Lantronix SLC 8000 Advanced Console Manager User Guide - Page 106

IKE Negotiation, Main Mode, Aggressive Mode, IKE Encryption, IKE Authentication, IKE DH Group

Page 106 highlights

IKE Negotiation IKE Version IKE Encryption IKE Authentication IKE DH Group 6: Basic Parameters The Internet Key Exchange (IKE) protocol is used to exchange security options between two hosts who want to communicate via IPSec. The first phase of the protocol authenticates the two hosts to each other and establishes the Internet Security Association Key Management Protocol Security Association (ISAKMP SA). The second phase of the protocol establishes the cryptographic parameters for protecting the data passed through the tunnel, which is the IPSec Security Association (IPSec SA). The IPSec SA can periodically be renegotiated to ensure security. The IKE protocol can use one of two modes: Main Mode, which provides identity protection and takes longer, or Aggressive Mode, which provides no identity protection but is quicker. With Aggressive Mode, there is no negotiation of which cryptographic parameters will be used; each side must give the correct cryptographic parameters in the initial package of the exchange, otherwise the exchange will fail. If Aggressive Mode is used, the IKE Encryption, IKE Authentication, and IKE DH Group must be specified. IKE Version settings to be used. Currently the accepted values are IKEv1, IKEv2 and Any. Default is IKEv2. Any uses IKEv2 when initiating but will accept any protocol version while responding. It is recommended that any IKE Encryption or ESP Encryption parameters that are selected be supported by the IKE Version that is used. Refer to the list of IKEv1 and IKEv2 cipher suites for more information. The type of encryption, 3DES, AES, AES192 or AES256, used for IKE negotiation. Any can be selected if the two sides can negotiate which type of encryption to use. Note: If IKE Encryption, Authentication and DH Group are set to Any, default cipher suite(s) will be used. If the console manager acts as an initiator, the tunnel will use a default IKE cipher of aes128-sha256-ecp256 (for IKEv1). For IKEv2 or when the console manager is the responder in tunnel initiation, it will propose a set of cipher suites and will accept the first supported proposal received from the peer. The type of authentication, SHA2_256, SHA2_384, SHA2_512, SHA1, or MD5, used for IKE negotiation. Any can be selected if the two sides can negotiate which type of authentication to use. The Diffie-Hellman Group, 2 (modp1024), 5 (modp1536), 14 (modp2048), 15 (modp3072), 16 (modp4096), 17 (modp6144), 18 (modp8192) or 19 (ecp256) can be used for IKE negotiation. Any can be selected if the two sides can negotiate which Diffie-Hellman Group to use. SLC™ 8000 Advanced Console Manager User Guide 106

