Internet Key Exchange



IKE Overview

The Internet Key Exchange protocol is used for the initial negotiation and assignment of security associations between two IPSec peers. IKE performs the following tasks:

  1. Specifies security parameters at both IPSec peers
  2. Specifies lifetimes for IPSec sessions
  3. Allows encryption keys to change during sessions
  4. Provides anti-replay services
  5. Allows dynamic authentication of peers

IKE negotiation begins with each peer agreeing on a common IKE policy, which states the security parameters that will be used to protect subsequent IKE negotiations. The security parameters of the policy are identified by a security association established at each peer. These security associations apply to all subsequent IKE traffic during the negotiation.

There are five parameters to define in each IKE policy:


Keyword     Meaning              Description
---------   ------------------   ---------------------------------------------------
des         56-bit DES-CBC       Symmetric encryption algorithm used to protect user
3des        168-bit Triple DES   data transmitted between two IPSec peers. The default
                                 is 56-bit DES-CBC, which is less secure and faster
                                 than the alternative.

sha         SHA-1                Hash algorithm used to ensure data integrity. The
md5         MD5                  default is SHA-1. MD5 has a smaller digest and is
                                 considered to be slightly faster than SHA-1.

rsa-sig     RSA signatures       Method of authentication used to establish the
pre-share   pre-shared keys      identity of each IPSec peer. The default, RSA
                                 signatures, provides non-repudiation for the IKE
                                 negotiation.

                                 Pre-shared keys can be anything from the number 1
                                 to a long string of random numbers. You do not need
                                 a certificate authority for pre-shared keys. The
                                 network administrator generates identical keys at
                                 each peer and configures them on the firewall
                                 (selecting the method with isakmp policy
                                 authentication pre-share). Pre-shared keys do not
                                 scale well with a growing network but are easier to
                                 set up in a small network.

1           768-bit              Diffie-Hellman group identifier used by IPSec peers
2           1024-bit             to derive a shared secret without transmitting it to
                                 each other. The default, Group 1, requires less CPU
                                 time to execute but is less secure than Group 2.

-           any number of        SA lifetime. The default is 86,400 seconds, or 24
            seconds              hours. As a general rule, a shorter lifetime (up to a
                                 point) provides more secure IKE negotiations.
                                 However, with longer lifetimes, future IPSec security
                                 associations can be set up more quickly.

There is an implicit trade-off between security and performance when you choose a specific value for each parameter. The level of security provided by the default values is adequate for the security requirements of most organizations. If you are interoperating with a peer that supports only one of the values for a parameter, the choice is limited to the other peer's supported value.

You can create multiple IKE policies, each with a different combination of parameter values. For each policy that you create, you assign a unique priority (1 through 65,534, with 1 being the highest priority). If you do not configure any policies, the firewall will use the default policy, which is always set to the lowest priority, and which contains each parameter's default value. If you do not specify a value for a specific parameter, the default value is assigned.

When the IKE negotiation begins, the peer that initiates the negotiation will send all its policies to the remote peer, and the remote peer will try to find a match. The remote peer checks each of its policies in order of its priority (highest priority first) until a match is found.

A match is made when both policies from the two peers contain the same encryption, hash, authentication, and Diffie-Hellman parameter values, and when the remote peer's policy specifies a lifetime less than or equal to the lifetime in the policy being compared. If the lifetimes are not identical, the shorter lifetime—from the remote peer's policy—will be used.

If no acceptable match is found, IKE refuses negotiation and IPSec will not be established. If a match is found, IKE will complete negotiation, and IPSec security associations will be created.



Configuring IKE

If you do not specify a value for a given policy parameter, the default value is assigned. If you enter a default value for a given policy parameter, it will not be included when you show the configuration.

To enable and configure IKE, perform the following steps:

  1. Identify the policy to create. Each policy is uniquely identified by the priority number you assign.
    isakmp policy priority

    For example:

    isakmp policy 20

  2. Specify the encryption algorithm:
    isakmp policy priority encryption des | 3des

    For example:

    isakmp policy 20 encryption des

  3. Specify the hash algorithm:
    isakmp policy priority hash md5 | sha

    For example:

    isakmp policy 20 hash md5

  4. Specify the authentication method:
    isakmp policy priority authentication pre-share | rsa-sig

    For example:

    isakmp policy 20 authentication rsa-sig

  5. Specify the Diffie-Hellman group identifier:
    isakmp policy priority group 1 | 2

    For example:

    isakmp policy 20 group 2

  6. Specify the security association's lifetime:
    isakmp policy priority lifetime seconds

    For example:

    isakmp policy 20 lifetime 5000

    The following example shows two policies with policy 20 as the highest priority, policy 30 as the next priority, and the existing default policy as the lowest priority:


    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 authentication rsa-sig
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 5000
    isakmp policy 30 authentication pre-share
    isakmp policy 30 lifetime 10000

    In this example, the "encryption des" setting of policy 20 would not appear in the written configuration, because des is the default value of the encryption algorithm parameter.

  7. (Optional) View all existing IKE policies:
    show isakmp policy

The following is an example of the output after the policies 20 and 30 in the previous example were configured:

 Protection suite priority 20
 encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
 hash algorithm: Message Digest 5
  authentication method:  Rivest-Shamir-Adleman Signature
 Diffie-Hellman group:   #2 (1024 bit)
 lifetime:       5000 seconds, no volume limit
 Protection suite priority 30
 encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
 hash algorithm: Secure Hash Standard
  authentication method:  Pre-Shared Key
 Diffie-Hellman group:   #1 (768 bit)
 lifetime:       10000 seconds, no volume limit
 Default protection suite
 encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
 hash algorithm: Secure Hash Standard
  authentication method:  Rivest-Shamir-Adleman Signature
 Diffie-Hellman group:   #1 (768 bit)
 lifetime:       86400 seconds, no volume limit

Although the output shows "no volume limit" for the lifetimes, you can currently only configure a time lifetime (such as 86,400 seconds) with IKE; volume limit lifetimes are not currently configurable.
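As an added example that is not part of the original document, the following Python models two things described above: how the stored configuration fills in and omits default parameter values (the policy 20 and 30 example), and the match rule the responder applies during negotiation (its policies are checked highest priority first, a match needs equal encryption, hash, authentication and group values, and the responder's lifetime must be less than or equal to the offered one, the shorter value being used). The priority used for the built-in default policy is an assumed sentinel, not a documented value.

```python
import re

# Defaults as listed in the policy table and the "Default protection suite".
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}
DEFAULT_PRIO = 65535   # assumed sentinel: below every configurable priority

# Constructed input: the two policies from the configuration example above.
CONFIG = """\
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 authentication rsa-sig
isakmp policy 20 group 2
isakmp policy 20 lifetime 5000
isakmp policy 30 authentication pre-share
isakmp policy 30 lifetime 10000
"""

def parse_policies(config):
    """Map priority -> policy, unspecified parameters taking the default."""
    policies = {DEFAULT_PRIO: dict(DEFAULTS)}   # default policy is always present
    for line in config.splitlines():
        m = re.fullmatch(r"isakmp policy (\d+) (\w+) (\S+)", line.strip())
        if m:
            prio, param, value = int(m[1]), m[2], m[3]
            policies.setdefault(prio, dict(DEFAULTS))[param] = value
    return policies

def written_config(policies):
    """Lines that survive in the stored configuration: defaults are omitted."""
    return [f"isakmp policy {prio} {param} {value}"
            for prio in sorted(policies) if prio != DEFAULT_PRIO
            for param, value in policies[prio].items() if value != DEFAULTS[param]]

def negotiate(responder, offered):
    """Walk the responder's policies highest priority first against every
    offered policy. A match needs equal encryption/hash/authentication/group
    and a responder lifetime <= the offered one; the shorter lifetime is used."""
    for prio in sorted(responder):
        mine = responder[prio]
        for theirs in offered:
            same = all(mine[k] == theirs[k]
                       for k in ("encryption", "hash", "authentication", "group"))
            if same and int(mine["lifetime"]) <= int(theirs["lifetime"]):
                return prio, int(mine["lifetime"])
    return None   # IKE refuses negotiation; no IPSec SA is created
```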



Disabling IKE

To disable IKE, use the following command:

no crypto isakmp enable interface-name

For example:

no crypto isakmp enable outside

Once IKE is disabled:

  1. IPSec SAs must be specified manually in the crypto maps at all peers.
  2. IPSec SAs must be specified to never time out.
  3. The encryption keys are never changed during a session.
  4. Anti-replay services are not available.
  5. CA support cannot be used.


Using IKE with Pre-Shared Keys

If you use the IKE authentication method of pre-shared keys, you must manually configure these keys on the firewall and its peer(s). You can specify the same key to share with multiple peers, but it is more secure to specify a different key for each pair of peers. To configure a pre-shared key on the firewall, perform the following steps.

  1. Configure the firewall host name:
    hostname firewallname

    Each peer sends its identity to other peers using either an IP address (the default) or a host name. Set all peers' identities the same way: either all peers use IP addresses or all peers use host names.

    If host names are used, IKE negotiations can fail when a DNS lookup is unable to resolve the identities.

  2. Configure the firewall domain name:
    domain-name name

    For example:

    domain-name example.com

  3. Specify the pre-shared key at the firewall:
    isakmp key keystring address peer-address [netmask mask]

    This command sets the key that the firewall and its peer will use for authentication, together with the peer's address.

    For example:

    isakmp key 1234567890 address 192.168.1.100

    The pre-shared key is 1234567890, and the peer's address is 192.168.1.100.

    The netmask option allows you to configure a single key to be shared among multiple peers; for that, use the netmask 0.0.0.0. However, we strongly recommend using a unique key for each peer.

  4. Specify the pre-shared key at the remote IPSec peer.

    The pre-shared key must be configured at both the firewall and its peer; otherwise the policy cannot be used. To configure a pre-shared key associated with a given security gateway to be distinct from a wildcard pre-shared key (pre-shared key plus a netmask of 0.0.0.0) used to identify and authenticate the remote VPN clients.
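As an added example that is not part of the original document, the following Python resolves which configured isakmp key entry applies to a given peer address and lists the peers that would authenticate only with the 0.0.0.0 wildcard key, which is what the recommendation above advises against. It assumes that an omitted netmask means a single host (255.255.255.255) and that the most specific matching entry wins; both are assumptions, not documented behaviour.

```python
import ipaddress

# Constructed entries: (keystring, address, netmask). The first is the page's
# own example with the assumed single-host netmask; the second is a wildcard.
KEY_ENTRIES = [
    ("1234567890", "192.168.1.100", "255.255.255.255"),
    ("wildcard-key", "0.0.0.0", "0.0.0.0"),
]

def select_key(entries, peer):
    """Return (keystring, prefix_length) of the most specific entry whose
    address/netmask covers the peer, or None. A 0.0.0.0 netmask covers all
    peers and has prefix length 0 (assumed longest-match selection)."""
    peer_ip = ipaddress.ip_address(peer)
    best = None
    for key, addr, mask in entries:
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if peer_ip in net and (best is None or net.prefixlen > best[1]):
            best = (key, net.prefixlen)
    return best

def wildcard_only_peers(entries, peers):
    """Peers that have no per-peer key and would fall back to the wildcard."""
    return [p for p in peers
            if (select_key(entries, p) or (None, -1))[1] == 0]
```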