A key exchange policy is required by IKE to provide dynamic key management. The policy contains the definitions about how the negotiation of keys is to be performed (using IKEv1 or IKEv2), how the negotiations are to be protected, and which hosts are allowed to negotiate keys. The absence of a key exchange policy is not considered an error, but without it, the IKE daemon is unable to provide dynamic key management.
A key exchange policy consists of an ordered list of key exchange rules. A key exchange rule consists of a set of security endpoints, and an action to be taken when the two security endpoints engage in an IKE phase 1 negotiation.
Optionally, a key exchange rule can contain a shared key known only to the two negotiating entities that are described in the rule. When an IKE negotiation is initiated, the current list of key exchange rules is searched for a match, based on four criteria:
The following sample KeyExchangeRule block allows an IKE negotiation between IKE daemons at 9.2.2.2 and 9.4.4.4. A description of each line in the sample follows the sample.
1  KeyExchangeRule ZoneB_KeyExRule1
2  {
3    LocalSecurityEndpoint
4    {
5      Identity IpAddr 9.2.2.2
6      Location 9.2.2.2
7    }
8    RemoteSecurityEndpoint
9    {
10     Identity X500dn CN=ZoneB Cert,T=IKE ServerB,OU=endicott,O=ibm,C=US
11     Location 9.4.0.0/16
12     CaLabel CA4endicott
13   }
14   KeyExchangeActionRef Gold-RSA
15   SharedKey Ascii TheEagleHasLanded
16 }

KeyExchangeAction Gold-RSA
{
  HowToInitiate main
  HowToRespondIKEv1 main
  KeyExchangeOffer
  {
    HowToEncrypt 3DES
    HowToAuthMsgs SHA1
    HowToAuthPeers RsaSignature
  }
}
The KeyExchangeAction statement specifies the detailed parameters that govern a phase 1 negotiation between these two security endpoints: which IKE mode is used to initiate and to respond to the negotiation, and which encryption, message-authentication and peer-authentication methods the KeyExchangeOffer proposes. Two points a practitioner should note about this sample. First, the offer uses 3DES and SHA1, which are legacy algorithms; a production policy should offer a stronger cipher and hash where both peers support them. Second, the offer authenticates peers with RsaSignature, so the SharedKey on line 15 is not used by this action; a preshared key only matters when the offer authenticates peers with a preshared key, and because it is stored in clear text in the policy file, that file must be protected accordingly.
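The rule search described above (an ordered list of KeyExchangeRule statements, walked until one matches the negotiating endpoints) and the sample policy can be exercised with the following Python. This is an added example, not IBM's IKE daemon code or parser: it parses the brace-delimited statement syntax shown in the sample into nested dictionaries, does a first-match search over the rules, and lints the chosen rule and action for the two caveats noted above. The policy text is constructed for the example and modelled on the page's sample. It is an assumption of this example that a rule matches when each endpoint's Identity equals the peer's asserted identity and the peer's address falls within that endpoint's Location; the page lists four criteria but does not enumerate them, and the legacy-algorithm sets and the lint messages are this example's own.

```python
import ipaddress

# Constructed policy text, modelled on the page's sample (not an IBM policy file).
SAMPLE_POLICY = """
KeyExchangeRule ZoneB_KeyExRule1
{
  LocalSecurityEndpoint
  {
    Identity IpAddr 9.2.2.2
    Location 9.2.2.2
  }
  RemoteSecurityEndpoint
  {
    Identity X500dn CN=ZoneB Cert,T=IKE ServerB,OU=endicott,O=ibm,C=US
    Location 9.4.0.0/16
    CaLabel CA4endicott
  }
  KeyExchangeActionRef Gold-RSA
  SharedKey Ascii TheEagleHasLanded
}
KeyExchangeAction Gold-RSA
{
  HowToInitiate main
  HowToRespondIKEv1 main
  KeyExchangeOffer
  {
    HowToEncrypt 3DES
    HowToAuthMsgs SHA1
    HowToAuthPeers RsaSignature
  }
}
"""

# Assumed legacy sets used by the lint below (this example's choice).
LEGACY_ENCRYPT = {"DES", "3DES"}
LEGACY_AUTHMSGS = {"MD5", "SHA1"}


def _next_nonblank(lines, i):
    while i < len(lines) and not lines[i]:
        i += 1
    return i


def parse_policy(text):
    """Parse 'Statement [name]' + '{ ... }' blocks into nested dicts.

    Returns {"rules": [(name, attrs), ...] in file order, "actions": {name: attrs}}.
    A line followed by '{' opens a block; any other line is 'Keyword rest-of-line'.
    """
    root = {"rules": [], "actions": {}}
    stack = []
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        ln = lines[i]
        i += 1
        if not ln:
            continue
        if ln == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        if ln == "{":
            raise ValueError("'{' without a preceding statement")
        kind, _, rest = ln.partition(" ")
        rest = rest.strip()
        j = _next_nonblank(lines, i)
        if j < len(lines) and lines[j] == "{":
            node = {}
            if stack:
                stack[-1][kind] = node          # nested block, e.g. LocalSecurityEndpoint
            elif kind == "KeyExchangeRule":
                root["rules"].append((rest, node))  # keep order: first match wins
            elif kind == "KeyExchangeAction":
                root["actions"][rest] = node
            else:
                raise ValueError("unknown top-level statement: " + kind)
            stack.append(node)
            i = j + 1
        else:
            if not stack:
                raise ValueError("attribute outside a block: " + ln)
            stack[-1][kind] = rest
    if stack:
        raise ValueError("unterminated block")
    return root


def endpoint_matches(ep, identity, address):
    """identity is a (type, value) tuple such as ('IpAddr', '9.2.2.2');
    address is the peer's IP. Location may be a host address or a prefix."""
    id_type, _, id_value = ep["Identity"].partition(" ")
    if (id_type, id_value) != identity:
        return False
    net = ipaddress.ip_network(ep["Location"], strict=False)
    return ipaddress.ip_address(address) in net


def select_rule(policy, local_id, local_addr, remote_id, remote_addr):
    """Ordered first-match search over the rule list; returns (name, rule, action) or None."""
    for name, rule in policy["rules"]:
        if (endpoint_matches(rule["LocalSecurityEndpoint"], local_id, local_addr)
                and endpoint_matches(rule["RemoteSecurityEndpoint"], remote_id, remote_addr)):
            action = policy["actions"].get(rule["KeyExchangeActionRef"])
            if action is None:
                raise ValueError("rule %s references unknown action %s"
                                 % (name, rule["KeyExchangeActionRef"]))
            return name, rule, action
    return None


def lint_rule(rule, action):
    """Return warnings for weak offers and for a SharedKey that RsaSignature never uses."""
    warnings = []
    offer = action.get("KeyExchangeOffer", {})
    if offer.get("HowToEncrypt") in LEGACY_ENCRYPT:
        warnings.append("HowToEncrypt %s is a legacy cipher" % offer["HowToEncrypt"])
    if offer.get("HowToAuthMsgs") in LEGACY_AUTHMSGS:
        warnings.append("HowToAuthMsgs %s is a legacy hash" % offer["HowToAuthMsgs"])
    if "SharedKey" in rule and offer.get("HowToAuthPeers") == "RsaSignature":
        warnings.append("SharedKey configured but peers are authenticated by RsaSignature; "
                        "the preshared key is unused")
    return warnings


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    remote = ("X500dn", "CN=ZoneB Cert,T=IKE ServerB,OU=endicott,O=ibm,C=US")
    hit = select_rule(pol, ("IpAddr", "9.2.2.2"), "9.2.2.2", remote, "9.4.4.4")
    name, rule, action = hit
    print("matched", name, "->", rule["KeyExchangeActionRef"])
    for w in lint_rule(rule, action):
        print("warning:", w)
    print("9.5.4.4 matches:", select_rule(pol, ("IpAddr", "9.2.2.2"), "9.2.2.2", remote, "9.5.4.4"))
```

Because `select_rule` walks the list in file order and stops at the first hit, a broad rule placed above a narrower one will shadow it, which is why rule order matters in the real policy just as it does here.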