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158
  • 159
  • 160
  • 161
  • 162
  • 163
  • 164
  • 165
  • 166
  • 167
  • 168
  • 169
  • 170
  • 171
  • 172
  • 173
  • 174
  • 175
  • 176
  • 177
  • 178
  • 179
  • 180
  • 181
  • 182
  • 183
  • 184
  • 185
  • 186
  • 187
  • 188
  • 189
  • 190
  • 191
  • 192
  • 193
  • 194
  • 195
  • 196
  • 197
  • 198
  • 199
  • 200
  • 201
  • 202
  • 203
  • 204
  • 205
  • 206
  • 207
  • 208
  • 209
  • 210
  • 211
  • 212
  • 213
  • 214
  • 215
  • 216
  • 217
  • 218
  • 219
  • 220
  • 221
  • 222
  • 223
  • 224
  • 225
  • 226
  • 227
  • 228
  • 229
  • 230
  • 231
  • 232
  • 233
  • 234
  • 235
  • 236
  • 237
  • 238
  • 239
  • 240
  • 241
  • 242
  • 243
  • 244
  • 245
  • 246
  • 247
  • 248
  • 249
  • 250
  • 251
  • 252
  • 253
  • 254
  • 255
  • 256
  • 257
  • 258
  • 259
  • 260
  • 261
  • 262
  • 263
  • 264
  • 265
  • 266
  • 267
  • 268
  • 269
  • 270
  • 271
  • 272
  • 273
  • 274
  • 275
  • 276
  • 277
  • 278
  • 279
  • 280
  • 281
  • 282
  • 283
  • 284
  • 285
  • 286
  • 287
  • 288
  • 289
  • 290
  • 291
  • 292
  • 293
  • 294
  • 295
  • 296
  • 297
  • 298
  • 299
  • 300
  • 301
  • 302
  • 303
  • 304
  • 305
  • 306
  • 307
  • 308
  • 309
  • 310
  • 311
  • 312
  • 313
  • 314
  • 315
  • 316
  • 317
  • 318
  • 319
  • 320
  • 321
  • 322
  • 323
  • 324
  • 325
  • 326
  • 327
  • 328
  • 329
  • 330
  • 331
  • 332
  • 333
  • 334
  • 335
  • 336
  • 337
  • 338
  • 339
  • 340
  • 341
  • 342
  • 343
  • 344
  • 345
  • 346
  • 347
  • 348
  • 349
  • 350
  • 351
  • 352
  • 353
  • 354
  • 355
  • 356
  • 357
  • 358
  • 359
  • 360
  • 361
  • 362
  • 363
  • 364
  • 365
  • 366
  • 367
  • 368
  • 369
  • 370
  • 371
  • 372
  • 373
  • 374
  • 375
  • 376
  • 377
  • 378
  • 379
  • 380
  • 381
  • 382
  • 383
  • 384
  • 385
  • 386
  • 387
  • 388
  • 389
  • 390
  • 391
  • 392
  • 393
  • 394
  • 395
  • 396
  • 397
  • 398
  • 399
  • 400
  • 401
  • 402
  • 403
  • 404
  • 405
  • 406
  • 407
  • 408
  • 409
  • 410
  • 411
  • 412
  • 413
  • 414
  • 415
  • 416
  • 417
  • 418
  • 419
  • 420
  • 421
  • 422
  • 423
  • 424
  • 425
  • 426
  • 427
  • 428
  • 429
  • 430
  • 431
  • 432
  • 433
  • 434
  • 435
  • 436
  • 437
  • 438
  • 439
  • 440
  • 441
  • 442
  • 443
  • 444
  • 445
  • 446
  • 447
  • 448
  • 449
  • 450
  • 451
  • 452
  • 453
  • 454
  • 455
  • 456
  • 457
  • 458
  • 459
  • 460
  • 461
  • 462
  • 463
  • 464
  • 465
  • 466
  • 467
  • 468
  • 469
  • 470
  • 471
  • 472

6: Basic Parameters
SLCâ„¢ 8000 Advanced Console Manager User Guide
106
IKE Negotiation
The Internet Key Exchange (IKE) protocol is used to exchange security
options between two hosts who want to communicate via IPSec. The first
phase of the protocol authenticates the two hosts to each other and
establishes the Internet Security Association Key Management Protocol
Security Association (ISAKMP SA). The second phase of the protocol
establishes the cryptographic parameters for protecting the data passed
through the tunnel, which is the IPSec Security Association (IPSec SA). The
IPSec SA can periodically be renegotiated to ensure security.
The IKE protocol can use one of two modes:
Main Mode
, which provides
identity protection and takes longer, or
Aggressive Mode
, which provides
no identity protection but is quicker. With Aggressive Mode, there is no
negotiation of which cryptographic parameters will be used; each side must
give the correct cryptographic parameters in the initial package of the
exchange, otherwise the exchange will fail. If Aggressive Mode is used, the
IKE Encryption
,
IKE Authentication
, and
IKE DH Group
must be
specified.
IKE Version
IKE Version settings to be used. Currently the accepted values are IKEv1,
IKEv2 and Any. Default is IKEv2. Any uses IKEv2 when initiating but will
accept any protocol version while responding.
It is recommended that any IKE Encryption or ESP Encryption parameters
that are selected be supported by the IKE Version that is used. Refer to the
list of
IKEv1
and
IKEv2
cipher suites for more information.
IKE Encryption
The type of encryption,
3DES
,
AES
,
AES192
or
AES256
, used for IKE
negotiation. Any can be selected if the two sides can negotiate which type of
encryption to use.
Note:
If IKE Encryption, Authentication and DH Group are set to
Any
,
default cipher suite(s) will be used. If the console manager acts as an
initiator, the tunnel will use a default IKE cipher of aes128-sha256-ecp256
(for IKEv1). For IKEv2 or when the console manager is the responder in
tunnel initiation, it will propose a set of cipher suites and will accept the first
supported proposal received from the peer.
IKE Authentication
The type of authentication,
SHA2_256
,
SHA2_384
,
SHA2_512
,
SHA1,
or
MD5
, used for IKE negotiation.
Any
can be selected if the two sides can
negotiate which type of authentication to use.
IKE DH Group
The Diffie-Hellman Group, 2 (modp1024), 5 (modp1536), 14 (modp2048),
15 (modp3072), 16 (modp4096), 17 (modp6144), 18 (modp8192) or 19
(ecp256) can be used for IKE negotiation. Any can be selected if the two
sides can negotiate which Diffie-Hellman Group to use.