3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide
11
IKE CONFIGURATION
IKE Overview
Brief Introduction to IKE
Internet Key Exchange (IKE) is the Internet protocol for negotiating and exchanging shared secrets. It is a hybrid protocol that operates within the framework specified by the Internet Security Association and Key Management Protocol (ISAKMP). IKE automatically negotiates and exchanges shared keys on behalf of IPsec and sets up the resulting Security Associations (SAs), which simplifies IPsec deployment and management.
Network security has two aspects: security inside the LAN, and security of the data exchanged with the outside. The former is addressed by firewalls, network address translation (NAT) and similar controls; the emerging IPsec (IP Security) standard addresses the latter.
IPsec Security Associations can be configured manually, but as the number of nodes in the network grows, manual configuration becomes hard to maintain and hard to keep secure (every pair of peers needs its own keys, and static keys are never rotated). In that case IKE automatic negotiation is used to establish the Security Associations and exchange the shared secrets.
IKE includes a series of self-protection mechanisms that let it distribute shared keys, authenticate peer identities and establish IPsec Security Associations safely over an untrusted network.
The IKE security mechanisms include:
■ Diffie-Hellman (DH) exchange and shared key distribution
Diffie-Hellman is a key agreement algorithm. The two communicating parties exchange some public data and each computes the shared key from it, so the key itself is never transmitted. Encryption requires that both parties hold the same key; the merit of IKE is that it never sends this key across the untrusted network but derives it from the exchanged data. Even a third party (an attacker, for example) who captures all of the data exchanged to compute the key cannot work out the real shared key. DH on its own does not tell a party who it is exchanging keys with; that is the job of identity authentication, described below.
■ Perfect Forward Secrecy (PFS)
PFS is a security property: if one key is compromised, the security of the other keys is not affected, because the keys are not derived from one another. In IPsec, PFS is implemented by performing an additional DH key exchange during IKE negotiation phase 2, so that the phase 2 keys do not depend solely on the phase 1 secret.
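The two items above (the DH exchange, and the extra DH exchange that gives PFS) as an added, runnable example. This is not code from the 3Com guide or from the switch firmware; it follows the IKEv1 derivation formulas of RFC 2409 (SKEYID with pre-shared-key authentication, SKEYID_d, KEYMAT), uses HMAC-SHA-256 as a stand-in for the negotiated prf, and constructs its own cookies, nonces, SPIs and pre-shared key. The function names are the author's own; the modulus is the RFC 2409 Oakley group 2 prime.

```python
"""IKEv1-style Diffie-Hellman key agreement, with and without PFS.
Added example, not 3Com/H3C code.  Derivations follow RFC 2409 (SKEYID,
SKEYID_d, KEYMAT) with HMAC-SHA-256 standing in for the negotiated prf;
cookies, nonces, SPIs and the pre-shared key are constructed for the demo."""
import hashlib
import hmac
import secrets

# RFC 2409 Oakley group 2 (1024-bit MODP, generator 2).  Too small for new
# deployments (prefer group 14 or larger); shown as the classic IKE group.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def is_probable_prime(n, rounds=16):
    """Miller-Rabin; sanity-check a DH modulus before trusting it."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def dh_keypair(p=P, g=G):
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(p - 3) + 2
    return x, pow(g, x, p)

def dh_shared(x, peer_pub, p=P):
    """g^xy mod p.  Reject 0, 1 and p-1, which would force the secret into a
    two-element set; RFC 2409 leaves this check to the implementation."""
    if not 2 <= peer_pub <= p - 2:
        raise ValueError("invalid DH public value")
    return pow(peer_pub, x, p)

def i2b(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def skeyid_psk(psk, ni, nr):
    """PSK authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b).  The
    authentication key is an input, so peers with different PSKs never derive
    the same SKEYID even though they agree on g^xy."""
    return prf(psk, ni + nr)

def skeyid_d(skeyid, g_xy, cky_i, cky_r):
    """SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0): the phase-1 secret
    from which all phase-2 keying material is derived."""
    return prf(skeyid, i2b(g_xy) + cky_i + cky_r + b"\x00")

def phase2_keymat(sk_d, proto, spi, ni2, nr2, g_qm_xy=None):
    """KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b).
    g(qm)^xy, the extra quick-mode DH result, is present only with PFS."""
    prefix = i2b(g_qm_xy) if g_qm_xy is not None else b""
    return prf(sk_d, prefix + proto + spi + ni2 + nr2)

def attacker_recovers_phase2_key(pfs):
    """Run phase 1 and phase 2 between two peers, then let an attacker who
    captured every packet and later obtained SKEYID_d try to rebuild KEYMAT."""
    psk = b"constructed demo pre-shared key"
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    # Phase 1 (main mode): one DH exchange; only g^x and g^y cross the wire.
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    assert dh_shared(xi, gr) == dh_shared(xr, gi)
    sk_d = skeyid_d(skeyid_psk(psk, ni, nr), dh_shared(xi, gr), cky_i, cky_r)
    # Phase 2 (quick mode): fresh nonces and SPI; with PFS, fresh DH values too.
    proto, spi = b"\x03", secrets.token_bytes(4)   # ESP; constructed SPI
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    if pfs:
        qxi, qgi = dh_keypair()
        _, qgr = dh_keypair()
        keymat = phase2_keymat(sk_d, proto, spi, ni2, nr2, dh_shared(qxi, qgr))
        # The attacker holds g^a and g^b; their product is g^(a+b), not g^(ab),
        # and neither quick-mode private exponent ever left its owner.
        guess = phase2_keymat(sk_d, proto, spi, ni2, nr2, (qgi * qgr) % P)
    else:
        keymat = phase2_keymat(sk_d, proto, spi, ni2, nr2)
        guess = phase2_keymat(sk_d, proto, spi, ni2, nr2)  # all inputs were public
    return hmac.compare_digest(guess, keymat)
```

Calling attacker_recovers_phase2_key(False) returns True: once the phase 1 secret leaks, every phase 2 key derived from it is recoverable from captured traffic. Calling attacker_recovers_phase2_key(True) returns False, because the quick-mode DH result enters KEYMAT and cannot be computed from the public values alone. The is_probable_prime check on P and on (P-1)/2 is the test a practitioner should run on any DH group a vendor ships: a modulus that is not a safe prime leaks bits of the shared secret through small subgroups.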
■ Identity authentication
Identity authentication verifies the identity of both parties in the communication. The authentication key is an input to the generation of the shared secret, so it is impossible for different authentication keys to generate the same shared secret