Negotiation modes, IKE security mechanism, IKE exchange phases – Nortel Secure Router 8000 Series Troubleshooting Manual

Page 52: IKE negotiation modes


Nortel Secure Router 8000 Series
Troubleshooting - VAS

2 IPSec and IKE troubleshooting

- Message Digest 5 (MD5) takes a message of any length and generates a 128-bit
message digest.

- Secure Hash Algorithm (SHA-1) takes a message shorter than 2^64 bits and
generates a 160-bit message digest.

The SHA-1 digest is longer than the MD5 digest, so SHA-1 is harder to attack by
brute force or collision search than MD5, and using SHA-1 is safer than using
MD5. In both cases IPSec applies the algorithm as a keyed HMAC (HMAC-MD5-96 or
HMAC-SHA1-96) and truncates the result to a 96-bit integrity check value, so the
receiver can detect packets that were modified in transit or forged by a party
that does not hold the authentication key.
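As an added example, not code from the manual, the following Python uses only the standard library to show how MD5 and SHA-1 are actually applied in IPSec: as keyed HMACs whose output is truncated to a 96-bit integrity check value (ICV). The integrity key and the packet bytes are constructed for the demonstration.

```python
"""HMAC integrity check as IPSec AH/ESP apply MD5 and SHA-1.

Added example using only the Python standard library; it is not code from the
Nortel manual. The key and packet bytes are constructed for the demonstration
(a real ICV covers the AH/ESP header and payload as sent on the wire).
"""
import hashlib
import hmac

# IPSec carries a 96-bit (12-byte) integrity check value: the HMAC output is
# truncated (HMAC-MD5-96, RFC 2403; HMAC-SHA-1-96, RFC 2404).
ICV_LEN = 12

# Constructed sample data: a 20-byte integrity key and a fake ESP packet
# (SPI 0x00000100, sequence number 1, followed by some payload bytes).
SAMPLE_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
SAMPLE_PACKET = bytes.fromhex("00000100" "00000001") + b"GET /status HTTP/1.0\r\n"


def digest_bits(algo: str) -> int:
    """Output length in bits of the plain hash (MD5 -> 128, SHA-1 -> 160)."""
    return hashlib.new(algo).digest_size * 8


def compute_icv(key: bytes, packet: bytes, algo: str) -> bytes:
    """HMAC-<algo>-96: keyed digest over the packet, truncated to 96 bits."""
    return hmac.new(key, packet, algo).digest()[:ICV_LEN]


def verify_icv(key: bytes, packet: bytes, icv: bytes, algo: str) -> bool:
    """Recompute the ICV and compare it in constant time."""
    return hmac.compare_digest(compute_icv(key, packet, algo), icv)


def tamper_demo(algo: str) -> dict:
    """Show what the ICV catches: a flipped payload bit and a wrong key."""
    icv = compute_icv(SAMPLE_KEY, SAMPLE_PACKET, algo)
    tampered = bytearray(SAMPLE_PACKET)
    tampered[-2] ^= 0x01                      # flip one bit in the payload
    wrong_key = bytes([SAMPLE_KEY[0] ^ 0xFF]) + SAMPLE_KEY[1:]
    return {
        "icv_len": len(icv),
        "genuine": verify_icv(SAMPLE_KEY, SAMPLE_PACKET, icv, algo),
        "modified": verify_icv(SAMPLE_KEY, bytes(tampered), icv, algo),
        "wrong_key": verify_icv(wrong_key, SAMPLE_PACKET, icv, algo),
    }


if __name__ == "__main__":
    for name in ("md5", "sha1"):
        print(name, digest_bits(name), "bit digest ->", tamper_demo(name))
```

Whichever hash is chosen, the ICV on the wire is 12 bytes; the digest length in the text matters for the strength of the keyed function, not for the size of the value carried in the packet.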

Encryption algorithms

ESP can encrypt an IP packet to prevent disclosure of the packet contents during
transmission. The encryption algorithm is a symmetric-key cipher: data is
encrypted and decrypted with the same key, which both peers must hold. IPSec uses
two encryption algorithms:

- DES encrypts 64-bit blocks of cleartext by using a 56-bit key.

- 3DES encrypts cleartext by applying DES three times with three 56-bit DES keys
(168-bit key).

3DES is safer than DES, because a 56-bit DES key can be recovered by exhaustive
search; however, 3DES performs three DES operations per block, so its data
encryption speed is roughly three times slower.

Negotiation modes

There are two negotiation modes for setting up an SA:

Manual mode (manual): All information about the SA (keys, SPIs and algorithms)
must be configured manually on both peers. This mode does not support some
advanced IPSec features, such as updating shared keys at specific intervals.
Manual mode can, however, implement IPSec independently of IKE.

IKE autonegotiation mode (isakmp): This mode is easier to operate because the SA
is set up and maintained automatically through the IKE security policies,
including periodic rekeying.

IKE security mechanism

The IKE security mechanisms are as follows:

Diffie-Hellman (DH) exchange and shared key distribution: DH is a public-key
algorithm for key agreement. Each party sends only a public value; each then
combines the peer's public value with its own private value to calculate the
same shared key. The shared key itself is never transmitted, so a passive
observer of the exchange cannot recover it.

Perfect Forward Secrecy (PFS): Indicates that the compromise of one key does not
expose other keys, because the keys have no derivation relationship. This
feature is implemented by adding a new DH exchange to Phase 2 IKE negotiation,
so that the IPSec SA keys are not derived solely from the Phase 1 keying
material.

Authentication: Identifies the two communication parties to each other (for
example, by a pre-shared key).

Protection: Protects the authentication data by encrypting it with the shared
keys derived from the DH exchange.

IKE exchange phases

IKE negotiates the IPSec shared keys and sets up the SAs in two phases:

Phase 1: The two communication parties authenticate each other and create a
secure tunnel, the ISAKMP SA, also called the IKE SA.

Phase 2: Over the secure tunnel created in Phase 1, negotiate the IPSec SAs that
protect the IP data transmission.
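The DH exchange, the PFS property and the two phases above are easiest to see in code. The following Python is an added example, not Nortel code: it implements the RFC 2409 (IKEv1) derivations for a pre-shared-key Phase 1 (SKEYID and SKEYID_d) and for Phase 2 KEYMAT with and without PFS, over the 1024-bit MODP group (IKE group 2) with HMAC-SHA1 as the prf, and then shows that an attacker who has obtained SKEYID_d can recompute the Phase 2 keys only when PFS is off. The cookies, nonces, SPI and pre-shared key are constructed values.

```python
"""IKE Diffie-Hellman exchange, Phase 1 key derivation and Phase 2 PFS.

Added example, not Nortel code. It follows the RFC 2409 (IKEv1) formulas for
pre-shared-key authentication with HMAC-SHA1 as the prf, over the 1024-bit MODP
group (IKE group 2, RFC 2409 section 6.2). Cookies, nonces, SPI and the
pre-shared key are constructed values. Real IKE also iterates the prf when
KEYMAT must be longer than one prf output; that expansion is omitted here.
"""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime of IKE group 2 (RFC 2409 section 6.2), generator 2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
P_BYTES = (GROUP2_P.bit_length() + 7) // 8


def prf(key: bytes, data: bytes) -> bytes:
    """IKE prf: HMAC-SHA1 keyed with `key`."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    """Fresh private exponent x in [1, p-2] and public value g^x mod p."""
    x = secrets.randbelow(GROUP2_P - 2) + 1
    return x, pow(GROUP2_G, x, GROUP2_P)


def dh_shared(x: int, peer_public: int) -> bytes:
    """g^xy mod p as a fixed-width big-endian byte string."""
    return pow(peer_public, x, GROUP2_P).to_bytes(P_BYTES, "big")


def dh_exchange():
    """Both parties derive the same secret from the exchanged public values.
    Returns (initiator_secret, responder_secret, public values seen on the wire)."""
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    return dh_shared(xi, gr), dh_shared(xr, gi), (gi, gr)


def phase1_skeyid_d(psk, cky_i, cky_r, ni, nr) -> bytes:
    """Phase 1 with pre-shared key: SKEYID = prf(psk, Ni_b | Nr_b) and
    SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)."""
    gxy, gxy_peer, _ = dh_exchange()
    if gxy != gxy_peer:
        raise RuntimeError("DH secrets differ; exchange corrupted")
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, gxy + cky_i + cky_r + b"\x00")


def phase2_keymat(skeyid_d, protocol, spi, ni2, nr2, pfs: bool) -> bytes:
    """KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni2_b | Nr2_b).
    With PFS a new DH exchange supplies g(qm)^xy; its private exponents are
    thrown away as soon as the secret is computed."""
    if pfs:
        gqm, _, _ = dh_exchange()
        return prf(skeyid_d, gqm + protocol + spi + ni2 + nr2)
    return prf(skeyid_d, protocol + spi + ni2 + nr2)


def attacker_keymat(skeyid_d, protocol, spi, ni2, nr2) -> bytes:
    """Attacker model: has SKEYID_d (e.g. from a compromised Phase 1 state) and
    saw the Phase 2 nonces and SPI, but never a private DH exponent. The best
    available derivation is therefore the non-PFS one."""
    return prf(skeyid_d, protocol + spi + ni2 + nr2)


def pfs_demo() -> dict:
    """Run Phase 1 and Phase 2 with constructed parameters and report whether
    the attacker's KEYMAT matches the peers' KEYMAT in each mode."""
    psk = b"constructed-pre-shared-key"
    cky_i, cky_r = b"\x11" * 8, b"\x22" * 8          # ISAKMP cookies
    ni, nr = b"\xaa" * 16, b"\xbb" * 16              # Phase 1 nonces
    ni2, nr2 = b"\xcc" * 16, b"\xdd" * 16            # Phase 2 nonces
    proto, spi = b"\x03", b"\x00\x00\x01\x00"        # PROTO_IPSEC_ESP, SPI 0x100
    skeyid_d = phase1_skeyid_d(psk, cky_i, cky_r, ni, nr)
    guess = attacker_keymat(skeyid_d, proto, spi, ni2, nr2)
    return {
        "no_pfs_compromised": phase2_keymat(skeyid_d, proto, spi, ni2, nr2, False) == guess,
        "pfs_compromised": phase2_keymat(skeyid_d, proto, spi, ni2, nr2, True) == guess,
    }


if __name__ == "__main__":
    print(pfs_demo())
```

The result shows the derivation relationship the PFS paragraph describes: without PFS, every IPSec SA key is a function of SKEYID_d and public values, so one Phase 1 compromise exposes them all; with PFS, each Phase 2 key also depends on a fresh DH secret whose private exponents no longer exist.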

IKE negotiation modes

In Phase 1, IKE has two negotiation modes:

Issue 01.01 (30 March 2009)

Nortel Networks Inc.

2-5