IKE enhances IPSec by providing additional features and
flexibility, and it makes IPSec easier to configure. IKE, defined in RFC 2409, is a
hybrid protocol which implements the Oakley key exchange and SKEME key exchange
inside the Internet Security Association and Key Management Protocol (ISAKMP)
framework. ISAKMP is defined in RFC 2408. ISAKMP, Oakley, and SKEME are
security protocols implemented by IKE. IKE provides authentication of the IPSec
peers, negotiates IPSec keys, and negotiates IPSec security associations.
The IKE tunnel protects the SA negotiations. After the SAs are in place,
IPSec protects the data that Alice and Bob exchange.
IKE Mode
Configuration allows a gateway to download an IP address, and other network
level configuration, to the client as part of an IKE negotiation. Using this
exchange, the gateway gives the IKE client an IP address to use as the
inner IP address encapsulated under IPSec. This provides a known IP address for
the client, which can be matched against IPSec policy.
IKE provides the
following benefits:
- Eliminates the need to manually specify all the IPSec security parameters
in the crypto maps at both peers
- Allows administrators to specify a lifetime for the IPSec security
association
- Allows encryption keys to change during IPSec sessions
- Allows IPSec to provide anti-replay services
- Permits CA support for a manageable, scalable IPSec implementation
- Allows dynamic authentication of peers
The component technologies implemented for use by IKE are shown in the figure.
One of the most important factors in the IKE SA negotiation is the mutual
authentication of peers. Each peer must be sure that it is talking to the
correct peer before negotiating IPSec traffic-protection policies with it.
This mutual authentication is accomplished using the two-way authentication
methods available with IKE. IKE provides three defined methods for two-way
authentication:
- Authentication using a pre-shared secret
- Authentication using RSA encrypted nonces
- Authentication using RSA signatures
This course will focus on the pre-shared secret authentication method and RSA
signatures.