Relationship between ike and ipsec, Protocols and standards, Ike configuration prerequisites – H3C Technologies H3C SecPath F1000-E User Manual

123

•

Provides end-to-end dynamic authentication.

•

Identity authentication and management of peers influence IPsec deployment. A large-scale IPsec
deployment needs the support of certificate authorities (CAs) or other institutes which manage
identity data centrally.

Relationship between IKE and IPsec

Figure 81 Relationship between IKE and IPsec

Figure 81

illustrates the relationship between IKE and IPsec:

•

IKE is an application layer protocol using UDP and functions as the signaling protocol of IPsec.

•

IKE negotiates SAs for IPsec and delivers negotiated parameters and generated keys to IPsec.

•

IPsec uses the SAs set up through IKE negotiation for encryption and authentication of IP packets.

Protocols and standards

•

RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP)

•

RFC2409, The Internet Key Exchange (IKE)

•

RFC2412, The OAKLEY Key Determination Protocol

IKE configuration prerequisites

Before configuring IKE, you must determine the following parameters:

•

The strength of the algorithms for IKE negotiation, namely the security protection level, including the
identity authentication method, encryption algorithm, authentication algorithm, and DH group.

Different algorithms provide different levels of protection. A stronger algorithm means more resistant

to decryption of protected data but requires more resources. Generally, the longer the key, the

stronger the algorithm.

•

The pre-shared key or the PKI domain to which the certificate belongs. For more information about
the PKI configuration, see "Managing certificates" and "Managing public keys."

IKE

TCP/UDP

IPsec

TCP/UDP

IPsec

IKE

SA

negotiation

SA

Device A

Encrypted IP packets

Device B