281
Configuring IKE
Unless otherwise specified, the term "IKE" in this chapter refers to IKEv1.
The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces.
Overview
Built on a framework defined by ISAKMP, Internet Key Exchange (IKE) provides automatic key negotiation
and SA establishment services for IPsec.
IKE provides the following benefits for IPsec:
• Automatically negotiates IPsec parameters.
• Performs DH exchanges to calculate shared keys, making sure each SA has a key that is
independent of other keys.
• Automatically negotiates SAs when the sequence number in the AH or ESP header overflows,
making sure IPsec can provide the anti-replay service by using the sequence number.
As shown in Figure 84, I
KE negotiates SAs for IPsec and transfers the SAs to IPsec, and IPsec uses the SAs
to protect IP packets.
Figure 84 Relationship between IKE and IPsec
IKE negotiation process
IKE negotiates keys and SAs for IPsec in two phases:
1. Phase 1—The two peers establish an IKE SA, a secure, authenticated channel for communication.
In this phase, two modes are available: main mode and aggressive mode.
2. Phase 2—Using the IKE SA established in phase 1, the two peers negotiate to establish IPsec SAs.
To Next Page
Loading...
Need help?
General