3Com Router User Manual
Page 591
41 CONFIGURING IKE

This chapter covers the following topics:
■ IKE Protocol Overview
■ Configuring IKE
■ Displaying and Debugging IKE
■ IKE Configuration Example
■ Troubleshooting IKE

IKE Protocol Overview

The Internet Key Exchange (IKE) protocol implements a hybrid of the Oakley and SKEME key exchange protocols within the ISAKMP framework. It defines the standard for automatically authenticating the IPSec peer, negotiating security services and generating shared keys, and provides services such as...
Page 592
588 CHAPTER 41: CONFIGURING IKE

Figure 176 Diagram of the relationship between IKE and IPSec

IKE features
■ Avoids having to manually specify all IPSec security parameters in the password mappings of both communicating ends.
■ Allows the lifetime of an IPSec SA to be specified.
■ Allows encryption keys to be exchanged during an IPSec session.
■ Enables IPSec to provide anti-replay service.
■ Allows manageable and scalable IPSec deployments through certificate authorization support.
■ Allows dynamic end-to-end authentication.

Configuring IKE

IKE configuration...
Page 593
Configuring IKE 589

■ Hashing algorithm: SHA-1 (HMAC variant) or MD5 (HMAC variant)
■ Authentication method: RSA signature or RSA real-time encryption
■ Diffie-Hellman group ID
■ SA lifetime

To negotiate the IKE policies used by the two ends, the initiator sends all of its IKE policies to the peer so that a common IKE policy can be agreed on. The remote end matches the received policies against all of its own IKE policies in order of precedence. The one with the highest precedence will...
Page 594
The system creates only the default IKE security policy, which cannot be deleted or modified by users.

Selecting an Encryption Algorithm

The two supported encryption algorithms are the 56-bit DES Cipher Block Chaining (DES-CBC) algorithm and the 168-bit 3DES-CBC algorithm. Before being encrypted, each plaintext block is exclusive-ORed with the previous ciphertext block, so identical plaintext blocks never map to the same ciphertext, and the security...
Page 595
There are two hashing algorithm options: SHA-1 and MD5. Both algorithms provide data origin authentication and integrity protection. Compared with MD5, SHA-1 produces a longer digest and is more secure, but its authentication speed is relatively slow. A certain kind of attack against MD5 can succeed, though it is difficult, but the HMAC variant used by IKE prevents such attacks.

Perform the following configurations in IKE proposal view.

Table 660 Select...
Page 596
By default, the SA lifetime is 86400 seconds (one day). It is recommended that the configured value be greater than 10 minutes.

Configuring the IKE Keepalive Timer

The keepalive function detects and deletes idle security associations when the peer has become invalid and can no longer operate. Usually, the initiator sends a packet proving that it is still alive to the peer, and the responder confirms that the peer is still alive after receiving it. The keepalive...
Page 597
IKE Configuration Example 593

IKE Configuration Example

■ Hosts A and B communicate securely, and a secure channel is established by IKE automatic negotiation between security gateways A and B.
■ Configure an IKE policy on Gateway A, where Policy 10 has the highest priority and the default IKE policy has the lowest priority.
■ Pre-shared key authentication is used.

Figure 177 Networking diagram of the IKE configuration example

1 Configure Security Gateway A.
a Configure IKE Policy 10...
Page 598
for protecting different data streams. At present, the user IP address is used to identify the user.

got NOTIFY of type INVALID_ID_INFORMATION

or

drop message from X.X.X.X due to notification type INVALID_ID_INFORMATION

Check whether the ACL contents in the ipsec policy configured on the interfaces of both ends are compatible. It is recommended that the ACLs at both ends be configured to mirror each other.

Unmatched policy

Enable the debugging ike error command to see the...