Cisco CRS-1 - Carrier Routing System Router Configuration Guide
Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software
Information About Implementing IKE Security Protocol Configurations for IPSec Networks
SC-113
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
OL-20382-01
When two peers use IKE to establish IPSec security associations, each peer sends its identity to the remote peer. Each peer sends either its hostname or its IP address, depending on how you have set the ISAKMP identity of the router.

By default, the ISAKMP identity of a peer is the IP address of the peer. If appropriate, you could change the identity to be the peer’s hostname instead. As a general rule, set the identities of all peers the same way—either all peers should use their IP addresses or all peers should use their host names. If some peers use their host names and some peers use their IP addresses to identify themselves to each other, IKE negotiations could fail if the identity of a remote peer is not recognized and a domain name server (DNS) lookup is unable to resolve the identity.
ISAKMP Profile Overview
The ISAKMP profile is an enhancement to Internet Security Association and Key Management Protocol (ISAKMP) configurations. It enables modularity of ISAKMP configuration for Phase-1 negotiations. This modularity allows mapping different ISAKMP parameters to different IP Security (IPSec) tunnels, and mapping different IPSec tunnels to different VPN forwarding and routing (VRF) instances. Currently, many applications and enhancements use the ISAKMP profile, including quality of service (QoS), router certificate management, and Multiprotocol Label Switching (MPLS) VPN configurations.
An ISAKMP profile is a repository for IKE Phase-1 and IKE Phase-1.5 (also known as Xauth) configuration for a set of peers. An ISAKMP profile applies parameters to an incoming IPSec connection identified uniquely through its concept of match identity criteria. These criteria are based on the IKE identity that is presented by incoming IKE connections and include IP address, fully qualified domain name (FQDN), and group (the Virtual Private Network [VPN] remote client grouping). The granularity of the match identity criteria imposes the granularity of applying the specified parameters. The ISAKMP profile applies parameters specific to each profile, such as trust points, peer identities, the Xauth authentication, authorization, and accounting (AAA) list, and so forth. Consider the following guidelines on when to use the ISAKMP profile:
• You have a router with two or more IPSec connections that require differing Phase-1 parameters for different peers (for example, when you want to configure site-to-site and remote access on the same router).
• You have an IPSec configuration using VRF-aware IPSec, which allows the use of a single IP address to connect to different peers with different IKE Phase-1 parameters. For an example of this configuration, see Configuring VRF-Aware: Example, page 148.
• When different custom Internet Key Exchange (IKE) Phase-1 policies may be needed for different peers. One determining factor might be whether you are applying Xauth to a specific peer, rather than applying it to every connection.
Note: Remote-access IPSec, VRF-aware IPSec, and Xauth are supported only on the Cisco XR 12000 Series Router.
To configure Xauth, perform the following tasks:
• Configure AAA (you must set up an authentication list). See the Configuring AAA Services on Cisco IOS XR Software module of Cisco IOS XR System Security Configuration Guide.
• Configure a static crypto ISAKMP profile (required). For configuration details, see the “How to Configure the ISAKMP Profile” section on page 137.
• Configure a dynamic crypto ISAKMP profile (optional). For configuration details, see the “How to Configure the ISAKMP Profile” section on page 137.
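The identity and match-identity behaviour described above, as an added Python model that is not code from the guide or from Cisco: a peer presents either an address or a hostname identity, the responder selects the ISAKMP profile whose match identity criteria cover it, and an unrecognised hostname identity is resolved through a constructed DNS table, with the negotiation failing when the lookup cannot resolve. The profile names, peer addresses, hostnames and AAA list name are assumptions.

```python
"""ISAKMP identity and ISAKMP-profile match-identity model.
Added illustration, not the guide's code: profiles, peers and DNS table are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed DNS table standing in for the DNS lookup the text mentions.
DNS = {"hub.example.net": "192.0.2.1", "branch1.example.net": "198.51.100.7"}

@dataclass
class IsakmpProfile:
    name: str
    match_address: list = field(default_factory=list)  # CIDR prefixes
    match_host: list = field(default_factory=list)     # FQDNs
    match_group: list = field(default_factory=list)    # remote-client groups
    xauth_list: str = ""  # AAA list applied only to peers matched by this profile

def isakmp_identity(peer_ip, peer_hostname, identity_mode):
    """Identity a peer presents: its IP address (the default) or its hostname."""
    return ("address", peer_ip) if identity_mode == "address" else ("fqdn", peer_hostname)

def match_profile(identity, profiles):
    """Return the first profile whose match-identity criteria cover the identity."""
    kind, value = identity
    for prof in profiles:
        if kind == "address" and any(ip_address(value) in ip_network(n) for n in prof.match_address):
            return prof
        if kind == "fqdn" and value in prof.match_host:
            return prof
        if kind == "group" and value in prof.match_group:
            return prof
    return None

def phase1_profile(identity, profiles):
    """Responder-side Phase-1 profile choice. An unrecognised hostname identity is
    resolved through DNS and retried as an address; if the lookup cannot resolve,
    the negotiation fails (None): the mixed-identity failure the text warns about."""
    prof = match_profile(identity, profiles)
    if prof is None and identity[0] == "fqdn":
        resolved = DNS.get(identity[1])  # None models a lookup that cannot resolve
        if resolved is not None:
            prof = match_profile(("address", resolved), profiles)
    return prof

# Constructed profiles: site-to-site peers matched by address, remote-access clients by group.
PROFILES = [
    IsakmpProfile("site-to-site", match_address=["192.0.2.0/24"]),
    IsakmpProfile("remote-access", match_group=["ra-clients"], xauth_list="XAUTH-LIST"),
]
```

A hostname identity that the DNS table can resolve still lands in the address-matched profile, which is why a consistent identity setting across peers avoids depending on DNS at all.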