3Com Router User Manual
41 CONFIGURING IKE

This chapter covers the following topics:
■ IKE Protocol Overview
■ Configuring IKE
■ Displaying and Debugging IKE
■ IKE Configuration Example
■ Troubleshooting IKE

IKE Protocol Overview

The Internet Key Exchange (IKE) protocol implements a hybrid of the Oakley and SKEME key exchange protocols within the ISAKMP framework. It defines standards for automatically authenticating IPSec peers, negotiating security services and generating shared keys, and provides services such as automatic key exchange negotiation and security association (SA) creation, which simplifies the use and management of IPSec. IKE has a set of self-protection mechanisms that allow it to deliver keys securely, authenticate identities and establish IPSec security associations over an insecure network.

After both parties have established a security association, if the peer becomes invalid and cannot operate normally (for example, it is shut off), the local party has no way to know about it. When the peer restarts, the local party still holds a security association, so it cannot initiate negotiation: negotiation can only be initiated by the peer, or take place after a timeout. The keepalive function of IKE therefore detects and deletes the idle security association when the peer has become invalid and cannot operate normally.

IKE uses ISAKMP in two phases:
■ The first phase negotiates and authenticates a communication channel, and provides confidentiality, message integrity and message source authentication for the further IKE communication between the two parties.
■ The second phase uses the IKE SA created in the first phase to create IPSec SAs.

The following figure shows the relationship between IKE and IPSec.
Figure 176 Diagram of relationship between IKE and IPSec
[Figure: Router A and Router B, each with TCP/UDP, IPSec and IKE layers over IP. IKE on the two routers performs the SA negotiation; the resulting SA carries the encrypted IP messages between the IPSec layers.]

IKE features
■ Avoids manually specifying all IPSec security parameters in the password mapping at both communicating ends.
■ Allows specifying the lifetime of IPSec SAs.
■ Allows changing the encryption key during an IPSec session.
■ Allows IPSec to provide anti-replay service.
■ Allows manageable and scalable IPSec deployments with certificate authorization support.
■ Allows dynamic end-to-end authentication.

Configuring IKE

IKE configuration includes:
■ Creating an IKE Security Policy
■ Selecting an Encryption Algorithm
■ Selecting an Authentication Algorithm
■ Configuring Pre-shared Key
■ Selecting the Hashing Algorithm
■ Selecting DH Group ID
■ Setting the Lifetime of IKE Association SA
■ Configuring IKE Keepalive Timer

Creating an IKE Security Policy

IKE negotiation determines whether the IKE policies at both ends match, and then reaches agreement on one IKE policy. During the subsequent negotiation, the security parameters provided by this IKE policy are used to protect the negotiation data. Multiple policies with different priorities must be created on each terminal to ensure that at least one of them matches a policy on the remote terminal. An IKE policy consists of:
■ Encryption algorithm: at present, the 56-bit DES-CBC (DES Cipher Block Chaining) algorithm and the 168-bit 3DES-CBC algorithm.
■ Hashing algorithm: SHA-1 (HMAC variant) or MD5 (HMAC variant).
■ Authentication method: RSA signature or RSA real-time encryption.
■ Diffie-Hellman group ID.
■ SA lifetime.

To negotiate the IKE policy used by the two ends, the initiator sends all of its IKE policies to the peer, so that a common IKE policy for both sides can be negotiated. The remote terminal matches the received policies against all of its own IKE policies in order of precedence, judging the one of highest precedence first. If an IKE policy is found that has the same encryption, hash, authentication and Diffie-Hellman parameters as a received IKE policy, and whose lifetime is equal to or longer than the one specified in the received policy, the common IKE policy for both ends is determined. (Note that if no lifetime is specified for the IKE policy, the shorter lifetime, that of the remote terminal, is selected.) An IPSec security path is then created using that IKE policy to protect the subsequent data. Otherwise IKE refuses the negotiation and no IPSec security path is created.

The following issues should be decided before configuring IKE:
■ Determine the strength of the authentication algorithm, encryption algorithm and Diffie-Hellman algorithm (the computing resources consumed and the security provided). Different algorithms have different strengths: the higher the strength, the more difficult it is to decode the protected data, but the more resources are consumed. A longer key usually gives a higher strength.
■ Determine the security protection strength needed for the IKE exchange (including the hashing algorithm, encryption algorithm, identity authentication algorithm and DH algorithm).
■ Determine the authentication algorithm, encryption algorithm, hashing algorithm and Diffie-Hellman group.
■ Determine the pre-shared key of both parties.
■ Create the IKE policy.

The user can create multiple IKE policies, but must allocate a unique priority value to each one. The two negotiating parties must have at least one matching policy for the negotiation to succeed; that is, a policy and one on the remote terminal must have the same encryption, hashing, authentication and Diffie-Hellman parameters (the lifetime parameters may differ slightly). If multiple matching policies are found during negotiation, the matching policy with the higher priority is selected first.

Perform the following configurations in system view.

Table 656 Create IKE Policy
Operation                                        Command
Create IKE policy and enter IKE proposal view    ike proposal policy-number
Delete IKE policy                                undo ike proposal policy-number
The system also creates a default IKE security policy, which cannot be deleted or modified by users.

Selecting an Encryption Algorithm

Two encryption algorithms are supported: the 56-bit DES-Cipher Block Chaining (DES-CBC) algorithm and the 168-bit 3DES-CBC algorithm. Before being encrypted, each plaintext block is exclusive-ORed with the preceding ciphertext block, so the same plaintext block never maps to the same ciphertext and security is enhanced. Perform the following configurations in IKE proposal view.

Table 657 Select Encryption Algorithm
Operation                                          Command
Select encryption algorithm                        encryption-algorithm { des-cbc | 3des-cbc }
Set the encryption algorithm to the default value  undo encryption-algorithm

By default, the DES-CBC encryption algorithm (parameter des-cbc) is adopted.

Selecting an Authentication Algorithm

Pre-shared key is the only supported authentication method. Perform the following configurations in IKE proposal view.

Table 658 Select Authentication Method
Operation                                               Command
Select authentication method                            authentication-method pre-share
Restore the authentication method to the default value  undo authentication-method pre-share

By default, the pre-shared key (pre-share) method is adopted.

Configuring Pre-shared Key

If the pre-shared key authentication method is selected, a pre-shared key must be configured. Perform the following configurations in system view.

Table 659 Configure Pre-shared Key
Operation                                           Command
Configure pre-shared key                            ike pre-shared-key key remote remote-address
Delete pre-shared key to restore its default value  undo ike pre-shared-key key remote remote-address

By default, neither end of the security channel has a pre-shared key.

Selecting the Hashing Algorithm

Hashing algorithms use the HMAC framework. HMAC uses a cryptographic hash function to authenticate messages, and provides a framework into which various hashing algorithms, such as SHA-1 and MD5, can be inserted.
There are two hashing algorithm options: SHA-1 and MD5. Both provide data source authentication and integrity protection. Compared with MD5, SHA-1 produces a longer digest and is more secure, but its authentication speed is relatively slow. A known attack on MD5 can succeed, though with difficulty, but the HMAC variant used by IKE stops such attacks. Perform the following configurations in IKE proposal view.

Table 660 Select Hashing Algorithm
Operation                                   Command
Select hashing algorithm                    authentication-algorithm { md5 | sha }
Set hashing algorithm to the default value  undo authentication-algorithm

By default, the SHA-1 hashing algorithm (parameter sha) is adopted.

Selecting DH Group ID

There are two DH (Diffie-Hellman) group ID options: the 768-bit Diffie-Hellman group (Group 1) or the 1024-bit Diffie-Hellman group (Group 2). The 1024-bit Diffie-Hellman group (Group 2) takes more CPU time. Perform the following configurations in IKE proposal view.

Table 661 Select DH Group ID
Operation                                 Command
Select DH group ID                        dh { group1 | group2 }
Restore the default value of DH group ID  undo dh

By default, the 768-bit Diffie-Hellman group is selected.

Setting the Lifetime of IKE Association SA

The lifetime is how long an IKE SA exists before it becomes invalid. When IKE begins negotiation, it must first make the security parameters of the two parties consistent. The SA refers to these agreed parameters at each terminal, and each terminal keeps the SA until its lifetime expires. Before the SA becomes invalid, subsequent IKE negotiations can reuse it; a new SA is negotiated before the current SA becomes invalid. A relatively short lifetime can be set for IKE negotiation to improve its security. There is a critical IKE lifetime value. If the policy lifetimes of the two terminals differ, that of the originating party is taken as the lifetime of the IKE SA. If the policy lifetimes of the two terminals differ, the IKE policy can be selected only when the lifetime of the originating terminal is greater than or equal to that of the peer end, and the shorter lifetime is selected as the IKE SA lifetime. Perform the following configurations in IKE proposal view.

Table 662 Set Lifetime of IKE Negotiation SA
Operation                          Command
Set lifetime of IKE SA             sa duration seconds
Set lifetime as the default value  undo sa duration
By default, the SA lifetime is 86400 seconds (one day). It is recommended that the configured value be greater than 10 minutes.

Configuring IKE Keepalive Timer

The keepalive function detects and deletes idle security associations when the peer becomes invalid and cannot operate. Usually the initiator transmits a packet proving that it is still alive to the peer, and the responder, on receiving it, confirms that the peer is still alive. The keepalive function uses two timers, interval and timeout:
■ The interval timer transmits keepalive packets to the peer at the configured time interval, to prove that the local end is still alive.
■ The timeout timer periodically queries the status of the security tunnel and deletes a security tunnel that has timed out.

Configure the following in system view.

Table 663 Configure IKE Keepalive Timer
Operation                                                                 Command
Configure transmitting time interval of IKE keepalive packets (interval)  ike sa keepalive-timer interval seconds
Delete interval timing event of IKE keepalive function                    undo ike sa keepalive-timer interval
Configure IKE keepalive link timeout time (timeout)                       ike sa keepalive-timer timeout seconds
Delete timeout timing event of IKE keepalive function                     undo ike sa keepalive-timer timeout

By default, the system does not enable the IKE keepalive timing events (interval and timeout).

Usually the interval and timeout timers are applied in pairs, one at the initiator side and one at the receiver side: if an interval timer is configured at one side, the other side should be configured with a timeout timer. In practice, if one side is configured with the timeout timer, the other side must be configured with the interval timer, or the SA will be deleted. If one side is configured with the interval timer, it is not necessary to configure the timeout timer at the other side. To prevent network congestion from disrupting the keepalive function, set the timeout timer to three times the value of the interval timer.

Displaying and Debugging IKE

Use the debugging, reset and display commands in all views.

Table 664 Display and Debug IKE
Operation                                       Command
Display IKE security association parameters     display ike sa
Display IKE security policy                     display ike proposal
Delete the security channel established by IKE  reset ike sa { connection-ike-sa-id | all }
Enable IKE debugging                            debugging ike { all | crypto | error | message | misc | sysdep | timer | transport }
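The keepalive pairing and the three-times rule above, as an added simulation (not the manual's or 3Com's code): one end runs the interval timer, the other the timeout timer, and two consecutive keepalives are lost to congestion. The packet losses and timings are constructed, and the checker applies only the pairing rules stated in this section.

```python
"""Added example, not from the 3Com manual: a simulation of the IKE keepalive
interval/timeout pairing. One end runs the interval timer (sends a keepalive every
`interval` seconds); the other runs the timeout timer (deletes the SA when no keepalive
has arrived for `timeout` seconds). Packet losses and timings are constructed."""


def keepalive_arrivals(interval, duration, lost=()):
    """Times at which keepalives reach the peer. `lost` holds the 1-based sequence
    numbers of keepalives dropped by a congested network."""
    dropped = set(lost)
    return [t for n, t in enumerate(range(interval, duration + 1, interval), start=1)
            if n not in dropped]


def sa_deleted_at(arrivals, timeout, duration):
    """Timeout-timer side: return the second at which the SA is deleted because no
    keepalive was seen for `timeout` seconds, or None if the SA survives."""
    seen, last_seen = set(arrivals), 0
    for t in range(1, duration + 1):
        if t in seen:
            last_seen = t
        elif t - last_seen >= timeout:
            return t
    return None


def compare_timeouts(interval=20, duration=300, lost=(4, 5)):
    """Same keepalive stream, two consecutive losses, timeout = 1x, 2x and 3x interval.
    Only the 3x setting the manual recommends keeps the SA through the congestion."""
    arrivals = keepalive_arrivals(interval, duration, lost)
    return {m: sa_deleted_at(arrivals, m * interval, duration) for m in (1, 2, 3)}


def check_keepalive_pair(side_a, side_b):
    """Apply the manual's pairing rules to the two ends' keepalive settings. Each dict
    may hold 'interval' and/or 'timeout' (seconds), as set with
    `ike sa keepalive-timer interval` / `ike sa keepalive-timer timeout`."""
    problems = []
    for name, me, peer in (("A", side_a, side_b), ("B", side_b, side_a)):
        if "timeout" in me and "interval" not in peer:
            problems.append(f"{name}: timeout timer set but peer sends no keepalives; "
                            "the SA will be deleted")
        elif "timeout" in me and me["timeout"] < 3 * peer["interval"]:
            problems.append(f"{name}: timeout {me['timeout']}s is below 3 x peer "
                            f"interval {peer['interval']}s")
    return problems


if __name__ == "__main__":
    print(compare_timeouts())                                      # {1: 80, 2: 100, 3: None}
    print(check_keepalive_pair({"timeout": 20}, {"interval": 20}))
```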
IKE Configuration Example

■ Hosts A and B communicate securely; a security channel is established by IKE automatic negotiation between Security Gateways A and B.
■ An IKE policy is configured on Gateway A, with Policy 10 of the highest priority and the default IKE policy of the lowest priority.
■ The pre-shared key authentication method is adopted.

Figure 177 Networking diagram of IKE configuration example
[Figure: Host A behind Security Gateway A (Serial 0, 202.38.160.1) and Host B behind Security Gateway B (Serial 0, 171.69.224.33), the two gateways connected over the Internet.]

1 Configure Security Gateway A.
a Configure IKE Policy 10.
[RouterA] ike proposal 10
b Specify MD5 as the hashing algorithm used by the IKE policy.
[RouterA-ike-proposal-10] authentication-algorithm md5
c Use the pre-shared key authentication method.
[RouterA-ike-proposal-10] authentication-method pre-share
d Configure the pre-shared key "abcde" for peer 171.69.224.33.
[RouterA] ike pre-share-key abcde remote 171.69.224.33
e Set the IKE SA lifetime to 5000 seconds.
[RouterA-ike-proposal-10] sa duration 5000

2 Configure Security Gateway B.
a Use the default IKE policy on Gateway B and configure the peer authentication word.
[RouterB] ike pre-share-key abcde remote 202.38.160.1

These steps configure IKE negotiation only. To establish an IPSec security channel for secure communication, IPSec must also be configured; for details, see the configuration examples in IPSec Configuration.

Troubleshooting IKE

When configuring the parameters used to establish an IPSec security channel, you can use the debugging ike error command to enable IKE error debugging.

Invalid user ID information

User ID information is the data by which the user originating IPSec communication identifies itself. In practical applications the user ID establishes a different security path for protecting different data streams. At present, the user IP address is used to identify the user. The debugging information shows:

got NOTIFY of type INVALID_ID_INFORMATION
or
drop message from X.X.X.X due to notification type INVALID_ID_INFORMATION

Check whether the ACL contents of the ipsec policies configured on the interfaces at both ends are compatible. It is recommended that the ACLs at the two ends mirror each other.

Unmatched policy

Enable the debugging ike error command to see the debugging information:

got NOTIFY of type NO_PROPOSAL_CHOSEN
or
drop message from X.X.X.X due to notification type NO_PROPOSAL_CHOSEN

The two negotiating parties have no matching policy. Check the protocol used by the ipsec policy configured on the interfaces of both parties, and whether the encryption algorithm and authentication algorithm are the same.

Unable to establish security channel

Follow these steps:
■ Check whether the network is stable and whether the security channel has been properly established. You may encounter this situation: the two parties cannot communicate via the existing security channel, although the access control lists of both parties are properly configured and there is a matching policy. This is generally because one party restarted the router after the security channel was established.
■ Use the display ike sa command to check whether both parties have established the Phase 1 SA.
■ Use the display ipsec sa policy command to check whether the ipsec policy on the interface has established an IPSec SA.
■ If the above two checks show that one party has an SA but the other does not, use the reset ike sa command to clear the erroneous SA and re-initiate negotiation.
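The policy-matching rules from Creating an IKE Security Policy, applied to the two gateways of the IKE Configuration Example and to the NO_PROPOSAL_CHOSEN case from Troubleshooting IKE, as an added model that is not the manual's or 3Com's code. The default-policy values are the defaults documented in this chapter; modelling the default policy as a separate, lowest-priority proposal is an assumption of the model.

```python
"""Added example, not from the 3Com manual: IKE proposal matching as described in
"Creating an IKE Security Policy", applied to the gateways of the IKE Configuration
Example. The default-policy values are the chapter's documented defaults; treating the
default policy as a separate, lowest-priority proposal is an assumption of this model."""

MATCH_KEYS = ("encryption", "hash", "auth", "dh")

# Documented defaults of an IKE proposal; the non-deletable default policy uses them.
DEFAULT_POLICY = {"encryption": "des-cbc", "hash": "sha", "auth": "pre-share",
                  "dh": "group1", "lifetime": 86400}


def proposal(**overrides):
    """An `ike proposal` whose unset attributes keep their default values."""
    return {**DEFAULT_POLICY, **overrides}


def negotiate(initiator_policies, responder_policies):
    """Responder-side matching: walk the responder's policies in priority order and
    accept the first one that has the same encryption, hash, authentication and DH
    parameters as a received policy and a lifetime at least as long as the received
    one. The agreed SA keeps the shorter (received) lifetime. Returns the agreed
    parameters, or None, which the peer sees reported as NO_PROPOSAL_CHOSEN."""
    for mine in responder_policies:              # highest priority first
        for received in initiator_policies:      # in the order the initiator sent them
            same = all(mine[k] == received[k] for k in MATCH_KEYS)
            if same and mine["lifetime"] >= received["lifetime"]:
                return dict(received)
    return None


def configuration_example():
    """Gateway A: policy 10 (md5, 5000 s) above the default policy; Gateway B: default only."""
    gateway_a = [proposal(hash="md5", lifetime=5000), proposal()]
    gateway_b = [proposal()]
    return negotiate(gateway_a, gateway_b)


if __name__ == "__main__":
    print(configuration_example())    # falls through to the default policy: sha, 86400 s
    # Responder lifetime shorter than the initiator's: the policy is refused.
    print(negotiate([proposal(lifetime=5000)], [proposal(lifetime=3000)]))   # None
```

Under these rules Policy 10 is never selected against the example's Gateway B, which holds only the default policy; for the MD5 policy to be chosen, Gateway B would need a proposal with the same parameters.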
IX VPN

Chapter 42 Configuring VPN
Chapter 43 Configuring L2TP
Chapter 44 Configuring GRE