H3C SecPath F1000-E User Manual (H3C Technologies), page 165: IKE Configuration, IKE Overview, Security Mechanism of IKE

IKE Configuration
This chapter includes these sections:
•
•
•
• Displaying and Maintaining IKE
•
•
IKE Overview
Built on a framework defined by the Internet Security Association and Key Management Protocol (ISAKMP), Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec, simplifying the application, management, configuration and maintenance of IPsec dramatically.

Instead of transmitting keys directly across a network, IKE calculates shared keys after exchanging a series of data. Thus, even if a third party captures all exchanged data that is used to calculate the keys, it cannot calculate the keys.
This section covers these topics:
•
•
•
•
• Relationship Between IKE and IPsec
•
Security Mechanism of IKE
IKE has a series of self-protection mechanisms and supports secure identity authentication, key distribution, and IPsec SA establishment on unsecured networks.
Data authentication
Data authentication involves two concepts:
• Identity authentication: Mutual identity authentication between peers. Two authentication methods are available: pre-shared key authentication and PKI-based digital signature authentication (RSA signature).
• Identity protection: Encrypting the identity information with the generated keys before sending the information.
DH
The Diffie-Hellman (DH) algorithm is a public key algorithm. With this algorithm, two peers exchange some data and then each use that data to calculate the shared keys, rather than transmitting the keys directly. Because recovering the shared keys from the exchanged data is computationally infeasible, a third party cannot obtain the keys even after intercepting all the exchanged data.
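The exchange described above, as an added example that is not part of the H3C manual: both peers derive the same secret while only their public values cross the wire. It assumes the peers have agreed on IKE DH group 2 (the 1024-bit MODP group of RFC 2409); the primality sanity check, the peer-value validation and the final key-derivation step are constructed for illustration, not IKE's exact SKEYID computation.

```python
import hashlib
import secrets
# 1024-bit MODP prime of IKE DH group 2 (RFC 2409, section 6.2); generator 2.
P_GROUP2 = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
G_GROUP2 = 2

def is_probable_prime(n, rounds=16):
    """Miller-Rabin test (n > 3); used to sanity-check the group prime before use."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

class DHPeer:
    """One IKE peer's side of the exchange; group parameters are assumed agreed."""
    def __init__(self, p=P_GROUP2, g=G_GROUP2):
        self.p, self.g = p, g
        self.priv = secrets.randbelow(p - 2) + 1   # x: never leaves this peer
        self.pub = pow(g, self.priv, p)            # g^x mod p: the only value sent
    def shared_secret(self, peer_pub):
        if not 1 < peer_pub < self.p - 1:          # 0, 1, p-1 would force a predictable secret
            raise ValueError("invalid peer public value")
        return pow(peer_pub, self.priv, self.p)    # g^xy mod p, computed by each side

def run_exchange():
    """Returns (keys_match, wire_view); wire_view is everything an eavesdropper sees."""
    ini, rsp = DHPeer(), DHPeer()
    wire_view = (ini.p, ini.g, ini.pub, rsp.pub)   # no private exponent is on the wire
    k_i = ini.shared_secret(rsp.pub)
    k_r = rsp.shared_secret(ini.pub)
    # Simplified keying-material derivation (constructed; real IKE SKEYID also mixes nonces).
    skey_i = hashlib.sha256(k_i.to_bytes(128, "big")).digest()
    skey_r = hashlib.sha256(k_r.to_bytes(128, "big")).digest()
    return skey_i == skey_r, wire_view
```

Recovering either private exponent from the wire view requires solving a discrete logarithm in the 1024-bit group, which is what the manual's "cannot calculate the keys" claim rests on.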