Motorola 6161252-00-01, Enterprise Series Routers manual Internet Key Exchange IKE Configuration

6-2 Administrator’s Handbook

The advantage of using IKE is that it automatically negotiates IPsec Security Associations and enables IPsec secure communications without having to manually enter the lengthy encryption keys at both ends of the connection. You enter a human-readable pass phrase or shared secret English sentence, like “my dog has fleas” on each end once. This pass phrase is used to authenticate each end to the other. Thereafter, the two ends periodically use a public key encryption method called Diffie-Hellman to exchange key material and then securely generate new authentication and encryption keys. The keys are automatically and continually changing, making the data exchanged using the keys inherently secure.

It also allows you to specify a lifetime for the IPsec Security Association and allows encryption keys to change periodically during IPsec sessions. You can set this period for key generation to as often as your security requirements dictate.

A Security Policy Database (SPD) now defines the security requirements. This is a significant change from earlier software implementations of IPsec. Traffic with a source IP address that falls within the local member specification of an IPsec tunnel and that is addressed to a destination IP address that falls within the remote member specification of that tunnel is not routed using the normal routing table. Instead it is forwarded using the security policy database to the remote security gateway (remote tunnel endpoint) specified in the IPsec tunnel configuration. It is not possible to send traffic outside the tunnel by bypassing the tunnel and the remote security gateway.

Note: To fully protect against IP address “spoofing” of local member addresses requires firewall rules to be installed on the WAN interface. These must prevent packets coming in through that interface with local member source addresses, since local member source addresses should only originate from the LAN. Otherwise it is theoretically possible for a malicious hacker to send packets through the tunnel by impersonating local member IP addresses. See the chapter “Security” on page 10-1 for more information.

Traffic originating from local member LAN addresses that is not addressed to remote member addresses, as well as traffic originating from local LAN IP addresses that do not match any local member specifications, is routed using the normal routing table. This means that if you want to restrict traffic from local members from going out to the Internet and force it all to go through one or more tunnels you need to specify remote members of 0.0.0.0 - 255.255.255.255 or 0.0.0.0/0. Traffic originating from the gateway, for example, Telnet, ping, DNS queries, will not use the default VPN definition even if the source addresses match. Traffic to and from the gateway is included in specific VPNs.

Internet Key Exchange (IKE) Configuration

IPsec tunnels are defined in the same manner as PPTP tunnels. (See “Virtual Private Networks (VPNs)” on page 5-1 for more information.) You configure the Connection Profile as follows.

From the Main Menu navigate to WAN Configuration and then Add Connection Profile.

The Add Connection Profile screen appears.