IKE Overview: Main Mode and Aggressive Mode

Uploaded by

Kwasi Kwadwo
Copyright
© Attribution Non-Commercial (BY-NC)

11/3/11

IKE Overview


IKE Overview
The IKE suite of protocols allows a pair of security gateways to:
- Dynamically establish a secure tunnel over which the security gateways can exchange tunnel and key information.
- Set up user-level tunnels or SAs, including tunnel attribute negotiation and key management. These tunnels can also be refreshed and terminated on top of the same secure channel.

IKE is based on the Oakley and Skeme key determination protocols and the ISAKMP framework for key exchange and security association establishment. IKE provides:
- Automatic key refreshing on configurable timeouts.
- Support for public key infrastructure (PKI) authentication systems.
- Antireplay defense.

IKE is layered on UDP and uses UDP port 500 to exchange IKE information between the security gateways. Therefore, UDP port 500 packets must be permitted on any IP interface involved in connecting to a security gateway peer. The following sections expand on the IKE functionality available for the router.

Main Mode and Aggressive Mode


IKE phase 1 negotiations are used to establish IKE SAs. These SAs protect the IKE phase 2 negotiations. IKE uses one of two modes for phase 1 negotiations: main mode or aggressive mode. The choice of main or aggressive mode is a matter of tradeoffs. Some of the characteristics of the two modes are:

Main mode
- Protects the identities of the peers during negotiations and is therefore more secure.
- Allows greater proposal flexibility than aggressive mode.
- Is more time consuming than aggressive mode because more messages are exchanged between peers. (Six messages are exchanged in main mode.)

Aggressive mode
- Exposes identities of the peers to eavesdropping, making it less secure than main mode.
- Is faster than main mode because fewer messages are exchanged between peers. (Three messages are exchanged in aggressive mode.)

The next section describes aggressive mode in more detail.
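As an added illustration (not part of the Juniper page), the following Python model lays out the two phase 1 message flows, with payload contents taken from RFC 2409 for the preshared-key variant, and reports which identity payloads travel before any encryption is in place:

```python
# Added example: models the IKEv1 phase 1 flows compared above.
# Payload contents follow RFC 2409 (preshared-key variant); the page itself
# only gives the message counts and the identity-exposure tradeoff.
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Message:
    sender: str          # "I" = initiator, "R" = responder
    payloads: List[str]  # ISAKMP payloads carried in this message
    encrypted: bool      # True once phase 1 keys protect the message body

# Main mode: six messages. Identities (IDi/IDr) are sent in messages 5 and 6,
# after the Diffie-Hellman exchange, so they are already encrypted.
MAIN_MODE = [
    Message("I", ["SA"], False),
    Message("R", ["SA"], False),
    Message("I", ["KE", "Ni"], False),
    Message("R", ["KE", "Nr"], False),
    Message("I", ["IDi", "HASH_I"], True),
    Message("R", ["IDr", "HASH_R"], True),
]

# Aggressive mode: three messages. SA proposal, KE, nonce and identity are
# bundled into the first two messages, before any key exists to protect them.
# Because KE is already in message 1, the initiator must commit to a single
# Diffie-Hellman group up front (the proposal-flexibility limit noted above).
# With RSA signature authentication, SIG_I/SIG_R replace HASH_I/HASH_R.
AGGRESSIVE_MODE = [
    Message("I", ["SA", "KE", "Ni", "IDi"], False),
    Message("R", ["SA", "KE", "Nr", "IDr", "HASH_R"], False),
    Message("I", ["HASH_I"], False),
]

IDENTITY_PAYLOADS = {"IDi", "IDr"}

def exposed_identities(flow: List[Message]) -> List[str]:
    """Identity payloads a passive observer of UDP/500 traffic can read."""
    return sorted(p for m in flow if not m.encrypted
                  for p in m.payloads if p in IDENTITY_PAYLOADS)

def summarize(flow: List[Message]) -> Dict[str, object]:
    return {"messages": len(flow), "exposed_ids": exposed_identities(flow)}

if __name__ == "__main__":
    print("main mode:      ", summarize(MAIN_MODE))
    print("aggressive mode:", summarize(AGGRESSIVE_MODE))
```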
/ipsec-config5.html 1/4

juniper.net/techpubs/software/erx/erx51x/


Aggressive Mode Negotiations


D i g agg e i e Whe agg e i i ia e e Whe e a de ha e 1 eg ia i , he E- e ie e beha e a f :

he e i he i i ia , he e ea che a ic e fi d h e ha a i e de. The e he e ec he e i h highe i i a d e he e ha e 1 eg ia i . If he e a e ic e i h agg e i e de a ed, he e ec he highe - i i e ha a ai de. he e i he e de , he eg ia i de e d ha he i i ia e ,a ha i c fig ed i he ic e. f i i ia eg ia i e a a d ic e .A h , a e ace a e ha he

Tab e 12-6 i e he ib e c bi a i a i g agg e i e de i a ic ea i i ia e e . Tab e 12-6 I i ia a a d ic

Initiator Requests Responder Polic Rule Match Agg e i e Agg e i e Mai Mai de de de de Agg e i e a Agg e i e Agg e i e a Agg e i e a a ed ed ed ed Ye N Ye Ye

The i i ia

e e d . A a ch ea

ha e 1 eg ia i i h he highe i i ha a a a e e , i c di g he e cha ge

ic e ha e, a ch.

a che he

IKE Policies
An IKE policy defines a combination of security parameters to be used during the IKE SA negotiation. IKE policies are configured on both security gateway peers, and there must be at least one policy on the local peer that matches a policy on the remote peer. Failing that, the peers will not be able to successfully negotiate the IKE SA, and data flow will not be possible.

IKE policies are global to the router. Every IPSec service line module uses the same set of policies when negotiating IKE SAs. The agreed-upon IKE SA between the local router and a remote security gateway may vary, because it depends on the IKE policies used by each remote peer. However, the initial set of IKE policies the router uses is always the same and is independent of which peer the router is negotiating with. During negotiations, the router uses all its IKE policies that require parameters appropriate for the remote security gateway with which the IKE SA is being negotiated.

You can define multiple IKE policies, with each policy having a different combination configured for security parameters. A default IKE policy that contains default values for every policy parameter is available. This policy is used when no IKE policies are configured and IKE is required. The following sections describe each of the parameters contained in an IKE policy.

Priority
Pi i a be e ( e ec e) The fac i e ai ha e e IKE icie be gi e efe e ce d i g he eg ia i ce . ic i c ide ed ec e e gh ec e he IKE SA f .

During IKE negotiations all policies are scanned, one at a time, starting from the highest-priority policy and ending with the lowest-priority policy. The first policy that the peer security gateway accepts is used for that IKE session. This procedure is repeated for every IKE session that needs to be established.

Encryption
A specific encryption transform can be applied to an IKE policy. The supported encryption algorithms are:
- DES
- 3DES

Hash Function
A specific hash function algorithm can be specified in an IKE policy. The supported values are:
- MD5
- SHA-1

IKE also uses an authentication algorithm during IKE exchanges. This authentication automatically uses the HMAC version of the specified hash algorithm. Therefore, the hash function value MD5 corresponds to the HMAC version of MD5, and SHA-1 corresponds to the authentication algorithm HMAC-SHA.

Authentication Mode
As part of the IKE protocol, two security gateways need to authenticate the other security gateway to make sure that the IKE SA is established with the intended party. The E-series router supports two authentication methods:

Digital certificates (using RSA algorithms)

For digital certificate authentication, an initiator signs messages in the exchanged data using its private key, and a responder uses the initiator's public key to verify the signature. Typically, the public key is exchanged via messages containing an X.509v3 certificate. This certificate provides a level of assurance that a peer's identity (as represented in the certificate) is associated with a particular public key.

For more information, see Chapter 13, Configuring Digital Certificates.

Preshared keys
With preshared key authentication mode, the same secret string (similar to a password) must be configured on both security gateways before the gateways can authenticate each other. It is not advisable to share a preshared key among multiple pairs of security gateways, because it reduces the key's security level. The router allows preshared keys to be up to 256 characters composed of any ASCII alphanumeric character.

Diffie-Hellman Group
An IKE policy must specify which Diffie-Hellman group is used during the symmetrical key generation phase of IKE. The following Diffie-Hellman groups are supported:
- Group 1 (768-bit)
- Group 2 (1024-bit)
- Group 5 (1536-bit)

Lifetime
Like a user SA, an IKE SA should not last indefinitely. Therefore, the router allows you to specify a lifetime parameter for an IKE policy. The timer for the lifetime parameter begins when the IKE SA is established using IKE.

IKE SA Negotiation


As the initiator of an IKE SA, the router sends its IKE policies to the remote peer. If the peer has an IKE policy that matches the encryption, hash, authentication method, and Diffie-Hellman group settings, the peer returns the matching policy. The peers use the lesser lifetime setting as the IKE SA lifetime. If no match is found, the IKE SA fails, and a log alarm is generated.

As the responder of an IKE negotiation, the router receives all IKE policies from a remote security gateway. The router then scans its own list of IKE policies to check whether a match exists, starting from the highest priority. If it finds a match, that policy is successfully negotiated. Again, the lifetime is negotiated to the lesser of the two lifetimes, and failures are logged.

Copyright 1998-2005, Juniper Networks, Inc. All Rights Reserved.
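As an added example (not the router's own code) of the priority scan and the negotiation described above, this Python function plays the responder role: it scans constructed local policies from highest priority, matches on encryption, hash, authentication method and Diffie-Hellman group, takes the lesser lifetime, and logs a failure when nothing matches. The priority numbering (lower value = higher priority) and the policy field names are assumptions.

```python
# Added example, not the router's code: responder-side IKE policy matching.
# Assumptions: lower priority number = higher priority; field names are ours.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class IkePolicy:
    priority: int      # scanned in ascending order (assumption)
    encryption: str    # "des" or "3des"
    hash_alg: str      # "md5" or "sha1"
    auth: str          # "pre-share" or "rsa-sig"
    dh_group: int      # 1 (768-bit), 2 (1024-bit) or 5 (1536-bit)
    lifetime: int      # IKE SA lifetime in seconds

    def matches(self, other: "IkePolicy") -> bool:
        # Lifetime is negotiated afterwards, so it is not part of the match.
        return (self.encryption, self.hash_alg, self.auth, self.dh_group) == \
               (other.encryption, other.hash_alg, other.auth, other.dh_group)

def hmac_variant(hash_alg: str) -> str:
    # IKE authenticates its exchanges with the HMAC form of the policy's hash.
    return {"md5": "hmac-md5", "sha1": "hmac-sha"}[hash_alg]

def respond(local: List[IkePolicy], offered: List[IkePolicy],
            log: List[str]) -> Optional[Tuple[IkePolicy, int, str]]:
    """Scan local policies from highest priority and return (policy, lifetime,
    auth algorithm) for the first one the initiator also offered, else None."""
    for mine in sorted(local, key=lambda p: p.priority):
        for theirs in offered:
            if mine.matches(theirs):
                # Both peers use the lesser of the two lifetimes.
                return mine, min(mine.lifetime, theirs.lifetime), hmac_variant(mine.hash_alg)
    # No match: the IKE SA fails and the router raises a log alarm.
    log.append("IKE SA negotiation failed: no local policy matched the peer's proposals")
    return None

# Constructed sample policies for the local router and two remote peers.
LOCAL = [
    IkePolicy(1, "3des", "sha1", "rsa-sig", 5, 28800),
    IkePolicy(2, "3des", "sha1", "pre-share", 2, 28800),
    IkePolicy(3, "des", "md5", "pre-share", 1, 86400),
]
PEER_OK = [IkePolicy(1, "des", "md5", "pre-share", 1, 3600),   # also matches LOCAL[2]
           IkePolicy(2, "3des", "sha1", "pre-share", 2, 7200)]
PEER_NO_MATCH = [IkePolicy(1, "3des", "md5", "pre-share", 5, 3600)]

if __name__ == "__main__":
    events: List[str] = []
    print(respond(LOCAL, PEER_OK, events))        # LOCAL priority 2 wins, lifetime 7200
    print(respond(LOCAL, PEER_NO_MATCH, events), events)
```

Note that the responder's own priority order decides the outcome: the peer listed its DES/MD5 policy first, but the responder's higher-priority 3DES/SHA-1 policy is the one agreed.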
