IKEv2 Security Association Configuration Mode Commands

The IKEv2 Security Association Configuration Mode is used to configure a Security Association at the outset of an IPsec session. A security association is the collection of algorithms and parameters (such as keys) that is being used to encrypt and authenticate a particular flow in one direction. In normal bi-directional traffic, the flows are secured by a pair of security associations.
 
Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
 
default
Sets the default properties for the selected parameter.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
default { encryption | group | hmac | lifetime | prf }
Set the defaults for the following parameters:
encryption: Default algorithm for the IKEv2 IKE SA is AES-CBC-128
group: Default Diffie-Hellman group is Group 2
hmac: Default IKEv2 IKE SA hashing algorithm is SHA1-96
lifetime: Default lifetime for SAs derived from this transform-set is 86400 seconds.
prf: Default PRF for the IKEv2 IKE SA is SHA1.
Usage
Configure default parameters for the IKEv2 IKE SA transform-set.
Example
Use the following configuration to set the default encryption algorithm:
default encryption
 
encryption
Configure the appropriate encryption algorithm and encryption key length for the IKEv2 IKE security association. AES-CBC-128 is the default.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
encryption { 3des-cbc | aes-cbc-128 | aes-cbc-256 | des-cbc }
default encryption
3des-cbc
“Triple DES.” Data Encryption Standard Cipher Block Chaining encryption applied to the message three times using three different cipher keys.
aes-cbc-128
Advanced Encryption Standard Cipher Block Chaining with a key length of 128 bits.
This is the default setting for this command.
aes-cbc-256
Advanced Encryption Standard Cipher Block Chaining with a key length of 256 bits.
des-cbc
Data Encryption Standard Cipher Block Chaining. Encryption using a 56-bit key size. Relatively insecure.
Usage
IKEv2 requires a confidentiality algorithm to be applied in order to work.
In block cipher cryptography, the plaintext is broken into blocks, usually 64 or 128 bits in length. In cipher block chaining (CBC) each encrypted block is chained into the next block of plaintext to be encrypted; a randomly generated initialization vector is applied to the first block of plaintext in lieu of a preceding encrypted block. CBC provides confidentiality, but not message integrity.
Because RFC 4307 calls for interoperability between IPsec and IKEv2, the IKEv2 confidentiality algorithms must be the same as those configured for IPsec in order for there to be an acceptable match during the IKE message exchange. For the same reason there is no viable NULL encryption option in IKEv2; NULL is available for testing only.
Example
The following command configures the encryption to be the default aes-cbc-128:
default encryption
 
end
Exits the current mode and returns to the Exec Mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
end
Usage
Change the mode back to the Exec Mode.
 
exit
Exits the current mode and returns to the previous mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
exit
Usage
Returns to the previous mode.
 
group
Configure the appropriate key exchange cryptographic strength by applying a Diffie-Hellman group. Default is Group 2.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
group { 1 | 2 | 5 | 14 }
default group
1
Configures crypto strength at the Group 1 level. Lowest security.
2
Configures crypto strength at the Group 2 (default) level. Medium security.
This is the default setting for this command.
5
Configures crypto strength at the Group 5 level. Higher security.
14
Configures crypto strength at the Group 14 level. Highest security.
Usage
Diffie-Hellman groups are used to determine the length of the base prime numbers used during the key exchange process in IKEv2. The cryptographic strength of any key derived depends, in part, on the strength of the Diffie-Hellman group upon which the prime numbers are based.
Group 1 provides 768 bits of keying strength, Group 2 provides 1024 bits, Group 5 provides 1536 bits and Group 14 provides 2048 bits.
Configuring a DH group also enables Perfect Forward Secrecy, which is disabled by default.
Example
This command configures security at the default level (Group 2):
default group
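The following Python illustration is added here and is not PDIF or StarOS code. It shows what the group keyword actually selects: each Diffie-Hellman group fixes a MODP prime, and the bit length of that prime is the keying-strength figure quoted in the Usage text. The Group 1 and Group 2 primes are the 768-bit and 1024-bit MODP primes published in RFC 2409 (generator 2); Groups 5 and 14 are not included, and the exchange is unauthenticated, as raw Diffie-Hellman always is before the IKE_AUTH step.

```python
"""Added illustration (not PDIF/StarOS code) of the IKEv2 `group` setting:
the group fixes the MODP prime, and the prime's bit length is the
'keying strength' quoted in the Usage text.  Primes are the RFC 2409
Group 1 (768-bit) and Group 2 (1024-bit) MODP groups with generator 2."""
import secrets


def _hex_to_int(text: str) -> int:
    """Parse the whitespace-separated hex layout used in the RFC."""
    return int("".join(text.split()), 16)


# RFC 2409 section 6.1, "First Oakley Default Group" (IKE Group 1, 768 bits)
GROUP1_P = _hex_to_int("""
    FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
    29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
    EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
    E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF""")

# RFC 2409 section 6.2, "Second Oakley Group" (IKE Group 2, 1024 bits, the default)
GROUP2_P = _hex_to_int("""
    FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
    29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
    EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
    E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
    EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
    FFFFFFFF FFFFFFFF""")

MODP_GROUPS = {1: GROUP1_P, 2: GROUP2_P}
GENERATOR = 2


def modulus_bits(group: int) -> int:
    """Bit length of the group's prime: the figure quoted as keying strength."""
    return MODP_GROUPS[group].bit_length()


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases; enough to catch a transcription error."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """The Oakley MODP primes are safe primes: p and (p-1)/2 are both prime."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def dh_exchange(group: int):
    """One DH exchange in the group; returns the secret each side computes."""
    p = MODP_GROUPS[group]
    q = (p - 1) // 2                      # order of the subgroup generated by 2
    a = secrets.randbelow(q - 2) + 2      # initiator's private exponent
    b = secrets.randbelow(q - 2) + 2      # responder's private exponent
    ke_i = pow(GENERATOR, a, p)           # KEi payload sent by the initiator
    ke_r = pow(GENERATOR, b, p)           # KEr payload sent by the responder
    return pow(ke_r, a, p), pow(ke_i, b, p)   # g^ir as seen by each side


if __name__ == "__main__":
    for g in MODP_GROUPS:
        print(f"Group {g}: {modulus_bits(g)}-bit prime, safe prime: {is_safe_prime(MODP_GROUPS[g])}")
    shared_i, shared_r = dh_exchange(2)
    print("Group 2 shared secrets agree:", shared_i == shared_r)
```

Running the block confirms the 768/1024 figures from the Usage text directly from the primes, and the safe-prime check is the kind of sanity test worth keeping wherever a MODP group is hard-coded, since a single corrupted hex digit silently produces a composite modulus.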
 
hmac
Configures the IKEv2 IKE SA integrity algorithm. Default is SHA1-96.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
hmac { md5-96 | sha1-96 }
default hmac
md5-96
HMAC-MD5 uses a 128-bit secret key and produces a 128-bit authenticator value.
sha1-96
HMAC-SHA-1 uses a 160-bit secret key and produces a 160-bit authenticator value. This is the default setting for this command.
Usage
IKEv2 requires an integrity algorithm be configured in order to work.
A keyed-Hash Message Authentication Code, or HMAC, is a type of message authentication code (MAC) calculated using a cryptographic hash function in combination with a secret key to verify both data integrity and message authenticity. A hash takes a message of any size and transforms it into a message of a fixed size: the authenticator value. This is truncated to 96 bits and transmitted. The authenticator value is reconstituted by the receiver and the first 96 bits are compared for a 100 percent match.
Because RFC 4306 calls for interoperability between IPsec and IKEv2, the IKEv2 integrity algorithms must be the same as those configured for IPsec in order for there to be an acceptable match during the IKE message exchange.
Example
The following command configures the default HMAC value (SHA1-96):
default hmac
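The following Python example is added here and is not PDIF or StarOS code. It walks through the integrity procedure described in the Usage text: the full HMAC is computed over the message with the standard-library hmac module, only the first 96 bits (12 octets) are transmitted, and the receiver recomputes the value and compares the first 96 bits in constant time. The key, message and tampered message are constructed sample values.

```python
"""Added example (not PDIF/StarOS code): how an IKEv2 integrity algorithm
such as `hmac sha1-96` or `hmac md5-96` is applied and checked."""
import hashlib
import hmac

TRUNC_OCTETS = 96 // 8            # both sha1-96 and md5-96 keep the first 96 bits
HASHES = {"sha1": hashlib.sha1, "md5": hashlib.md5}


def integrity_tag(key: bytes, message: bytes, algo: str = "sha1") -> bytes:
    """Compute the full HMAC and return the truncated 96-bit authenticator."""
    full = hmac.new(key, message, HASHES[algo]).digest()   # 160 bits for SHA-1, 128 for MD5
    return full[:TRUNC_OCTETS]


def verify_tag(key: bytes, message: bytes, tag: bytes, algo: str = "sha1") -> bool:
    """Receiver side: recompute and compare the first 96 bits in constant time."""
    if len(tag) != TRUNC_OCTETS:
        return False
    return hmac.compare_digest(integrity_tag(key, message, algo), tag)


# Constructed sample values (not derived from any real IKE exchange).
SAMPLE_KEY_SHA1 = bytes.fromhex("0b" * 20)    # 160-bit key for HMAC-SHA-1
SAMPLE_KEY_MD5 = bytes.fromhex("0b" * 16)     # 128-bit key for HMAC-MD5
SAMPLE_MSG = b"IKE_AUTH payload (constructed sample)"


def demo():
    """Return (tag length, genuine check, tampered-message check, wrong-key check)."""
    tag = integrity_tag(SAMPLE_KEY_SHA1, SAMPLE_MSG)
    genuine = verify_tag(SAMPLE_KEY_SHA1, SAMPLE_MSG, tag)
    tampered = verify_tag(SAMPLE_KEY_SHA1, SAMPLE_MSG[:-1] + b"!", tag)
    wrong_key = verify_tag(bytes(20), SAMPLE_MSG, tag)
    return len(tag), genuine, tampered, wrong_key


if __name__ == "__main__":
    print("sha1-96 tag:", integrity_tag(SAMPLE_KEY_SHA1, SAMPLE_MSG).hex())
    print("md5-96 tag: ", integrity_tag(SAMPLE_KEY_MD5, SAMPLE_MSG, "md5").hex())
    print("len, genuine, tampered, wrong key:", demo())
```

Truncation does not weaken the key: the receiver still derives the full HMAC, and the 96-bit comparison uses hmac.compare_digest so that a forged tag cannot be confirmed byte by byte through timing differences.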
 
lifetime
Configure the lifetime of a security association (SA) in seconds. The default timeout is 86400 seconds.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
lifetime sec
default lifetime
lifetime sec
Default: 86400
Sets the value of the timeout parameter. sec must be an integer from 60 - 86400.
Usage
The secret keys that are used for various aspects of a configuration should only be used for a limited amount of time before timing out. This limits the amount of data exposed to an attacker who recovers a key. When the SA expires, the options are either to close the SA and open a new one, or to renew the existing SA.
Example
The following command sets the lifetime timeout to be the default value (86400):
default lifetime
 
prf
Select one of the HMAC integrity algorithms to act as the IKE Pseudo-Random Function. A PRF produces a string of bits that an attacker cannot distinguish from a random bit string without knowledge of the secret key. The default is SHA1.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
prf { md5 | sha1 }
default prf
md5
MD5 uses a 128-bit secret key and produces a 128-bit authenticator value.
sha1
SHA-1 uses a 160-bit secret key and produces a 160-bit authenticator value.
SHA-1 is considered cryptographically stronger than MD5, but it takes more CPU cycles to compute.
This is the default setting for this command.
Usage
The prf is used for generating keying material for all the cryptographic algorithms used in both the IKE_SA and the CHILD_SAs.
Example
This configuration sets the prf to be the default value (sha1):
default prf
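The following Python example is added here and is not PDIF or StarOS code. It shows how the negotiated PRF is used to generate keying material, as the Usage text states: the prf+ expansion defined in RFC 4306 section 2.13 (T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)) is run with HMAC-SHA1 as the PRF, and its output is split into the seven IKE_SA keys (SK_d, SK_ai, SK_ar, SK_ei, SK_er, SK_pi, SK_pr). The SKEYSEED, nonces and SPIs are constructed sample values; the 16-octet encryption key length corresponds to the aes-cbc-128 default above and the 20-octet integrity key to sha1-96.

```python
"""Added example (not PDIF/StarOS code): IKEv2 prf+ key expansion from
RFC 4306 section 2.13, with HMAC-SHA1 as the PRF (the `prf sha1` default)."""
import hashlib
import hmac

PRFS = {"sha1": hashlib.sha1, "md5": hashlib.md5}


def prf(key: bytes, data: bytes, algo: str = "sha1") -> bytes:
    """The negotiated PRF: HMAC over `data` with the chosen hash."""
    return hmac.new(key, data, PRFS[algo]).digest()


def prf_plus(key: bytes, seed: bytes, length: int, algo: str = "sha1") -> bytes:
    """prf+(K, S) = T1 | T2 | ... with T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, counter = b"", b"", 1
    while len(out) < length:
        if counter > 255:                      # the counter is a single octet
            raise ValueError("prf+ cannot produce more than 255 blocks")
        t = prf(key, t + seed + bytes([counter]), algo)
        out += t
        counter += 1
    return out[:length]


def derive_ike_sa_keys(skeyseed: bytes, ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes,
                       algo: str = "sha1", enc_key_len: int = 16, integ_key_len: int = 20):
    """Split prf+(SKEYSEED, Ni | Nr | SPIi | SPIr) into the seven IKE_SA keys.

    SK_d, SK_pi and SK_pr take the PRF's preferred key length (its output size
    for an HMAC PRF); SK_ai/SK_ar take the integrity key length and SK_ei/SK_er
    the encryption key length negotiated in the transform set."""
    prf_len = PRFS[algo]().digest_size
    layout = [("SK_d", prf_len), ("SK_ai", integ_key_len), ("SK_ar", integ_key_len),
              ("SK_ei", enc_key_len), ("SK_er", enc_key_len),
              ("SK_pi", prf_len), ("SK_pr", prf_len)]
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(n for _, n in layout), algo)
    keys, pos = {}, 0
    for name, n in layout:
        keys[name] = stream[pos:pos + n]
        pos += n
    return keys


# Constructed sample inputs; real values come from the IKE_SA_INIT exchange.
SAMPLE_SKEYSEED = bytes.fromhex("01" * 20)   # prf(Ni | Nr, g^ir) in a real run
SAMPLE_NI = b"initiator-nonce!"              # 16 octets
SAMPLE_NR = b"responder-nonce!"              # 16 octets
SAMPLE_SPI_I = bytes.fromhex("0011223344556677")
SAMPLE_SPI_R = bytes.fromhex("8899aabbccddeeff")

if __name__ == "__main__":
    for name, k in derive_ike_sa_keys(SAMPLE_SKEYSEED, SAMPLE_NI, SAMPLE_NR,
                                      SAMPLE_SPI_I, SAMPLE_SPI_R).items():
        print(f"{name:6s} {len(k):2d} octets  {k.hex()}")
```

Because every key is carved from one prf+ stream, a weak PRF or a predictable nonce compromises all seven keys at once, which is why the PRF choice is negotiated alongside the encryption and integrity algorithms rather than treated as an afterthought.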
 
 

Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883