User`s manual

ManualsBrandsAudioCodes ManualsNetworkingMediant 1000

321

322

323

324

325

326

327

328

329

330

Mediant 1000

H.323 User's Manual 322 Document #: LTRT-83401

13.1.1 IKE

IKE is used to obtain the Security Associations (SA) between peers (the gateway and the

application it’s trying to contact). The SA contains the encryption keys and profile used by

the IPSec to encrypt the IP stream. The IKE table lists the IKE peers with which the

gateway performs the IKE negotiation (up to 20 peers are available).

The IKE negotiation is separated into two phases: main mode and quick mode. The main

mode employs the Diffie-Hellman (DH) protocol to obtain an encryption key (without any

prior keys), and uses a pre-shared key to authenticate the peers. The created channel

secures the messages of the following phase (quick mode) in which the IPSec SA

properties are negotiated.

The IKE negotiation is as follows:

 Main mode (the main mode creates a secured channel for the quick mode)

• SA negotiation: The peers negotiate their capabilities using two proposals. Each

proposal includes three parameters: Encryption method, Authentication protocol

and the length of the key created by the DH protocol. The key’s lifetime is also

negotiated in this stage. For detailed information on configuring the main mode

proposals, refer to Section 13.1.3.1 on page 323.

• Key exchange (DH): The DH protocol is used to create a phase-1 key.

• Authentication: The two peers authenticate one another using the pre-shared

key (configured by the parameter ‘IKEPolicySharedKey’).

 Quick mode (quick mode negotiation is secured by the phase-1 SA)

• SA negotiation: The peers negotiate their capabilities using a single proposal.

The proposal includes two parameters: Encryption method and Authentication

protocol. The lifetime is also negotiated in this stage. For detailed information on

configuring the quick mode proposal, refer to the SPD table under Section

13.1.3.2 on page 326.

• Key exchange: a symmetrical key is created using the negotiated SA.

IKE Specifications:

 Authentication mode: pre-shared key only

 Main mode is supported for IKE Phase 1

 Supported IKE SA encryption algorithms: Data Encryption Standard (DES), 3DES,

and Advanced Encryption Standard (AES)

 Hash types for IKE SA: SHA1 and MD5

13.1.2 IPSec

IPSec is responsible for encrypting and decrypting the IP streams.

The IPSec Security Policy Database (SPD) table defines up to 20 IP peers to which the

IPSec security is applied. IPSec can be applied to all packets designated to a specific IP

address or to a specific IP address, port (source or destination) and protocol type.

Each outgoing packet is analyzed and compared to the SPD table. The packet's

destination IP address (and optionally, destination port, source port and protocol type) are

compared to each entry in the table. If a match is found, the gateway checks if an SA

already exists for this entry. If it doesn’t, the IKE protocol is invoked (refer to Section 13.1.1

above) and an IPSec SA is established. The packet is encrypted and transmitted. If a

match isn’t found, the packet is transmitted un-encrypted.

Note: An incoming packet whose parameters match one of the entries of the SPD

table, but is received un-encrypted is dropped.