SmartWare Software Configuration Guide

32 • VPN configuration

IN   MANUAL   ToBerne   Tunnel   no   200.200.200.1   -   1111   -   -   AES-CBC 128   3622/unlimited   19047/unlimited
OUT  MANUAL   ToBerne   Tunnel   no   200.200.200.1   -   2222   -   -   AES-CBC 128   2857/unlimited   19047/unlimited

Key management (IKE)

In addition to manually keyed IPSEC connections, SmartWare supports automatically keyed IPSEC connections using the Internet Key Exchange protocol (IKE, RFC 2409), which is built on the Internet Security Association and Key Management Protocol (ISAKMP, RFC 2408). The IKE module supports authentication using pre-shared keys. There is currently no support for authentication using a Public Key Infrastructure (PKI) and digital certificates.

IKE is used to establish a shared secret between two peers, from which the encryption and/or authentication keys for the exchange of encrypted and/or authenticated packets through an IPSEC connection are derived. IKE also authenticates the two peers to each other, which thwarts man-in-the-middle attacks. In addition, IKE enables IPSEC replay protection, which prevents the re-injection of previously captured packets into the protected network. Furthermore, IKE negotiates the set of cryptographic transforms IPSEC uses to encrypt and/or authenticate IP packets. IKE is also responsible for periodically establishing new session keys for the IPSEC security associations (rekeying), so that no single key protects an unbounded amount of traffic.

To achieve all of this, IKE runs in two phases, called MAIN MODE (phase 1) and QUICK MODE (phase 2).

In MAIN MODE, IKE mutually authenticates the peers, establishes a shared secret between them and negotiates cryptographic transforms in order to create an ISAKMP security association between the two peers. The ISAKMP security association carries no user traffic itself: it only provides a secure, authenticated and encrypted channel between the peers, which is used for all further IKE communication.

In QUICK MODE, IKE negotiates all the security parameters (cryptographic transforms, SPIs and session keys) required to establish one or more IPSEC security associations. All communication in QUICK MODE is protected by the previously established ISAKMP security association. Note that the same ISAKMP security association can be used for multiple QUICK MODE exchanges, for example to rekey the IPSEC security associations before their lifetime expires.
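The following is an added worked example, not SmartWare code and not part of the original guide. It implements the pre-shared-key keying formulae of RFC 2409 (sections 5.4 and 5.5) so that the two phases described above can be seen in terms of what each side actually computes: MAIN MODE yields SKEYID and its derivatives and proves knowledge of the pre-shared key via HASH_I/HASH_R, and QUICK MODE then derives per-SA KEYMAT from SKEYID_d, keyed by each SA's own SPI, which is why one ISAKMP security association can feed several IPSEC security associations (such as the inbound and outbound SAs with SPIs 1111 and 2222 in the table above). Assumptions, all labelled in the code: HMAC-SHA1 as the negotiated prf, a small toy Diffie-Hellman group instead of an Oakley MODP group, and constructed identities, cookies, nonces and SPIs.

```python
"""IKEv1 (RFC 2409) pre-shared-key keying, MAIN MODE and QUICK MODE.

Added illustration, not SmartWare code. The DH group, identities, cookies,
nonces and SPIs are constructed values; HMAC-SHA1 stands in for the
negotiated prf.
"""
import hashlib
import hmac
import os

# Toy DH group (assumption, NOT an IKE group): 127-bit Mersenne prime, generator 3.
P = (1 << 127) - 1
G = 3
DH_LEN = 16            # octet length of g^x values in this toy group
PROTO_IPSEC_ESP = 3    # ISAKMP protocol identifier for ESP (RFC 2407)


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC keyed with the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


class IkePeer:
    """Per-peer state for one ISAKMP SA: pre-shared key, identity payload body,
    cookie, nonce and Diffie-Hellman exponent."""

    def __init__(self, psk: bytes, identity: bytes):
        self.psk, self.identity = psk, identity
        self.cookie = os.urandom(8)                  # CKY-I / CKY-R
        self.nonce = os.urandom(16)                  # Ni_b / Nr_b
        self.x = int.from_bytes(os.urandom(15), "big") + 2
        self.pub = pow(G, self.x, P)                 # g^x, sent in the KE payload

    def pub_bytes(self) -> bytes:
        return self.pub.to_bytes(DH_LEN, "big")

    def phase1_keys(self, ni, nr, cky_i, cky_r, peer_pub: int) -> dict:
        """RFC 2409 5.4 (pre-shared key): SKEYID = prf(psk, Ni_b | Nr_b), then
        SKEYID_d / SKEYID_a / SKEYID_e from g^xy and the two cookies."""
        gxy = pow(peer_pub, self.x, P).to_bytes(DH_LEN, "big")
        skeyid = prf(self.psk, ni + nr)
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # seeds QUICK MODE keys
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # ISAKMP SA integrity
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # ISAKMP SA encryption
        return {"skeyid": skeyid, "d": skeyid_d, "a": skeyid_a, "e": skeyid_e}


def main_mode(init: IkePeer, resp: IkePeer, sai_b: bytes):
    """What both sides compute after the six MAIN MODE messages: each derives
    SKEYID* on its own, then proves knowledge of the PSK with HASH_I / HASH_R.
    Returns (authenticated, initiator_keys, responder_keys)."""
    cky_i, cky_r = init.cookie, resp.cookie
    gxi, gxr = init.pub_bytes(), resp.pub_bytes()
    ki = init.phase1_keys(init.nonce, resp.nonce, cky_i, cky_r, resp.pub)
    kr = resp.phase1_keys(init.nonce, resp.nonce, cky_i, cky_r, init.pub)
    # Message 5: initiator sends HASH_I; the responder recomputes it under its own SKEYID.
    hash_i = prf(ki["skeyid"], gxi + gxr + cky_i + cky_r + sai_b + init.identity)
    check_i = prf(kr["skeyid"], gxi + gxr + cky_i + cky_r + sai_b + init.identity)
    # Message 6: responder answers with HASH_R; the initiator verifies it the same way.
    hash_r = prf(kr["skeyid"], gxr + gxi + cky_r + cky_i + sai_b + resp.identity)
    check_r = prf(ki["skeyid"], gxr + gxi + cky_r + cky_i + sai_b + resp.identity)
    ok = hmac.compare_digest(hash_i, check_i) and hmac.compare_digest(hash_r, check_r)
    return ok, ki, kr


def quick_mode_keymat(skeyid_d: bytes, spi: bytes, ni_qm: bytes, nr_qm: bytes, key_len: int) -> bytes:
    """RFC 2409 5.5 without PFS: K1 = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b),
    K2 = prf(SKEYID_d, K1 | protocol | SPI | Ni_b | Nr_b), ... until key_len octets.
    The SPI belongs to the receiving side's SA, so each direction gets distinct keys."""
    seed = bytes([PROTO_IPSEC_ESP]) + spi + ni_qm + nr_qm
    block = prf(skeyid_d, seed)
    keymat = block
    while len(keymat) < key_len:
        block = prf(skeyid_d, block + seed)
        keymat += block
    return keymat[:key_len]


def demo() -> dict:
    """One ISAKMP SA feeding two IPSEC SAs (SPIs 0x1111 and 0x2222), each needing
    36 octets of KEYMAT for AES-CBC 128 (16) plus HMAC-SHA1-96 (20)."""
    psk = b"constructed pre-shared key"
    a, b = IkePeer(psk, b"ID:10.0.0.1"), IkePeer(psk, b"ID:200.200.200.1")
    sai_b = b"constructed SA payload body as sent by the initiator"
    ok, ka, kb = main_mode(a, b, sai_b)
    ni_qm, nr_qm = os.urandom(16), os.urandom(16)      # fresh QUICK MODE nonces
    spi_in, spi_out = b"\x00\x00\x11\x11", b"\x00\x00\x22\x22"
    # An impostor without the PSK completes the DH exchange but fails HASH_I/HASH_R.
    impostor_ok = main_mode(IkePeer(b"guessed key", b"ID:10.0.0.1"), b, sai_b)[0]
    return {
        "phase1_ok": ok,
        "skeyid_d_match": ka["d"] == kb["d"],
        "keymat_in": quick_mode_keymat(ka["d"], spi_in, ni_qm, nr_qm, 36),
        "peer_keymat_in": quick_mode_keymat(kb["d"], spi_in, ni_qm, nr_qm, 36),
        "keymat_out": quick_mode_keymat(ka["d"], spi_out, ni_qm, nr_qm, 36),
        "impostor_ok": impostor_ok,
    }


if __name__ == "__main__":
    r = demo()
    print("phase 1 authenticated:", r["phase1_ok"], "| impostor accepted:", r["impostor_ok"])
    print("inbound KEYMAT  :", r["keymat_in"].hex())
    print("outbound KEYMAT :", r["keymat_out"].hex())
```

Two properties of the design are worth noting. Because SKEYID is keyed with the pre-shared key, a peer that does not hold the key cannot produce a valid HASH_I or HASH_R even though it can complete the Diffie-Hellman exchange, which is the man-in-the-middle protection the text refers to; and because SKEYID_d never leaves the peers, any number of QUICK MODE runs can draw fresh, SPI-specific keys from it without repeating MAIN MODE.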

Main differences between manual & IKE IPSEC configurations

For IKE connections the ACLs must permit UDP traffic to and from port 500 in plaintext, because IKE uses this port to negotiate security associations and cannot itself travel through the IPSEC tunnel it is about to create. As for manually keyed connections, the ESP (IP protocol 50) and/or AH (IP protocol 51) packets of the tunnel must of course be permitted as well.

In addition to the "profile ipsec-transform", which defines the cryptographic transforms used for the IPSEC connections, you also need to define a "profile isakmp-transform", which defines the cryptographic transforms used to protect the ISAKMP negotiation of new IPSEC security associations (i.e. the MAIN MODE channel).

Instead of the "profile ipsec-policy-manual", which is used to create manually keyed IPSEC connections, you need to create a "profile ipsec-policy-isakmp", which contains all the IKE-specific configuration options.

Creating an IPSEC transform profile

First you need to create at least one IPSEC transform profile as described in Chapter 26 of the Software Configuration Guide. In addition to the parameters used also for manually keyed IPSEC security associations, you

Patton SmartNode 4110 Series, SmartWare Software Configuration Guide, page 370