Key exchange policy
A key exchange policy is required by IKE to provide dynamic key management. The policy contains the definitions about how the negotiation of keys is to be performed (using IKEv1 or IKEv2), how the negotiations are to be protected, and which hosts are allowed to negotiate keys. The absence of a key exchange policy is not considered an error, but without it, the IKE daemon is unable to provide dynamic key management.
A key exchange policy consists of an ordered list of key exchange rules. A key exchange rule consists of a set of security endpoints, and an action to be taken when the two security endpoints engage in an IKE phase 1 negotiation.
Optionally, a key exchange rule can contain a shared key known only to the two negotiating entities that are described in the rule. When an IKE negotiation is initiated, the ordered list of key exchange rules is searched for the first rule that matches, based on four criteria:
- The identity of the local IKE peer, if known
- The identity of the remote IKE peer, if known
- The location (IP address) of the local IKE peer, if needed to distinguish it or if local identity is not known
- The location (IP address) of the remote IKE peer, if needed to distinguish it or if remote identity is not known
The following sample KeyExchangeRule block allows an IKE negotiation between IKE daemons at 9.2.2.2 and 9.4.4.4. A description of each line in the sample follows the sample.
1 KeyExchangeRule ZoneB_KeyExRule1
2 {
3 LocalSecurityEndpoint
4 {
5 Identity IpAddr 9.2.2.2
6 Location 9.2.2.2
7 }
8 RemoteSecurityEndpoint
9 {
10 Identity X500dn CN=ZoneB Cert,T=IKE ServerB,OU=endicott,O=ibm,C=US
11 Location 9.4.0.0/16
12 CaLabel CA4endicott
13 }
14 KeyExchangeActionRef Gold-RSA
15 SharedKey Ascii TheEagleHasLanded
16 }
| Line | Description |
|---|---|
| 1 | The KeyExchangeRule keyword, followed by a required user-defined name. |
| 2 | An open brace ({) marks the beginning of the KeyExchangeRule statement block. |
| 3 | The LocalSecurityEndpoint statement identifies a local security endpoint, or local IKE peer. |
| 4 | An open brace ({) marks the beginning of the LocalSecurityEndpoint statement block. |
| 5 | The identity of the local security endpoint that must match this rule. The identity can be one of five types: Fqdn, IpAddr, KeyID, UserAtFqdn, or X500dn. |
| 6 | The IP address of the local IKE peer. |
| 7 | A close brace (}) marks the end of the LocalSecurityEndpoint statement block. |
| 8 | The RemoteSecurityEndpoint statement identifies a remote security endpoint, or remote IKE peer. It can also define a related group of remote IKE peers by using wildcard values for identity and location. |
| 9 | An open brace ({) marks the beginning of the RemoteSecurityEndpoint statement block. |
| 10 | The identity of the remote security endpoint that must match this rule. The identity can be one of five types: Fqdn, IpAddr, KeyID, UserAtFqdn, or X500dn. |
| 11 | The IP subnetwork (here 9.4.0.0/16) that defines a group of remote IKE peers. |
| 12 | Used only for digital signature peer authentication. Specifies the certificate authority that is advertised to the remote security endpoint as an acceptable authority. The value must be the label of a certificate authority that is defined in RACF®. The CaLabel parameter can be specified multiple times. |
| 13 | A close brace (}) marks the end of the RemoteSecurityEndpoint statement block. |
| 14 | A reference to a key exchange action that is defined elsewhere, in either the common or the stack-specific IP security configuration file. The KeyExchangeAction statement specifies the detailed parameters that govern a phase 1 negotiation between these two security endpoints, such as who can begin the negotiation and what type of encryption is used. The Gold-RSA action that this sample references is shown after this table. |
| 15 | An optional shared key, used only for pre-shared key peer authentication. Because the key is stored in clear text in the configuration file, the file must be protected from unauthorized reading. |
| 16 | A close brace (}) marks the end of the KeyExchangeRule statement block. |

The KeyExchangeAction referenced on line 14 is defined as follows. It specifies main mode both for initiating and for responding to IKEv1 negotiations, and offers 3DES encryption, SHA1 message authentication, and RSA signature peer authentication (3DES and SHA1 illustrate the syntax; both are legacy algorithms, and a production policy should offer stronger ones):

KeyExchangeAction Gold-RSA
{
  HowToInitiate main
  HowToRespondIKEv1 main
  KeyExchangeOffer
  {
    HowToEncrypt 3DES
    HowToAuthMsgs SHA1
    HowToAuthPeers RsaSignature
  }
}
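As an added example that is not part of the original page or of the product's own code, the following Python parses KeyExchangeRule blocks written in the syntax shown above and walks the ordered list to find the first rule whose local and remote security endpoints both match a negotiation, using the four criteria listed earlier. The match semantics (identity compared only when the rule names one and the peer's identity is known, location checked against a bare address or a prefix) and the second, host-specific rule in the sample policy are assumptions made for this example; the real IKE daemon's matching algorithm may differ in detail.

```python
"""Added example: parse KeyExchangeRule blocks in the syntax shown above and pick the
first rule, in policy order, that matches an IKE phase 1 negotiation (assumed semantics)."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    local: tuple                     # (identity, location) of the local IKE peer
    remote: tuple                    # (identity, location) of the remote IKE peer
    action: str                      # KeyExchangeActionRef target
    shared_key: "str | None" = None  # present only for pre-shared key authentication

# Constructed sample policy (not from a real system): a host-specific rule precedes ZoneB_KeyExRule1.
SAMPLE_POLICY = """\
KeyExchangeRule ZoneB_ServerB_Only
{
  LocalSecurityEndpoint
  {
    Identity IpAddr 9.2.2.2
    Location 9.2.2.2
  }
  RemoteSecurityEndpoint
  {
    Identity IpAddr 9.4.4.4
    Location 9.4.4.4
  }
  KeyExchangeActionRef Gold-PSK
  SharedKey Ascii TheEagleHasLanded
}
KeyExchangeRule ZoneB_KeyExRule1
{
  LocalSecurityEndpoint
  {
    Identity IpAddr 9.2.2.2
    Location 9.2.2.2
  }
  RemoteSecurityEndpoint
  {
    Identity X500dn CN=ZoneB Cert,T=IKE ServerB,OU=endicott,O=ibm,C=US
    Location 9.4.0.0/16
    CaLabel CA4endicott
  }
  KeyExchangeActionRef Gold-RSA
}
"""

def parse_blocks(text):
    """Return [(keyword, args, children)]; a '{' after a statement opens its children."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    pos = 0
    def block():
        nonlocal pos
        items = []
        while pos < len(lines) and lines[pos] != "}":
            keyword, _, args = lines[pos].partition(" ")
            pos += 1
            children = None
            if pos < len(lines) and lines[pos] == "{":
                pos += 1
                children = block()
                pos += 1                               # consume the matching '}'
            items.append((keyword, args, children))
        return items
    return block()

def _endpoint(items):
    """Return (identity, location) from a *SecurityEndpoint block; None = not constrained."""
    identity = location = None
    for keyword, args, _ in items:
        if keyword == "Identity":
            identity = tuple(args.split(" ", 1))       # e.g. ("IpAddr", "9.2.2.2")
        elif keyword == "Location":                    # bare address is a /32, prefix is a group
            location = ipaddress.ip_network(args, strict=False)
    return identity, location

def load_rules(text):
    rules = []
    for keyword, name, children in parse_blocks(text):
        if keyword != "KeyExchangeRule":
            continue
        stmts = {k: (a, c) for k, a, c in children}    # repeated CaLabel values are not used
        shared = stmts.get("SharedKey", ("", None))[0].partition(" ")[2] or None
        rules.append(Rule(name, _endpoint(stmts["LocalSecurityEndpoint"][1]),
                          _endpoint(stmts["RemoteSecurityEndpoint"][1]),
                          stmts["KeyExchangeActionRef"][0], shared))
    return rules

def _endpoint_matches(ep, identity, addr):
    """Identity compared only when the rule names one and the peer's is known; else location."""
    rule_id, rule_loc = ep
    if rule_id is not None and identity is not None and rule_id != identity:
        return False
    return rule_loc is None or ipaddress.ip_address(addr) in rule_loc

def select_rule(rules, local_id, local_addr, remote_id, remote_addr):
    """First rule in policy order whose local and remote endpoints both match."""
    for rule in rules:
        if (_endpoint_matches(rule.local, local_id, local_addr)
                and _endpoint_matches(rule.remote, remote_id, remote_addr)):
            return rule
    return None
```

Calling `select_rule(load_rules(SAMPLE_POLICY), ("IpAddr", "9.2.2.2"), "9.2.2.2", ("IpAddr", "9.4.4.4"), "9.4.4.4")` returns the host-specific rule because it comes first; a peer at 9.4.7.8 presenting the X500dn identity falls through to ZoneB_KeyExRule1 via the 9.4.0.0/16 location, a peer at 9.5.0.1 matches nothing, and a peer whose identity is not yet known is matched on location alone, which is why rule order matters when a narrow rule and a wide rule cover overlapping addresses.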