Downloads |
Table Of Contents
Supported Standards, MIBs, and RFCs
Configuring IKE Policy group 5
Configuring Crypto Map and Specifying PFS with the group 5 option
Verifying Diffie-Hellman Group 5
Configuring an IKE Policy Group 5 Example
Specifying PFS with the Group 5 Example
Diffie-Hellman Group 5
This document describes the Diffie-Hellman Group 5 feature. It includes information on the benefits of the new feature, supported platforms, related documents, and so on.
This document includes the following sections:
•
Supported Standards, MIBs, and RFCs
Feature Overview
The Diffie-Hellman Group 5 feature enables group 5 on all platforms that support crypto images. Group 5 specifies the 1536-bit Diffie-Hellman group, which is a method of establishing a shared key over an insecure medium.
To specify group 5, you must first enter either the set pfs command or the group command. The group 5 option works exactly like group 1 and group 2; however, group 5 provides a higher level of security and requires more process time than group 1 and group 2.
Benefits
The 1536-bit Diffie-Hellman group (group 5) provides more security than group 1 and group 2.
Restrictions
The set pfs command is available only for ipsec-isakmp crypto map entries and dynamic crypto map entries.
Related Documents
The following documents provide information related to the Diffie-Hellman Group 5 feature:
•
•
•
Supported Platforms
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Supported Standards, MIBs, and RFCs
Standards
No new or modified standards are supported by this feature.
MIBs
For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on Cisco Connection Online (CCO) at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFCs
•
Configuration Tasks
See the following sections for configuration tasks for the Diffie-Hellman Group 5 feature. Each task in the list is indicated as optional or required.
•
•
Configuring IKE Policy group 5
To configure an Internet Key Exchange policy with the 1536-bit Diffie-Hellman group (group 5), enter the following commands beginning in global configuration mode:
For more information on creating IKE policies, refer to the chapter "Configuring Internet Key Exchange Security Protocol" in the Cisco IOS Security Configuration Guide, Release 12.1.
Configuring Crypto Map and Specifying PFS with the group 5 option
To configure a crypto map and specify that perfect forward secrecy (group 5) should be used whenever a new security association is negotiated for the configured crypto map, enter the following commands beginning in global configuration mode:
For more information on creating or modifying crypto map sets, refer to the chapter "Configuring IPSec Network Security" in the Cisco IOS Security Configuration Guide, Release 12.1.
Verifying Diffie-Hellman Group 5
To display all existing IKE policies, use the show crypto isakmp policy command in EXEC mode.
To view information about your IPSec configuration, use the show crypto map command in EXEC mode.
Configuration Examples
This section provides the following configuration examples:
•
•
Configuring an IKE Policy Group 5 Example
The following example configures an IKE policy with the 1536-bit Diffie-Hellman group (group 5); all other parameters are set to the defaults:
crypto isakmp policy 25group 5Specifying PFS with the Group 5 Example
The following example specifies that IPSec should use the 1536-bit Diffie-Hellman prime modulus group (group5) whenever a new security association is negotiated for the crypto map "mymap 15":
crypto map mymap 15 ipsec-isakmpset pfs group5Command Reference
This section documents modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.1 command reference publications.
group (IKE policy)
To specify the Diffie-Hellman group identifier within an IKE policy, use the group Internet Security Association and Key Management Protocol (ISAKMP) policy configuration command. IKE policies define a set of parameters to be used during IKE negotiation. To reset the Diffie-Hellman group identifier to the default value, use the no form of this command .
group {1 | 2 | 5}
no group
Syntax Description
1
The 768-bit Diffie-Hellman group.
2
The 1024-bit Diffie-Hellman group.
5
The 1536-bit Diffie-Hellman group.
Defaults
768-bit Diffie-Hellman group (group 1).
Command Modes
ISAKMP policy configuration (config-isakmp)
Command History
Usage Guidelines
Use this command to specify the Diffie-Hellman group to be used in an IKE policy.
Examples
The following example configures an IKE policy with the 1024-bit Diffie-Hellman group (group 2); all other parameters are set to the defaults:
crypto isakmp policy 15group 2Related Commands
set pfs
To specify that IPSec should ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or that IPSec requires PFS when receiving requests for new security associations, use the set pfs crypto map configuration command. To specify that IPSec should not request PFS, use the no form of the command.
set pfs [group1 | group2 | group5]
no set pfs
Syntax Description
Defaults
By default, PFS is not requested. If no group is specified with this command, group1 is used as the default.
Command Modes
Crypto map configuration
Command History
Usage Guidelines
This command is available only for ipsec-isakmp crypto map entries and dynamic crypto map entries.
During negotiation, this command causes IPSec to request PFS when requesting new security associations for the crypto map entry. The default (group1) is sent if the set pfs statement does not specify a group. If the peer initiates the negotiation and the local configuration specifies PFS, the remote peer must perform a PFS exchange or the negotiation will fail. If the local configuration does not specify a group, a default of group1 will be assumed, and an offer of either group1, group2, or group5 will be accepted. If the local configuration specifies group2 or group5, that group must be part of the offer from the peer or the negotiation will fail. If the local configuration does not specify PFS, it will accept any offer of PFS from the peer.
PFS adds another level of security because if one key is ever cracked by an attacker then only the data sent with that key will be compromised. Without PFS, data sent with other keys could also be compromised.
With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs. This exchange requires additional processing time.
The 1024-bit Diffie-Hellman prime modulus group, group2, provides more security than group1, but requires more processing time than group1. However, the 1536-bit Diffie-Hellman prime modulus group, group5, provides more security than group1 and group2, but requires more processing time than group1 and group2.
Examples
The following example specifies that PFS should be used whenever a new security association is negotiated for the crypto map "mymap 10":
crypto map mymap 10 ipsec-isakmpset pfs group2Related Commands
Glossary
crypto map—A Cisco IOS software configuration entity that performs two primary functions: (1) it selects data flows that need security processing, and (2) it defines the policy for these flows and the crypto peer that traffic needs to go to. A crypto map is applied to an interface. The concept of a crypto map was introduced in classic crypto but was expanded for IPSec.
DH—See Diffie-Hellman.
Diffie-Hellman—A public-key cryptography protocol which allows two parties to establish a shared secret over an insecure communications channel. Diffie-Hellman is used within IKE to establish session keys and is a component of Oakley.
Internet Security Association and Key Management Protocol—See ISAKMP.
ISAKMP—Internet Security Association and Key Management Protocol. A protocol framework that defines the mechanics of implementing a key exchange protocol and negotiation of a security policy.
Oakley—A key exchange protocol that defines how to acquire authenticated keying material. The basic mechanism for Oakley is the Diffie-Hellman key exchange algorithm.
perfect forward secrecy—See PFS.
PFS—perfect forward secrecy. PFS ensures that a given key of an IPSec security association was not derived from any other secret (like some other keys). In other words, if someone were to break a key, PFS ensures that the attacker would not be able to derive any other key. If PFS were not enabled, someone could hypothetically break the IKE SA secret key, copy all the IPSec-protected data, and then use knowledge of the IKE SA secret to compromise the IPSec SAs set up by this IKE SA. With PFS, breaking IKE would not give an attacker immediate access to IPSec. The attacker would have to break each IPSec SA individually. Cisco IOS IPSec implementation uses PFS group 1 (DH 768 bit) by default.