SmartWare Software Configuration Guide
32 • VPN configuration
Continuation of the security-association listing for the manually keyed policy ToBerne from the preceding page (column headings are not repeated here):
IN  MANUAL ToBerne Tunnel no 200.200.200.1 - 1111 - - AES-CBC 128 3622/unlimited 19047/unlimited
OUT MANUAL ToBerne Tunnel no 200.200.200.1 - 2222 - - AES-CBC 128 2857/unlimited 19047/unlimited
Key management (IKE)
In addition to manually keyed IPSEC connections, support for automatically keyed IPSEC connections using the Internet Key Exchange protocol (IKE, RFC 2409) has been integrated. IKE is based on the Internet Security Association and Key Management Protocol (ISAKMP, RFC 2408). The IKE module supports authentication using pre-shared keys. There is currently no support for authentication using a Public Key Infrastructure (PKI) and digital certificates.
IKE is used to establish a shared secret between two peers, from which encryption and/or authentication keys are derived for the exchange of encrypted and/or authenticated packets between the peers through an IPSEC connection. IKE also authenticates the two peers to thwart man-in-the-middle attacks. In addition, IKE enables IPSEC to perform replay protection, preventing the re-injection of previously captured packets into the protected network. Furthermore, IKE negotiates the set of cryptographic transforms used by IPSEC for encryption and/or authentication of IP packets. IKE is also responsible for periodically establishing new session keys for the IPSEC security associations.
To achieve all of this, IKE is split into two phases called MAIN MODE and QUICK MODE.
In MAIN MODE, IKE mutually authenticates the peers, establishes a shared secret between them and negotiates cryptographic transforms in order to create an ISAKMP security association between the two peers. The ISAKMP security association is only used to provide a secure, authenticated and encrypted channel between the peers, which is then used for all further IKE communication.
In QUICK MODE, IKE negotiates all the security parameters, such as cryptographic transforms, SPIs and session keys, which are required to establish one or more IPSEC security associations. All communication in QUICK MODE is protected by a previously established ISAKMP security association. Note that the same ISAKMP security association can be used for multiple QUICK MODE exchanges.
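As an added illustration of what the two phases produce (example code, not SmartWare's implementation), the following Python follows the RFC 2409 key schedule for pre-shared-key authentication: SKEYID and the ISAKMP SA keys from MAIN MODE, the authentication hashes each peer uses to verify the other, and the per-SA KEYMAT of QUICK MODE. All cookies, nonces, Diffie-Hellman values, SA payloads and identities are constructed stand-ins, and HMAC-SHA1 is assumed as the prf.

```python
import hmac
import hashlib
from dataclasses import dataclass
# Added example (not SmartWare code): RFC 2409 (IKEv1) key schedule for
# pre-shared-key authentication, prf = HMAC-SHA1. Cookies, nonces, DH values,
# SA payload and identities are constructed stand-ins for MAIN MODE payloads.
def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()
@dataclass(frozen=True)
class Phase1Keys:
    skeyid: bytes    # root secret, bound to the PSK and both nonces
    skeyid_d: bytes  # seed for the IPSEC SA keys negotiated in QUICK MODE
    skeyid_a: bytes  # integrity key protecting ISAKMP SA messages
    skeyid_e: bytes  # encryption key protecting ISAKMP SA messages

def main_mode_keys(psk, ni, nr, gxy, cky_i, cky_r):
    # MAIN MODE (RFC 2409 section 5): keys from the PSK, both nonces, the
    # Diffie-Hellman secret g^xy and the two ISAKMP cookies.
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return Phase1Keys(skeyid, skeyid_d, skeyid_a, skeyid_e)

def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    # Initiator's authentication hash; a party without the PSK cannot compute
    # it, which is how MAIN MODE defeats a man-in-the-middle.
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)

def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)

def peer_authenticated(expected: bytes, received: bytes) -> bool:
    return hmac.compare_digest(expected, received)  # constant-time compare

def quick_mode_keymat(skeyid_d, protocol, spi, ni_qm, nr_qm, nbytes):
    # QUICK MODE without PFS (RFC 2409 section 5.5): KEYMAT for one IPSEC SA,
    # bound to protocol id, SPI and fresh nonces, expanded by chaining.
    seed = protocol + spi + ni_qm + nr_qm
    out = block = prf(skeyid_d, seed)
    while len(out) < nbytes:
        block = prf(skeyid_d, block + seed)
        out += block
    return out[:nbytes]

def esp_keys_for(skeyid_d, spi, ni_qm, nr_qm):
    # ESP = protocol id 3 in the IPSEC DOI (RFC 2407); encryption key first,
    # then authentication key: AES-CBC 128 (as in the listing) + HMAC-SHA1.
    keymat = quick_mode_keymat(skeyid_d, b"\x03", spi, ni_qm, nr_qm, 16 + 20)
    return keymat[:16], keymat[16:]
```

Because every QUICK MODE key is derived from SKEYID_d plus fresh nonces and the SPI, rekeying an IPSEC SA never requires a second MAIN MODE, which is why one ISAKMP SA serves many QUICK MODE exchanges.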
Main differences between manual & IKE IPSEC configurations
• For IKE connections the ACLs must allow traffic from and to UDP port 500 in plaintext, because this port is used by IKE to negotiate security associations.
• In addition to the "profile ipsec-transform", which defines the cryptographic transforms used for the IPSEC connections, it is also necessary to define a "profile isakmp-transform", which defines the cryptographic transforms used to protect the negotiation of new IPSEC security associations using ISAKMP.
• Instead of the "profile ipsec-policy-manual", which is used to create manually keyed IPSEC connections, you need to create a "profile ipsec-policy-isakmp", which contains all the IKE specific configuration options.
Creating an IPSEC transform profile
First you need to create at least one IPSEC transform profile as described in Chapter 26 of the Software Configuration Guide. In addition to the parameters used also for manually keyed IPSEC security associations, you