Cisco Packet Data Gateway (PDG)
IPSec Network Applications
IPSec for Femto-UMTS Networks
Cisco StarOS IP Security (IPSec) Reference
Figure 9. X.509 Certificate-based Peer Authentication (figure not reproduced; the exchange is described in Table 10)

Table 10. X.509 Certificate-based Peer Authentication
Step 1: The peer node initiates an IKEv2 exchange with the local node, known as the IKE_SA_INIT exchange, by issuing an IKE_SA_INIT Request to negotiate cryptographic algorithms, exchange nonces, and perform a Diffie-Hellman exchange with the local node.

Step 2: The local node responds with an IKE_SA_INIT Response by choosing a cryptographic suite from the initiator's offered choices, completing the Diffie-Hellman and nonce exchanges with the peer node. In addition, the local node includes the list of CA certificates that it will accept in its CERTREQ payload. For successful peer authentication, the CERTREQ payload must contain at least one CA certificate that is in the trust chain of the peer certificate. At this point in the negotiation, the IKE_SA_INIT exchange is complete, and all but the headers of all the messages that follow are encrypted and integrity-protected.
Step 3: The peer node initiates an IKE_AUTH exchange with the local node, including the IDi payload, a CERT payload set to the peer certificate, and an AUTH payload containing the signature of the previous IKE_SA_INIT Request message (from step 1) generated using the private key of the peer certificate. The authentication algorithm used to generate the signature is also indicated in the AUTH payload. The peer node also includes a CERTREQ payload carrying the SHA-1 hashes of the CA certificates it accepts for local node authentication. For successful server authentication, the CERTREQ payload must contain at least one CA certificate that is in the trust chain of the peer certificate.
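As an added example (not code from the Cisco reference or from StarOS), the CERTREQ check that steps 2 and 3 rely on, in Python: build a CERTREQ payload from a list of trust anchors, parse one received from a peer, and determine which CA in the local certificate's trust chain the peer actually accepts. The SPKI byte strings are constructed placeholders standing in for real DER SubjectPublicKeyInfo structures, and the payload layout follows RFC 7296 (generic payload header, Cert Encoding byte, concatenated 20-byte SHA-1 hashes).

```python
import hashlib
import struct

# Certificate Encoding value "X.509 Certificate - Signature" (RFC 7296, section 3.6).
X509_SIGNATURE = 4
# Next Payload value meaning "no further payload follows".
NO_NEXT_PAYLOAD = 0

def ca_hash(spki_der: bytes) -> bytes:
    """SHA-1 of a trust anchor's SubjectPublicKeyInfo, which is what CERTREQ carries (RFC 7296, 3.7)."""
    return hashlib.sha1(spki_der).digest()

def build_certreq(trust_anchor_spkis, next_payload=NO_NEXT_PAYLOAD) -> bytes:
    """Encode a CERTREQ payload: 4-byte generic header, Cert Encoding byte, concatenated 20-byte hashes."""
    body = bytes([X509_SIGNATURE]) + b"".join(ca_hash(s) for s in trust_anchor_spkis)
    header = struct.pack("!BBH", next_payload, 0, 4 + len(body))  # length includes the header itself
    return header + body

def parse_certreq(payload: bytes):
    """Return (encoding, [hashes]) from a CERTREQ payload, rejecting malformed lengths."""
    if len(payload) < 5:
        raise ValueError("CERTREQ too short")
    _next_payload, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("CERTREQ length field does not match payload size")
    encoding, ca_data = payload[4], payload[5:]
    if encoding == X509_SIGNATURE and len(ca_data) % 20 != 0:
        raise ValueError("CA data is not a whole number of SHA-1 hashes")
    return encoding, [ca_data[i:i + 20] for i in range(0, len(ca_data), 20)]

def acceptable_cas(payload: bytes, own_chain_spkis):
    """The rule from steps 2 and 3: which CAs in our own trust chain did the peer say it accepts?"""
    encoding, requested = parse_certreq(payload)
    if encoding != X509_SIGNATURE:
        return []  # other encodings are out of scope here; treat as no usable CA
    return [spki for spki in own_chain_spkis if ca_hash(spki) in requested]

# Constructed sample SPKI blobs standing in for real DER SubjectPublicKeyInfo structures.
ROOT_CA_SPKI = b"constructed-spki-root-ca"
SUB_CA_SPKI = b"constructed-spki-intermediate-ca"
OTHER_CA_SPKI = b"constructed-spki-unrelated-ca"

if __name__ == "__main__":
    # Peer accepts an unrelated CA and our intermediate CA; our chain is intermediate + root.
    certreq = build_certreq([OTHER_CA_SPKI, SUB_CA_SPKI])
    print(acceptable_cas(certreq, [SUB_CA_SPKI, ROOT_CA_SPKI]))  # [b'constructed-spki-intermediate-ca']
    print(acceptable_cas(build_certreq([OTHER_CA_SPKI]), [SUB_CA_SPKI, ROOT_CA_SPKI]))  # [] -> no common CA
```

An empty result from acceptable_cas is the failure case the table warns about: with no CA in common, certificate-based authentication of that side cannot succeed.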