly manual preconfiguration. Specifically, IKE provides these benefits:
• Eliminates the need to manually specify all the IPSec security parameters in the crypto maps at both
peers.
• Allows you to specify a lifetime for the IPSec security association.
• Allows encryption keys to change during IPSec sessions.
• Allows IPSec to provide anti-replay services.
• Permits certification authority (CA) support for a manageable, scalable IPSec implementation.
• Allows dynamic authentication of peers.
Supported Standards
Cisco implements the following standards:
• IKE—Internet Key Exchange. A hybrid protocol that implements Oakley and Skeme key exchanges
inside the ISAKMP framework. IKE can be used with other protocols, but its initial implementation
is with the IPSec protocol. IKE provides authentication of the IPSec peers, negotiates IPSec keys,
and negotiates IPSec security associations.
IKE is implemented in accordance with RFC 2409, The Internet Key Exchange.
• IPSec—IP Security Protocol. IPSec is a framework of open standards that provides data
confidentiality, data integrity, and data authentication between participating peers. IPSec provides
these security services at the IP layer; it uses IKE to handle negotiation of protocols and algorithms
based on local policy and to generate the encryption and authentication keys to be used by IPSec.
IPSec can be used to protect one or more data flows between a pair of hosts, between a pair of
security gateways, or between a security gateway and a host.
For more information on IPSec, see the chapter “Configuring IPSec Network Security.”
• ISAKMP—Internet Security Association and Key Management Protocol. A protocol framework
that defines payload formats, the mechanics of implementing a key exchange protocol, and the
negotiation of a security association.
ISAKMP is implemented in accordance with the latest version of the Internet Security Association
and Key Management Protocol (ISAKMP) Internet Draft (RFC 2408).
• Oakley—A key exchange protocol that defines how to derive authenticated keying material.
• Skeme—A key exchange protocol that defines how to derive authenticated keying material, with
rapid key refreshment.
The component technologies implemented for use by IKE include the following:
• DES—Data Encryption Standard. An algorithm that is used to encrypt packet data. IKE implements
the 56-bit DES-CBC with Explicit IV standard. Cipher Block Chaining (CBC) requires an
initialization vector (IV) to start encryption. The IV is explicitly given in the IPSec packet.
Cisco IOS software also implements Triple DES (168-bit) encryption, depending on the software
versions available for a specific platform. Triple DES (3DES) is a strong form of encryption that
allows sensitive information to be transmitted over untrusted networks. It enables customers,
particularly in the finance industry, to utilize network-layer encryption.
Note Cisco IOS images that have strong encryption (including, but not limited to, 56-bit data
encryption feature sets) are subject to United States government export controls, and
have a limited distribution. Images that are to be installed outside the United States
require an export license. Customer orders might be denied or subject to delay because
of United States government regulations. Contact your sales representative or distributor
for more information, or send e-mail to [email protected].
• Diffie-Hellman—A public-key cryptography protocol that allows two parties to establish a shared
secret over an unsecure communications channel. Diffie-Hellman is used within IKE to establish
session keys. 768-bit and 1024-bit Diffie-Hellman groups are supported.
• MD5 (HMAC variant)—Message Digest 5. A hash algorithm used to authenticate packet data.
HMAC is a variant that provides an additional level of hashing.
• SHA (HMAC variant)—Secure Hash Algorithm. A hash algorithm used to authenticate packet data.
HMAC is a variant that provides an additional level of hashing.
• RSA signatures and RSA encrypted nonces—RSA is the public key cryptographic system developed
by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA signatures provide nonrepudiation, and
RSA encrypted nonces provide repudiation. (Repudiation and nonrepudiation have to do with
traceability.)
IKE interoperates with the following standard:
X.509v3 certificates—Used with the IKE protocol when authentication requires public keys. This
certificate support allows the protected network to scale by providing the equivalent of a digital ID card
to each device. When two devices wish to communicate, they exchange digital certificates to prove their
identity (thus removing the need to manually exchange public keys with each peer or to manually specify
a shared key at each peer).
List of Terms
Anti-Replay
Anti-replay is a security service in which the receiver can reject old or duplicate packets in order to
protect itself against replay attacks. IPSec provides optional anti-replay services by use of a sequence
number combined with the use of authentication.
Data Authentication
Data authentication includes two concepts:
• Data integrity (verifying that data has not been altered)
• Data origin authentication (verifying that the data was actually sent by the claimed sender)
Data authentication can refer either to integrity alone or to both of these concepts (although data origin
authentication is dependent upon data integrity).
Peer
In the context of this chapter, “peer” refers to a router or other device that participates in IPSec and IKE.
Repudiation
Repudiation is a quality that prevents a third party from being able to prove that a communication
between two other parties ever took place. This is a desirable quality if you do not want your
communications to be traceable. Nonrepudiation is the opposite quality—a third party can prove that a
communication between two other parties took place. Nonrepudiation is desirable if you want to be able
to trace your communications and prove that they occurred.
Security Association
A security association (SA) describes how two or more entities will utilize security services to
communicate securely. For example, an IPSec SA defines the encryption algorithm (if used), the
authentication algorithm, and the shared session key to be used during the IPSec connection.
Both IPSec and IKE require and use SAs to identify the parameters of their connections. IKE can
negotiate and establish its own SA. The IPSec SA is established either by IKE or by manual user
configuration.
Whether Cisco IOS software initiates main mode or aggressive mode, the following restrictions are
applicable:
• The initiating router must not have a certificate associated with the remote peer.
• The preshared key must be by fully qualified domain name (FQDN) on both peers; thus, you have
to enter the crypto isakmp key keystring hostname peer-address command in configuration mode.
• The communicating routers must have an FQDN host entry for each other in their configurations.
• The communicating routers must be configured to authenticate by hostname, not by IP address; thus,
you should use the crypto isakmp identity hostname command.
To disable or enable IKE, use one of the following commands in global configuration mode:
Command Purpose
Router(config)# no crypto isakmp enable
    Disables IKE.
Router(config)# crypto isakmp enable
    Enables IKE.
If you disable IKE, you can skip the rest of the tasks in this chapter and go directly to IPSec
configuration, as described in the chapter “Configuring IPSec Network Security.”
These parameters apply to the IKE negotiations when the IKE security association is established.
Note Depending on which authentication method is specified in a policy, additional configuration might
be required (as described in the section “Additional Configuration Required for IKE Policies”). If a
peer’s policy does not have the required companion configuration, the peer will not submit the policy
when attempting to find a matching policy with the remote peer.
Creating Policies
You can create multiple IKE policies, each with a different combination of parameter values. For each
policy that you create, you assign a unique priority (1 through 10,000, with 1 being the highest priority).
You can configure multiple policies on each peer—but at least one of these policies must contain exactly
the same encryption, hash, authentication, and Diffie-Hellman parameter values as one of the policies
on the remote peer. (The lifetime parameter does not necessarily have to be the same; see details in the
section “How Do IKE Peers Agree upon a Matching Policy?”)
If you do not configure any policies, your router will use the default policy, which is always set to the
lowest priority, and which contains the default value of each parameter.
To configure a policy, use the following commands, beginning in global configuration mode:
Command Purpose
Step 1 Router(config)# crypto isakmp policy priority
            Identifies the policy to create. (Each policy is uniquely identified by the priority
            number you assign.) (This command puts you into the config-isakmp command mode.)
Step 2 Router(config-isakmp)# encryption {des | 3des}
            Specifies the encryption algorithm.
Step 3 Router(config-isakmp)# hash {sha | md5}
            Specifies the hash algorithm.
Step 4 Router(config-isakmp)# authentication {rsa-sig | rsa-encr | pre-share}
            Specifies the authentication method.
Step 5 Router(config-isakmp)# group {1 | 2}
            Specifies the Diffie-Hellman group identifier.
Step 6 Router(config-isakmp)# lifetime seconds
            Specifies the lifetime of the security association.
Step 7 Router(config-isakmp)# exit
            Exits the config-isakmp command mode.
Step 8 Router(config)# exit
            Exits the global configuration mode.
Step 9 Router# show crypto isakmp policy
            (Optional) Displays all existing IKE policies. (Use this command in EXEC mode.)
If you do not specify a value for a parameter, the default value is assigned.
Note The default policy and the default values for configured policies do not show up in the configuration
when you issue a show running command. Instead, to see the default policy and any default values
within configured policies, use the show crypto isakmp policy command.
Command Purpose
Step 1 Router(config)# crypto key generate rsa [usage-keys]
            Generates RSA keys.
Step 2 Router# show crypto key mypubkey rsa
            Displays the generated RSA public key (in EXEC mode).
Remember to repeat these tasks at each peer (without CA support) that uses RSA encrypted nonces in
an IKE policy.
Command Purpose
Step 1 Router(config)# crypto isakmp identity {address | hostname}
            At the local peer: Specifies the peer’s ISAKMP identity by IP address or by host
            name.[1]
Step 2 Router(config)# ip host hostname address1 [address2...address8]
            At all remote peers: If the local peer’s ISAKMP identity was specified using a host
            name, maps the peer’s host name to its IP address(es) at all the remote peers. (This
            step might be unnecessary if the host name or address is already mapped in a DNS
            server.)
[1] See the crypto isakmp identity command description for guidelines for when to use the IP
address and when to use the host name.
Remember to repeat these tasks at each peer that uses preshared keys in an IKE policy.
Command Purpose
Step 1 Router(config)# crypto key pubkey-chain rsa
            Enters public key chain configuration mode.
Step 2 Router(config-pubkey-c)# named-key key-name [encryption | signature]
       or
       Router(config-pubkey-c)# addressed-key key-address [encryption | signature]
            Indicates which remote peer’s RSA public key you are going to specify. Enters public
            key configuration mode.
            If the remote peer uses its host name as its ISAKMP identity, use the named-key
            command and specify the remote peer’s fully qualified domain name (such as
            somerouter.example.com) as the key-name.
            If the remote peer uses its IP address as its ISAKMP identity, use the addressed-key
            command and specify the remote peer’s IP address as the key-address.
Step 3 Router(config-pubkey-k)# address ip-address
            Specifies the remote peer’s IP address.
            You can optionally use this command if you used a fully qualified domain name to name
            the remote peer in Step 2 (using the named-key command).
Step 4 Router(config-pubkey-k)# key-string
       key-string
            Specifies the remote peer’s RSA public key. This is the key previously viewed by the
            remote peer’s administrator when the remote router’s RSA keys were generated.
Step 5 Router(config-pubkey-k)# quit
            Returns to public key chain configuration mode.
Step 6 —
            Repeat Steps 2 through 4 to specify the RSA public keys of all the other IPSec peers
            that use RSA encrypted nonces in an IKE policy.
Step 7 Router(config-pubkey-c)# exit
            Returns to global configuration mode.
Remember to repeat these tasks at each peer that uses RSA encrypted nonces in an IKE policy.
To view RSA public keys while or after you configure them, use the following command in EXEC mode:
Command Purpose
Router# show crypto key pubkey-chain rsa {name key-name | address key-address}
    Displays a list of all the RSA public keys stored on your router, or displays details of a
    particular RSA public key stored on your router.
Command Purpose
Step 1 Router(config)# crypto isakmp key keystring address peer-address
       or
       Router(config)# crypto isakmp key keystring hostname peer-hostname
            At the local peer: Specifies the shared key to be used with a particular remote peer.
            If the remote peer specified its ISAKMP identity with an address, use the address
            keyword in this step; otherwise use the hostname keyword in this step.
Step 2 Router(config)# crypto isakmp key keystring address peer-address
       or
       Router(config)# crypto isakmp key keystring hostname peer-hostname
            At the remote peer: Specifies the shared key to be used with the local peer. This is
            the same key you just specified at the local peer.
            If the local peer specified its ISAKMP identity with an address, use the address
            keyword in this step; otherwise use the hostname keyword in this step.
Step 3 —
            Repeat Steps 1 and 2 for each remote peer.
Remember to repeat these tasks at each peer that uses preshared keys in an IKE policy.
Note Using 0.0.0.0 as a subnet address is not recommended because it encourages group preshared keys,
which allow all peers to have the same group key, thereby reducing the security of your user
authentication.
Command Purpose
Router(config)# crypto isakmp key keystring address peer-address [mask]
    At the local peer: Specifies the shared key to be used with a particular remote peer and the
    mask IP address.
    At the local peer: Specifies the shared key to be used with the local peer and the mask IP
    address.
    Note If you specify a mask, it is up to you to use a subnet address.
Command Purpose
Router(config-crypto-map)# crypto map map-name isakmp authorization list list-name
    Enables IKE querying of AAA for tunnel attributes in aggressive mode.
To configure IKE Mode Configuration on your Cisco access router, use the following commands in
global configuration mode:
Command Purpose
Step 1 router(config)# ip local pool pool-name start-addr end-addr
            Defines an existing local address pool that defines a set of addresses. For more
            information on the ip local pool command, refer to the Cisco IOS Dial Technologies
            Command Reference.
Step 2 router(config)# crypto isakmp client configuration address-pool local pool-name
            References the local address pool in the IKE configuration. For more information on
            the crypto isakmp client configuration address-pool local command, refer to the
            Cisco IOS Security Command Reference.
Step 3 router(config)# crypto map tag client configuration address [initiate | respond]
            Configures IKE Mode Configuration in global crypto map configuration mode. For more
            information on the crypto map client configuration address command, refer to the
            Cisco IOS Security Command Reference.
To enable Xauth on a crypto map, perform the following task in crypto map configuration mode:
Command Purpose
Router(config)# crypto map map-name client authentication list list-name
    Enables extended authentication (Xauth) on a crypto map.
    Note After enabling Xauth, you should apply the crypto map on which Xauth is configured to
    the router interface.
To verify that the Xauth feature is enabled, use the show crypto map command in EXEC mode. If the
crypto map client authentication list command does not appear in the crypto map output, the Xauth
feature is not enabled.
Note TED helps only in discovering peers; otherwise, TED does not function any differently than normal
IPSec. TED does not improve the scalability of IPSec (in terms of performance or the number of
peers or tunnels).
Figure 36 and the corresponding steps explain a sample TED network topology.
TED Versions
The following table lists the available TED versions:
TED Restrictions
Tunnel Endpoint Discovery has the following restrictions:
• It is Cisco proprietary.
• It is available only on dynamic crypto maps. (The dynamic crypto map template is based on the
dynamic crypto map performing peer discovery. Although there are no access-list restrictions on the
dynamic crypto map template, the dynamic crypto map template should cover data sourced from the
protected traffic and the receiving router using the any keyword. When using the any keyword,
include explicit deny statements to exempt routing protocol traffic prior to entering the permit any
command.)
• TED works only in tunnel mode; that is, it does not work in transport mode.
• It is limited by the performance and scalability limitations of IPSec on each individual platform.
Note Enabling TED slightly decreases the general scalability of IPSec because of the set-up
overhead of peer discovery, which involves an additional “round-trip” of IKE messages
(TED probe and reply). Although minimal, the additional memory used to store data
structures during the peer discovery stage adversely affects the general scalability of
IPSec.
To create a dynamic crypto map entry with Tunnel Endpoint Discovery (TED) configured, use the
following commands, beginning in crypto-map configuration mode:
Command Purpose
Step 1 Router(config)# crypto dynamic-map dynamic-map-name dynamic-map-number
       Router(config-crypto-m)# set transform-set transform-set-name1
       [transform-set-name2...transform-set-name6]
       Router(config-crypto-m)# match address access-list-id
       Router(config-crypto-m)# set security-association lifetime seconds seconds
       and/or
       Router(config-crypto-m)# set security-association lifetime kilobytes kilobytes
       Router(config-crypto-m)# set pfs [group1 | group2]
       Router(config-crypto-m)# exit
            Configures a dynamic crypto map using the crypto dynamic-map command.
            Note You must configure a match address; otherwise, the behavior is not secure, and
            you cannot enable TED because packets are sent in the clear (unencrypted).
Step 2 Router(config)# crypto map map-name map-number ipsec-isakmp dynamic dynamic-map-name
       [discover]
            Adds a dynamic crypto map to a crypto map set.
            Enter the discover keyword on the dynamic crypto map to enable TED.
Command Purpose
Step 1 Router# show crypto isakmp sa
            Displays existing IKE connections; note the connection identifiers for connections
            you want to clear.
Step 2 Router# clear crypto isakmp [connection-id]
            Clears IKE connections.
Troubleshooting IKE
To assist in troubleshooting IKE, use the following commands in EXEC mode:
Command Purpose
Router# show crypto isakmp policy
    Displays the parameters for each configured IKE policy.
Router# show crypto isakmp sa
    Displays all current IKE security associations.
Router# show crypto map
    Displays the crypto map configuration.
Router# show running-config
    Verifies IKE configuration.
Router# debug crypto isakmp
    Displays debug messages about IKE events.
What To Do Next
After IKE configuration is complete, you can configure IPSec. IPSec configuration is described in the
chapter “Configuring IPSec Network Security.”
In the example, the encryption des of policy 15 would not appear in the written configuration because
this is the default value for the encryption algorithm parameter.
If the show crypto isakmp policy command is issued with this configuration, the output is as follows:
Protection suite priority 15
encryption algorithm:3DES - Triple Data Encryption Standard (168 bit keys)
hash algorithm:Message Digest 5
authentication method:Rivest-Shamir-Adleman Signature
Diffie-Hellman group:#2 (1024 bit)
lifetime:5000 seconds, no volume limit
Protection suite priority 20
encryption algorithm:DES - Data Encryption Standard (56 bit keys)
hash algorithm:Secure Hash Standard
authentication method:preshared Key
Diffie-Hellman group:#1 (768 bit)
lifetime:10000 seconds, no volume limit
Default protection suite
encryption algorithm:DES - Data Encryption Standard (56 bit keys)
hash algorithm:Secure Hash Standard
authentication method:Rivest-Shamir-Adleman Signature
Diffie-Hellman group:#1 (768 bit)
lifetime:86400 seconds, no volume limit
Note that although the output shows “no volume limit” for the lifetimes, you can configure only a time
lifetime (such as 86,400 seconds); volume-limit lifetimes are not configurable.
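The following added example (not part of the Cisco chapter) parses the show crypto isakmp policy output above and applies the matching rule from "Creating Policies": two policies match when encryption, hash, authentication, and Diffie-Hellman group are identical, with lifetime left out of the comparison. The remote peer's output is constructed for illustration, and the names parse_policies and matching_pairs are hypothetical.

```python
import re

# Local peer: the `show crypto isakmp policy` output shown above.
LOCAL = """\
Protection suite priority 15
encryption algorithm:3DES - Triple Data Encryption Standard (168 bit keys)
hash algorithm:Message Digest 5
authentication method:Rivest-Shamir-Adleman Signature
Diffie-Hellman group:#2 (1024 bit)
lifetime:5000 seconds, no volume limit
Protection suite priority 20
encryption algorithm:DES - Data Encryption Standard (56 bit keys)
hash algorithm:Secure Hash Standard
authentication method:preshared Key
Diffie-Hellman group:#1 (768 bit)
lifetime:10000 seconds, no volume limit
Default protection suite
encryption algorithm:DES - Data Encryption Standard (56 bit keys)
hash algorithm:Secure Hash Standard
authentication method:Rivest-Shamir-Adleman Signature
Diffie-Hellman group:#1 (768 bit)
lifetime:86400 seconds, no volume limit
"""

# Remote peer: constructed sample output (an assumption, not from the chapter).
REMOTE = """\
Protection suite priority 10
encryption algorithm:DES - Data Encryption Standard (56 bit keys)
hash algorithm:Secure Hash Standard
authentication method:preshared Key
Diffie-Hellman group:#1 (768 bit)
lifetime:3600 seconds, no volume limit
Protection suite priority 30
encryption algorithm:3DES - Triple Data Encryption Standard (168 bit keys)
hash algorithm:Message Digest 5
authentication method:Rivest-Shamir-Adleman Signature
Diffie-Hellman group:#1 (768 bit)
lifetime:5000 seconds, no volume limit
"""

FIELDS = {"encryption algorithm": "encryption", "hash algorithm": "hash",
          "authentication method": "authentication",
          "Diffie-Hellman group": "group", "lifetime": "lifetime"}
MATCH_KEYS = ("encryption", "hash", "authentication", "group")

def parse_policies(text):
    """Turn the command output into one dict per protection suite."""
    policies = []
    for line in (raw.strip() for raw in text.splitlines()):
        suite = re.match(r"Protection suite priority (\d+)", line)
        if suite or line == "Default protection suite":
            # The default suite has no number; it is always lowest priority.
            policies.append({"priority": int(suite.group(1)) if suite else "default"})
        elif ":" in line and policies:
            key, value = line.split(":", 1)
            if key.strip() in FIELDS:
                policies[-1][FIELDS[key.strip()]] = value.strip()
    return policies

def matching_pairs(local, remote):
    """(local, remote) priorities whose four negotiated values are identical.
    Lifetime is left out of the comparison, as the chapter describes."""
    return [(loc["priority"], rem["priority"]) for loc in local for rem in remote
            if all(k in loc and loc[k] == rem.get(k) for k in MATCH_KEYS)]

if __name__ == "__main__":
    pairs = matching_pairs(parse_policies(LOCAL), parse_policies(REMOTE))
    print(pairs or "no matching IKE policy")
```

With these two inputs the only match is local policy 20 with remote policy 10, even though their lifetimes differ; remote policy 30 differs from local policy 15 only in the Diffie-Hellman group and therefore does not match.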
! This sets up a dynamic crypto-map, which will query AAA for a shared secret.