Huawei v200r001 User Manual

User Manual - Configuration Guide  (Volume 3)
Versatile Routing Platform
Chapter 5  Configuration of IKE
5.1  Brief Introduction to IKE Protocol
I. IKE
IKE, the Internet Key Exchange protocol, is a hybrid protocol that implements the
Oakley and SKEME key exchanges within the ISAKMP framework. It defines a standard way
to authenticate IPSec peers automatically, negotiate security services and generate
shared keys, and it provides automatic key exchange negotiation and security
association (SA) creation, which simplifies the use and management of IPSec.
IKE has its own set of self-protection mechanisms, so that keys can be delivered
securely, identities authenticated and IPSec security associations established over an
insecure network.
IKE uses ISAKMP in two phases:
•  In the first phase, the two parties negotiate and authenticate a communication
channel (the IKE SA), which provides confidentiality, message integrity and message
source authentication for the rest of the IKE exchange between them.
•  In the second phase, the established IKE SA is used to create the IPSec SA.
The following figure shows the relationship between IKE and IPSec.
[Figure: two routers, each with a protocol stack of TCP/UDP, IKE, IPSec and IP. The
IKE peers carry out the SA negotiation; the IPSec peers exchange encrypted IP messages
over the resulting SAs.]
Figure SC-5-1  Diagram of relationship between IKE and IPSec
II. IKE features
•  Removes the need to specify all IPSec security parameters manually in the IPSec
policy configuration of both peers.
•  Allows the lifetime of an IPSec SA to be specified.
•  Allows encryption keys to be changed during an IPSec session.
•  Allows IPSec to provide an anti-replay service.
•  Allows certificate-based authentication, which makes IPSec deployments manageable
and scalable.
•  Allows dynamic end-to-end authentication.
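The two-phase exchange described in 5.1 and the key-change and authentication items in the feature list, as a worked example added to this section (it is not code from the Huawei manual or from the VRP software). The script models IKEv1 main mode with pre-shared-key authentication as specified in RFC 2409: phase 1 combines a Diffie-Hellman exponentiation with the pre-shared key to produce SKEYID and the IKE SA keys SKEYID_d, SKEYID_a and SKEYID_e; the peers authenticate each other with HASH_I and HASH_R; phase 2 (quick mode without PFS) derives the IPSec SA keys (KEYMAT) from SKEYID_d using fresh nonces and SPIs, which is also how keys are changed during a session without a second exponentiation. Assumed: Diffie-Hellman group 2, HMAC-SHA1 as the prf, ESP as the phase 2 protocol, a 36-byte KEYMAT (16-byte cipher key plus 20-byte HMAC-SHA1 key), and constructed cookies, nonces, SPIs and payload bodies; the function and variable names are this example's own.

```python
"""IKEv1 main mode with pre-shared-key authentication, modelled on RFC 2409.
Added example for this section; not code from the Huawei manual or the VRP software.
Assumptions: DH group 2 (RFC 2409 section 6.2), HMAC-SHA1 as the prf, ESP in phase 2.
Cookies, nonces, SPIs and the SA/ID payload bodies are constructed stand-ins,
not parsed wire payloads."""
import hashlib
import hmac
import secrets

# Second Oakley group: 1024-bit MODP prime with generator 2, transcribed from RFC 2409 section 6.2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
GROUP_BYTES = 128
PROTO_ESP = 3  # PROTO_IPSEC_ESP (RFC 2407 section 4.4.1)

def prf(key, data):
    """The negotiated prf: HMAC over the negotiated hash (SHA-1 assumed here)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def dh_keypair(priv=None):
    """Private exponent x and public value g^x mod p (priv is settable for tests)."""
    if priv is None:
        priv = secrets.randbits(256)  # ample for a 1024-bit group
    return priv, pow(GROUP2_G, priv, GROUP2_P)

def dh_shared(priv, peer_pub):
    """g^xy as a fixed-width big-endian string; rejects degenerate peer values."""
    if not 1 < peer_pub < GROUP2_P - 1:  # 0, 1 and p-1 would force a trivial secret
        raise ValueError("peer public value outside (1, p-1)")
    return pow(peer_pub, priv, GROUP2_P).to_bytes(GROUP_BYTES, "big")

def phase1_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """SKEYID for PSK authentication and the three IKE SA keys (RFC 2409 section 5)."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # seeds IPSec SAs
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # IKE integrity
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # IKE encryption
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}

def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):  # initiator's HASH_I
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)

def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b):  # responder's HASH_R, order swapped
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)

def phase2_keymat(skeyid_d, protocol, spi, ni2, nr2, needed):
    """Quick mode KEYMAT without PFS (RFC 2409 section 5.5), expanded to `needed` bytes:
    K1 = prf(SKEYID_d, proto|SPI|Ni|Nr), K2 = prf(SKEYID_d, K1|proto|SPI|Ni|Nr), ..."""
    seed = bytes([protocol]) + spi + ni2 + nr2
    out, k = b"", b""
    while len(out) < needed:
        k = prf(skeyid_d, k + seed)
        out += k
    return out[:needed]

def negotiate(psk_i, psk_r, keymat_len=36):
    """Run both peers through phase 1 and two quick modes; report what they agree on.
    keymat_len=36 covers a 16-byte cipher key followed by a 20-byte HMAC-SHA1 key."""
    rnd = secrets.token_bytes
    cky_i, cky_r, ni, nr = rnd(8), rnd(8), rnd(16), rnd(16)  # cookies, phase 1 nonces
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    gxi_b, gxr_b = gxi.to_bytes(GROUP_BYTES, "big"), gxr.to_bytes(GROUP_BYTES, "big")
    sai_b = b"constructed SA payload body"  # stand-in for the initiator's proposal
    idii_b, idir_b = b"constructed ID 10.1.1.1", b"constructed ID 10.2.2.2"
    # Each side combines its own exponent with the peer's public value.
    keys_i = phase1_keys(psk_i, ni, nr, dh_shared(xi, gxr), cky_i, cky_r)
    keys_r = phase1_keys(psk_r, ni, nr, dh_shared(xr, gxi), cky_i, cky_r)
    # Mutual authentication: the receiver recomputes the peer's hash with its own SKEYID.
    args = (gxi_b, gxr_b, cky_i, cky_r, sai_b)
    init_ok = hmac.compare_digest(hash_i(keys_i["SKEYID"], *args, idii_b),
                                  hash_i(keys_r["SKEYID"], *args, idii_b))
    resp_ok = hmac.compare_digest(hash_r(keys_r["SKEYID"], *args, idir_b),
                                  hash_r(keys_i["SKEYID"], *args, idir_b))
    result = {"auth_ok": init_ok and resp_ok,
              "ike_sa_agree": keys_i["SKEYID_e"] == keys_r["SKEYID_e"]}
    if not result["auth_ok"]:
        return result  # phase 1 fails, so no IPSec SA is ever built

    def quick_mode():
        # Fresh nonces; each peer chooses the SPI of its own inbound SA.
        ni2, nr2, spis = rnd(16), rnd(16), (rnd(4), rnd(4))
        km_i = [phase2_keymat(keys_i["SKEYID_d"], PROTO_ESP, s, ni2, nr2, keymat_len) for s in spis]
        km_r = [phase2_keymat(keys_r["SKEYID_d"], PROTO_ESP, s, ni2, nr2, keymat_len) for s in spis]
        return km_i, km_r

    first_i, first_r = quick_mode()
    second_i, second_r = quick_mode()  # key change: new IPSec SA keys from the same IKE SA
    result.update(ipsec_sa_agree=(first_i == first_r and second_i == second_r),
                  directions_differ=(first_i[0] != first_i[1]),
                  rekey_changes_keys=(first_i != second_i),
                  keymat_len=len(first_i[0]))
    return result
```

Calling negotiate() with the same pre-shared key on both sides yields auth_ok True and identical IPSec SA keys on both peers, with a different key per direction and new keys on every quick mode; a mismatched key fails phase 1 authentication, so phase 2 never runs and no IPSec SA is built. The peer's public value is range-checked before use so that a degenerate value cannot force a known shared secret. Confirm the group 2 prime against RFC 2409 before reusing the constant elsewhere.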