Internet Key Exchange tunnel support
IKE tunnels are based on the Internet Security Association and Key Management Protocol (ISAKMP)/Oakley standards developed by the IETF. With this protocol, security parameters are negotiated and refreshed, and keys are exchanged securely.
The following types of authentication are supported:
- Preshared key.
- X.509v3 digital certificate signatures.
- On AIX® 6.1 TL 04 or later, IKEv2 also supports ECDSA-256 signatures as part of the X.509v3 digital certificate authentication method.
The negotiation uses a two-phase approach. Phase 1 authenticates the communicating parties, and specifies the algorithms to be used for securely communicating in phase 2. During phase 2, IP Security parameters to be used during data transfer are negotiated, and security associations and keys are created and exchanged.
The following table shows the authentication and encryption algorithms that can be used with the AH and ESP security protocols for IKE tunnel support. AH provides integrity only, so the encryption and combined-mode algorithms are available with ESP only.
| Algorithm | AH IP Version 4 & 6 | ESP IP Version 4 & 6 |
|---|---|---|
| HMAC MD5 | X | X |
| HMAC SHA1 | X | X |
| DES CBC 8 | | X |
| Triple DES CBC | | X |
| AES CBC (128, 192, 256) | | X |
| ESP Null | | X |
| AES-XCBC-MAC-96 | X | X |
| AES GCM (128, 192, 256) | | X |
| AES GMAC (128, 192, 256) | | X |
| ESP_ENCR_NULL_AUTH_AES_GMAC | | X |
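A pre-deployment sanity check for a phase 2 (IPsec SA) proposal against the table above, as an added example that is not part of the AIX documentation. The function name, the severity labels and the set of algorithms treated as legacy are this example's own assumptions; the algorithm names come from the table.

```python
# Added example (not from the AIX documentation): check a phase 2 proposal
# against the AH/ESP algorithm table before it is loaded into a tunnel.

# Integrity algorithms usable with both AH and ESP (from the table).
AUTH_ALGS = {"HMAC MD5", "HMAC SHA1", "AES-XCBC-MAC-96"}
# Confidentiality algorithms, ESP only; AH carries no encryption.
ENCR_ALGS = {"DES CBC 8", "Triple DES CBC", "AES CBC", "ESP Null"}
# Combined-mode algorithms, ESP only; they provide their own integrity.
COMBINED_ALGS = {"AES GCM", "AES GMAC", "ESP_ENCR_NULL_AUTH_AES_GMAC"}
# ESP choices that leave the payload unencrypted (integrity only).
NO_CONF_ALGS = {"ESP Null", "AES GMAC", "ESP_ENCR_NULL_AUTH_AES_GMAC"}
# Supported but weak by current standards: an assumption of this example.
LEGACY_ALGS = {"HMAC MD5", "DES CBC 8", "Triple DES CBC"}


def check_proposal(protocol, encr=None, auth=None):
    """Return 'ERROR: ...' / 'WARN: ...' findings; an empty list means acceptable."""
    findings = []
    if protocol == "AH":
        if encr is not None:
            findings.append("ERROR: AH provides integrity only, it cannot carry an encryption algorithm")
        if auth not in AUTH_ALGS:
            findings.append(f"ERROR: {auth!r} is not a supported AH integrity algorithm")
    elif protocol == "ESP":
        if encr in COMBINED_ALGS:
            if auth is not None:
                findings.append(f"WARN: {encr} is combined-mode; separate integrity algorithm {auth!r} is redundant")
        elif encr in ENCR_ALGS:
            if auth not in AUTH_ALGS:
                findings.append(f"ERROR: {encr} needs a supported integrity algorithm, got {auth!r}")
        else:
            findings.append(f"ERROR: {encr!r} is not a supported ESP algorithm")
        if encr in NO_CONF_ALGS:
            findings.append(f"WARN: {encr} gives integrity only, no confidentiality for the payload")
    else:
        findings.append(f"ERROR: unknown protocol {protocol!r}")
    # Flag legacy algorithms whether they appear as cipher or integrity choice.
    for alg in (encr, auth):
        if alg in LEGACY_ALGS:
            findings.append(f"WARN: {alg} is supported but weak; prefer an AES-based algorithm")
    return findings


if __name__ == "__main__":
    for proposal in [("AH", None, "HMAC SHA1"), ("ESP", "AES GCM", "HMAC SHA1"),
                     ("ESP", "ESP Null", "HMAC SHA1"), ("ESP", "DES CBC 8", "HMAC MD5")]:
        print(proposal, check_proposal(*proposal) or ["OK"])
```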