SunScreen 3.2 Installation Guide

Creating Encryption Certificates

This section describes how to set up encrypted communication between the Administration Station and the Screen.

The following is a list of limitations and requirements:

After installing the appropriate software on both systems, create the IKE self-generated certificates on the systems as described in the following sections.

To Create Certificates on the Administration Station
  1. When using IKE self-generated certificates, after installing the appropriate SunScreen software on both Screens, create the certificates on both systems (see "To Create Remote Administration Screen IKE Self-Generated Certificates" and "To Create the Firewall Screen's IKE Self-Generated Certificate").

  2. When using SKIP UDH keys and certificates to encrypt the communication between the Administration Station and the Screen, create them as described in "To Create SKIP UDH Key and Certificates".

  3. When using SKIP CA-issued private keys and certificates, load them as described in "To Load SKIP CA-Issued Private Key and Certificates".

To Create Remote Administration Screen IKE Self-Generated Certificates
  1. On the Remote Administrative Screen, create the IKE self-generated certificate by typing:


    # ssadm certlocal -Iks -m 512 -t rsa-md5 -D "C=US, 
    O=YOUR_ORG, CN=admin_name"
    
  2. Export the administrative Screen's certificate to a file by typing:


    # ssadm certdb -I -e "C=US, O=YOUR_ORG, 
    CN=admin_name" > /tmp/admin_cert
    
  3. Import the firewall Screen's certificate by typing:


    # ssadm certdb -I -a < /tmp/screen_cert
    then, using ssadm edit:
    edit > add certificate admin_cert SINGLE IKE "C=US, O=YOUR_ORG, 
    CN=admin_name"
    edit > add certificate screen_cert SINGLE IKE "C=US, O=YOUR_ORG, 
    CN=screen_name"

    The distinguished name given to add certificate must be exactly the name the certificate was generated with (the -D argument to ssadm certlocal); otherwise the certificate object does not refer to the certificate you imported.
    
  4. Add a packet filter rule like the following:


    1 "remote administration" "admin_address" "screen_address" 
    IPSEC ESP("DES-CBC", "MD5") AH("SHA1") IKE("DES-CBC", "MD5", 
    1, RSA-SIGNATURES, "admin_cert", "screen_cert") ALLOW
    

    See "Packet Filtering Rules" in SunScreen 3.2 Administration Guide.

  5. Mark the Screen's certificate as trusted by typing:


    > add member certificate "IKE manually verified certificates" 
    "screen_cert"
    

  6. Activate the policies.

To Create the Firewall Screen's IKE Self-Generated Certificate
  1. On the firewall Screen, create the IKE self-generated certificate by typing:


    # ssadm certlocal -Iks -m 512 -t rsa-md5 -D 
    "C=US, O=YOUR_ORG, CN=screen_name"
    
  2. Export the firewall Screen's IKE certificate to a file by typing:


    # ssadm certdb -I -e "C=US, O=YOUR_ORG, 
    CN=screen_name" > /tmp/screen_cert
    
  3. Import the administrative Screen's certificate by typing:


    # ssadm certdb -I -a < /tmp/admin_cert
    then, using ssadm edit:
    edit > add certificate admin_cert SINGLE IKE 
    "C=US, O=YOUR_ORG, CN=admin_name"
    edit > add certificate screen_cert SINGLE IKE 
    "C=US, O=YOUR_ORG, CN=screen_name"
    
  4. Add the administrative Screen's IP address as an address object.

  5. Add the administrative Screen as a screen object and allow routing traffic and the naming service.

  6. Edit the firewall Screen's screen object: on the Primary/Secondary tab, set the remote administrative Screen's IP address as the administrative IP address, and in the IKE administrative certificate field add the firewall Screen's certificate.

  7. Mark the administrative certificate as trusted by typing:


    > add member certificate "IKE manually verified certificates" 
    "admin_cert"
  8. Add a remote access rule: select the Administrative Access tab and, under the Access Rules for Remote Administration table, click the Add New Rule button. Fill in the following:


    screen: screen_name
    address object: remote admin address
    user: admin
    access level: all
    encryption: IPSEC IKE
  9. Select the algorithms that match the packet filtering rule on the remote administrative Screen, and set the source certificate to screen_cert.

  10. On the Options tab, set the source screen to screen_name.

    When finished, you should have a remote access rule like the following:


    1 SCREEN "screen_name" USER "admin" "admin_addr" 
    IPSEC ESP("DES-CBC", "MD5") AH("SHA1") IKE("DES-CBC", "MD5", 
    1, RSA-SIGNATURES, "screen_cert") PERMISSION ALL


    Note -

    No packet filtering rule is required on the firewall Screen.


  11. Activate the policies.

The following command-line examples show how to use IKE from the SunScreen command line in this release:

To Use IPsec Manual Keying

The following is an example of adding manual IPsec rules:

  1. Add manual keys on both Screens using ssadm edit or the administration GUI.


    edit> add key "key_des" SINGLE "1234567812345678"
    edit> add key "key_ah" SINGLE "1234567890abcdef1234567890abcdef"
    
  2. Add rules like the following using keys added on both Screens.

    1. On Screen1:


      1 "telnet" "screen1_host" "screen2_host" IPSEC ESP(0x123, "DES-CBC", 
      "key_des") AH(0x345, "MD5", "key_ah") SOURCE_SCREEN "screen1" ALLOW
      2 "telnet" "screen2_host" "screen1_host" IPSEC ESP(0x123, "DES-CBC", 
      "key_des") AH(0x345, "MD5", "key_ah") DESTINATION_SCREEN "screen1" ALLOW
      
    2. On Screen2:


      1 "telnet" "screen2_host" "screen1_host" IPSEC ESP(0x123, "DES-CBC", 
      "key_des") AH(0x345, "MD5", "key_ah") SOURCE_SCREEN "screen2" ALLOW
      2 "telnet" "screen1_host" "screen2_host" IPSEC ESP(0x123, "DES-CBC", 
      "key_des") AH(0x345, "MD5", "key_ah") DESTINATION_SCREEN "screen2" ALLOW
      

    The hex values 0x123 and 0x345 are SPI values; they must be between 0x000 and 0xFFF. Both Screens must use the same SPI, algorithm and key for each security association. If you choose different algorithms, such as 3DES-CBC or SHA1, you must define manual keys of the proper length. Expressed as hex strings, the required lengths are:

    • DES-CBC: 16

    • 3DES-CBC: 48

    • MD5: 32

    • SHA1: 40

  3. Save and activate the policy.

To Use IKE Rules With Pre-Shared Key
  1. Add the pre-shared secret key on both Screens. The value is a hex string and must be identical on both sides; choose a random value rather than a word.


    edit> add key "shared-secret" SINGLE "shared_secret"
    
  2. Add rules like the following using keys added on both Screens.

    • On Screen1:


      1 "telnet" "screen1_host" "screen2_host" 
      IPSEC ESP("DES-CBC") IKE("DES-CBC", "MD5", 2, PRE-SHARED, 
      "shared-secret") SOURCE_SCREEN "screen1" ALLOW
      2 "telnet" "screen2_host" "screen1_host" IPSEC 
      ESP("DES-CBC") IKE("DES-CBC", "MD5", 2, PRE-SHARED, 
      "shared-secret") DESTINATION_SCREEN "screen1" ALLOW
      
    • On Screen2:


      1 "telnet" "screen2_host" "screen1_host" 
      IPSEC ESP("DES-CBC") IKE("DES-CBC", "MD5", 2, PRE-SHARED, 
      "shared-secret") SOURCE_SCREEN "screen2" ALLOW
      2 "telnet" "screen1_host" "screen2_host" 
      IPSEC ESP("DES-CBC") IKE("DES-CBC", "MD5", 2, PRE-SHARED, 
      "shared-secret") DESTINATION_SCREEN "screen2" ALLOW
      
  3. Save and activate policy.

To Use Windows 2000 to Communicate With Solaris SunScreen Using an IKE Pre-Shared Key

The following procedure describes how to configure IPsec and IKE on a Windows 2000 system.

  1. Start the MMC console: click Start, then Run, and type mmc.

    MMC console menu appears.

  2. Select Add/Remove snap-in (Ctrl+m).

  3. Under Add/Remove snap-in window, click on Add.

  4. Scroll down and select IP Security Policy Management, and click on Add.

    The Select Computer window appears.

  5. In the Select Computer window, click Finish, then click Close to close the Add standalone snap-in window.

  6. On the Add/Remove snap-in window, click OK to close it.

    The original Console Root window reappears.

  7. In the Console Root window, select IP Security Policies on Local Machine.

  8. Right-click to bring up a menu and select Create IP Security Policy.

    The IP Security Policy Wizard window appears.

  9. In the IP Security Policy Wizard window, click Next to continue.

    The IP Security Policy Name window appears.

  10. In the IP Security Policy Name window, fill in the name of the policy you want, and click Next to continue.

    The Request for Secure Communication appears.

  11. In the Request for Secure Communication window, click Next to continue.

    The Default Response Rule Authentication Method window appears.

  12. In the Default Response Rule Authentication Method window, select Use this string ... and enter 'ABCDEFGH' in the field, and click Next, then click Finish.

    The Mypolicy Properties window with the Rules panel appears.


    Note -

    The pre-shared key configured on SunScreen is the hex string 4142434445464748; Windows takes the same key as text, so it maps to 'ABCDEFGH' (0x41 is 'A', 0x42 is 'B', and so on). The two sides must agree byte for byte.


  13. In the Mypolicy Properties window, click on Add.

    The Security Rule Wizard window appears.

  14. In the Security Rule Wizard window, click Next to continue.

    The Tunnel Endpoint window appears.

  15. Leave the Tunnel Endpoint window unchanged and click Next to continue.

    The Network Type window appears.

  16. Leave the Network Type window unchanged and click Next to continue.

    The Authentication Method window appears.

  17. In the Authentication Method window, select Use this string ... and enter 'A' in the field, and click Next to continue.

    The IP Filter List window appears.

  18. In the IP Filter List window, click Add to bring up the window in which you name the filter.

  19. Under the Name field, enter the name of the IP filter you want and click Add.

    The IP Filter Wizard window appears.

  20. In the IP Filter Wizard window, click Next to continue.

    The IP Traffic Source window appears.

  21. Leave the IP Traffic Source window set to 'my IP address,' and click Next to continue.

    The IP Traffic Destination window appears.

  22. In the IP Traffic Destination window, select a specific IP address from the pull-down menu and fill in the IP address of the host with which you want to establish a transport path, and click Next to continue.

    The IP Protocol Type window appears.

  23. Leave the IP Protocol Type window unchanged and click Next to continue.

  24. Click Finish to close the IP Filter Wizard.

  25. Click Close to close the window in which you named the filter.

    The IP Filter List window appears with the filter you just added listed.

  26. In the IP Filter List window, select the filter you just added and click Next to continue.

    The Filter Action window appears.

  27. In the Filter Action window, select Require Security and click Next to continue.

    The last window of the Security Rule Wizard appears.

  28. In this last window of the Security Rule Wizard, click Next to continue.

    The Mypolicy Properties window appears with both myfilter and Dynamic selected under the IP Filter List.

  29. In the Mypolicy Properties window, deselect Dynamic and click Close.

    The original Console Root window appears.

  30. In the Console Root window, select the IP Security Policies on Local Machine entry showing in the left panel under the console root tree.

  31. Select the mypolicy entry that shows in the right side of the window, right-click it, and select Assign.

    The policy is now assigned. On Windows 2000, only one IPsec policy can be assigned at a time.

This completes setting up an IPsec policy on Windows 2000 that uses IKE with the pre-shared key 'A' to set up a transport-mode protected path between the Windows 2000 machine and the SunScreen-protected machine. Whichever string you enter in the Windows dialog, the key object on the SunScreen side must hold the hex encoding of exactly that string.
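The note in step 12 gives the mapping between the hex key on SunScreen and the text key on Windows. The POSIX shell functions below are an added example, not part of the guide or of either product: they convert a key between the two forms, reject keys containing bytes that cannot be typed into the Windows dialog (a key generated as raw random bytes usually cannot be), and pick a random key that is typeable. The function names are this example's own; the mapping itself (0x41 to 'A') is the one the guide's note states.

```shell
#!/bin/sh
# Added example, not from the SunScreen guide or either product: convert a
# SunScreen IKE pre-shared key between its hex form (the SunScreen `add key`
# value) and the text form Windows 2000 takes, following the mapping in the
# guide's note (0x41 -> 'A'). Function names are this example's own.

# Return 0 if the argument is a non-empty, even-length hex string.
valid_hex() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ $(( ${#1} % 2 )) -eq 0 ]
}

# hex -> text, one byte at a time. Octal escapes are used because \x escapes
# are not portable across printf implementations.
hex_to_ascii() {
    h=$1
    valid_hex "$h" || { echo "bad hex key: '$h'" >&2; return 1; }
    out=""
    while [ -n "$h" ]; do
        rest=${h#??}; byte=${h%"$rest"}; h=$rest
        oct=$(printf '%03o' "$((0x$byte))")
        out="$out$(printf "\\$oct")"
    done
    printf '%s\n' "$out"
}

# text -> hex (lowercase), for the SunScreen `add key ... SINGLE "<hex>"` line.
ascii_to_hex() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
    echo
}

# Return 0 if every byte is printable ASCII (0x20-0x7e) and so can be typed
# into the Windows dialog; a key with any other byte cannot be entered there.
is_typeable() {
    h=$1
    valid_hex "$h" || return 1
    while [ -n "$h" ]; do
        rest=${h#??}; byte=${h%"$rest"}; h=$rest
        v=$((0x$byte))
        if [ "$v" -lt 32 ] || [ "$v" -gt 126 ]; then
            return 1
        fi
    done
    return 0
}

# Pick a random key of N bytes that is typeable on Windows: rejection-sample
# /dev/urandom bytes, keeping 0x21-0x7e (space excluded so that nothing is
# trimmed by a dialog). Output is hex for the SunScreen side; run
# hex_to_ascii on it to get the string to type on Windows.
gen_psk_hex() {
    n=${1:-16}; out=""
    while [ "${#out}" -lt $((n * 2)) ]; do
        v=$(od -An -N1 -tu1 /dev/urandom | tr -d ' \n')
        if [ "$v" -ge 33 ] && [ "$v" -le 126 ]; then
            out="$out$(printf '%02x' "$v")"
        fi
    done
    printf '%s\n' "$out"
}

# Demonstration with the guide's example key.
if [ "${1:-}" = demo ]; then
    hex_to_ascii 4142434445464748      # ABCDEFGH
    ascii_to_hex ABCDEFGH              # 4142434445464748
fi
```

The practical order is to run gen_psk_hex first, put the hex output in the SunScreen add key line, and type the hex_to_ascii form of it into both Windows authentication dialogs; an eight-character key such as the guide's example is far too short for a real deployment.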

To Generate IKE Rules With Self-Generated Certificates
  1. Generate certificates or private keys on both Screens using ssadm certlocal:

    1. On Screen1:


      # ssadm certlocal -Iks -m 512 -t rsa-md5 -D 
      "C=US,O=YourOrg, CN=screen1_name"
      
    2. On Screen2:


      # ssadm certlocal -Iks -m 512 -t rsa-md5 -D 
      "C=US,O=YourOrg, CN=screen2_name"
      
  2. Export the certificates to the other Screen.

    1. On Screen1:


      # ssadm certdb -I -e "SUBJECT=C=US, 
      O=YourOrg, CN=screen1_name" > /tmp/cert1
      
    2. On Screen2:


      # ssadm certdb -I -e "SUBJECT=C=US, 
      O=YourOrg, CN=screen2_name" > /tmp/cert2 
      
  3. Securely transport the file /tmp/cert1 to Screen2 and /tmp/cert2 to Screen1. These certificates are self-signed, so the transport channel is the only thing that prevents substitution; do not send them over a network you do not trust without checking that they arrived unaltered.

  4. Import the exported certificate to the Screen certificate database.

    1. On Screen2:


      # ssadm certdb -I -a < /tmp/cert1
      
    2. On Screen1:


      # ssadm certdb -I -a < /tmp/cert2
      
  5. Add Certificate objects on both systems:


    > add certificate "screen1_cert" SINGLE IKE "C=US, 
    O=YourOrg,CN=screen1_name"
    > add certificate "screen2_cert" SINGLE IKE "C=US, 
    O=YourOrg,CN=screen2_name"
    
  6. Mark the certificate you imported in Steps 3 and 4 as trusted on both systems using ssadm edit:

    1. On Screen1:


      > add member certificate "IKE manually verified 
      certificates" "screen2_cert"
      
    2. On Screen 2:


      > add member certificate "IKE manually verified 
      certificates" "screen1_cert"
      

      Note -

      The Group name "IKE manually verified certificates" is reserved for a trusted Certificate Group.


  7. Add Packet Filtering rules on both Screens.

    1. On Screen1:


      1 "telnet" "screen1_host" "screen2_host" 
      IPSEC ESP("DES-CBC") IKE("DES-CBC", "MD5", 2, RSA-SIGNATURES, 
      "screen1_cert", "screen2_cert") ALLOW
      2 "telnet" "screen2_host" "screen1_host" 
      IPSEC ESP("DES-CBC") IKE("DES-CBC", "MD5", 2, RSA-SIGNATURES, 
      "screen2_cert", "screen1_cert") ALLOW
      
    2. On Screen2:


      1 "telnet" "screen2_host" "screen1_host" 
      IPSEC ESP("DES-CBC") IKE("DES-CBC", "MD5", 2, RSA-SIGNATURES, 
      "screen2_cert", "screen1_cert") ALLOW
      2 "telnet" "screen1_host" "screen2_host" 
      IPSEC ESP("DES-CBC") IKE("DES-CBC", "MD5", 2, RSA-SIGNATURES, 
      "screen1_cert", "screen2_cert") ALLOW
      
  8. Save and activate the policy.

    Refer to the man page of ssadm-certlocal(1M) and ssadm-certdb(1M) for more information.

To Generate IKE Rules With Issued Certificates
  1. Generate keys and certificate requests on each Screen.

    1. On Screen1:


      # ssadm certlocal -Ikc -m 512 -t rsa-md5 -D 
      "C=US, O=YourOrg,CN=screen1_issued"
      
    2. On Screen2:


      # ssadm certlocal -Ikc -m 512 -t rsa-md5 -D 
      "C=US, O=YourOrg,CN=screen2_issued"
      
  2. Bring the requests to a certificate server and have them signed. You receive three certificate files from the CA:

    • screen1_issued.cert: screen1's cert

    • screen2_issued.cert: screen2's cert

    • root.cert: the CA's cert

    Further detailed instructions on this step depends on your certificate server.

  3. Securely transport the three files to /tmp on each Screen and import them. Import all three certificates on each Screen:


    # ssadm certdb -I -a < /tmp/screen1_issued.cert
    # ssadm certdb -I -a < /tmp/screen2_issued.cert
    # ssadm certdb -I -a < /tmp/root.cert
    

    In this example, assume you are using a certificate server whose CA subject DN is "C=US, O=YourOrg.com, OU=sunscreen, CN=Certificate Manager".

  4. Add Certificate objects on each Screen and mark the root CA as trusted. On each Screen:


    edit> add certificate root_cert SINGLE IKE "C=US, 
    O=YourOrg.com, OU=sunscreen, CN=Certificate Manager"
    edit> add certificate screen2_issued_cert SINGLE IKE "C=US, 
    O=YourOrg, CN=screen2_issued"
    edit> add certificate screen1_issued_cert SINGLE IKE 
    "C=US, O=YourOrg, CN=screen1_issued"
    edit> add member certificate "IKE root CA certificates" root_cert
    

    Note -

    The Group name "IKE root CA certificates" is reserved for a trusted Certificate Group.


  5. Add Packet Filtering rules on both Screens.

    1. On Screen1:


      1 "telnet" "screen1_host" "screen2_host" IPSEC ESP("DES-CBC") 
      IKE("DES-CBC", "MD5", 2, RSA-SIGNATURES, "screen1_issued_cert", 
      "screen2_issued_cert") ALLOW
      2 "telnet" "screen2_host" "screen1_host" IPSEC ESP("DES-CBC") 
      IKE("DES-CBC", "MD5", 2, RSA-SIGNATURES, "screen2_issued_cert", 
      "screen1_issued_cert") ALLOW
      
    2. On Screen2:


      1 "telnet" "screen2_host" "screen1_host" IPSEC ESP("DES-CBC") 
      IKE("DES-CBC", "MD5", 2, RSA-SIGNATURES, "screen2_issued_cert", 
      "screen1_issued_cert") ALLOW
      2 "telnet" "screen1_host" "screen2_host" IPSEC ESP("DES-CBC") 
      IKE("DES-CBC", "MD5", 2, RSA-SIGNATURES, "screen1_issued_cert", 
      "screen2_issued_cert") ALLOW
      
  6. Save and activate the policy.
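Step 3 of both the self-generated and the issued-certificate procedures above says to transport the certificate files securely, and the "IKE manually verified certificates" group records that you, not a CA, vouched for a self-generated certificate (for issued certificates the same applies to root.cert). What makes that vouching meaningful is comparing a fingerprint of the file, read over a channel separate from the network, before it is imported. The POSIX shell script below is an added example, not part of the guide or product: cert_fingerprint, verify_before_import, import_if_verified and run_demo are its own names, the sample file is constructed placeholder bytes rather than a real export, and the actual ssadm certdb -I -a import (the guide's own command) is left commented out so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not from the SunScreen guide: out-of-band fingerprint check
# for a certificate file before it is imported with `ssadm certdb -I -a`.
# Whoever exports the certificate runs cert_fingerprint and passes the value
# over a channel the network attacker does not control (phone, signed mail);
# the importing side runs verify_before_import and imports only on a match.
# The sample "certificate" in run_demo is constructed placeholder text, not a
# real SunScreen export. Function names are this example's own.

# SHA-256 of a file as lowercase hex, using whichever digest tool exists.
cert_fingerprint() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$f" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$f" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$f" | sed 's/.*= //'
    fi
}

# Compare the received file against the fingerprint read out of band.
# Returns 0 only on an exact match; the expected value is normalized
# (case, spaces, colons) so a value read aloud or typed by hand still matches.
verify_before_import() {
    f=$1; expected=$2
    have=$(cert_fingerprint "$f") || return 1
    want=$(printf '%s' "$expected" | tr -d ' :' | tr 'A-F' 'a-f')
    if [ "$have" = "$want" ]; then
        echo "fingerprint OK: $f"
        return 0
    fi
    echo "FINGERPRINT MISMATCH for $f: got $have, expected $want" >&2
    echo "refusing to import; the file may have been altered in transit" >&2
    return 1
}

# Import only after the check passes. The real import is the guide's own
# command; it is commented out here so this example runs without SunScreen.
import_if_verified() {
    verify_before_import "$1" "$2" || return 1
    # ssadm certdb -I -a < "$1"
    echo "would run: ssadm certdb -I -a < $1"
}

# Demonstration on constructed data: an "export" and a tampered copy of it.
# Returns 0 if the genuine file is accepted and the tampered one is refused.
run_demo() {
    demo_dir=$(mktemp -d) || return 1
    printf 'CONSTRUCTED SAMPLE, NOT A REAL CERTIFICATE\nCN=screen1_name\n' \
        > "$demo_dir/cert1"
    fp=$(cert_fingerprint "$demo_dir/cert1")      # value read out of band
    # A one-byte change anywhere in the file changes the fingerprint entirely.
    sed 's/screen1_name/screen1_namf/' "$demo_dir/cert1" > "$demo_dir/cert1.tampered"
    import_if_verified "$demo_dir/cert1" "$fp" || { rm -rf "$demo_dir"; return 1; }
    if import_if_verified "$demo_dir/cert1.tampered" "$fp" 2>/dev/null; then
        rm -rf "$demo_dir"; return 1            # must not happen
    fi
    echo "tampered copy rejected"
    rm -rf "$demo_dir"
}

if [ "${1:-}" = demo ]; then
    run_demo
fi
```

On the exporting Screen, run cert_fingerprint /tmp/cert1 and record the value; on the receiving Screen, run import_if_verified /tmp/cert1 "<value>" with the comment on the ssadm line removed, and only then add the certificate to the "IKE manually verified certificates" (or "IKE root CA certificates") group.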

To Install a Remote Administration Station Using IKE

These instructions apply to using SunScreen on a Solaris-based system only. Because the Solaris operating environment does not yet support IKE, there is no built-in facility for generating IKE certificates on a remote Administration Station, so you must install the Screen packages as well as the administration packages on your system.

  1. On the Screen

    1. Install the full Screen software. Create a self-generated Screen certificate using the GUI, or the command line, as follows:


      # ssadm certlocal -Iks -m 512 -t rsa-md5 -D 
      "C=US, O=YOUR_ORG, CN=screen_name"
      
    2. Export the Screen certificate to a file using the GUI, or the command line editor:


      # ssadm certdb -Ie "C=US, O=YOUR_ORG, 
      CN=screen_name" > /tmp/screen_cert
      
    3. Import Administration Station certificate using the GUI, or the command line editor and add the Certificate objects into the SunScreen configuration:


      # ssadm certdb -Ia < /tmp/admin_cert
      
    4. Mark the administrative certificate as trusted and edit the SunScreen policy for certificates.


      # ssadm edit
      edit> add certificate admin_cert SINGLE IKE 
      "C=US, O=YourOrg, CN=admin_name"
      edit> add certificate screen_cert SINGLE IKE 
      "C=US, O=YourOrg, CN=screen_name"
      edit> add member certificate "IKE manually verified certificates" 
      "admin_cert"
      edit> add address admin_addr HOST
      edit> add accessremote USER "admin" "admin_addr" 
      IPSEC ESP ("DES-CBC", "MD5") AH ("SHA1") IKE("DES-CBC", "MD5", 
      1, RSA-SIGNATURES, "screen_cert") PERMISSION ALL 
      SCREEN "screen_name"
      edit> add screen "screen_name" ADMIN_IP 
      "admin_addr" IKE(screen_cert) RIP
      

      Note -

      No packet filtering rule is required on the Screen.


    5. Save and activate policy.

  2. On the Remote Administration Station

    1. Install the full Screen software

    2. Create a self-generated Screen Certificate:


      # ssadm certlocal -Iks -m 512 -t rsa-md5 -D 
      "C=US, O=YOUR_ORG, CN=admin_name"
      
    3. Export the Administration Certificate to a file using the GUI or use the command line editor as follows:


      # ssadm certdb -Ie "C=US, O=YOUR_ORG, 
      CN=admin_name" > /tmp/admin_cert
      
    4. Import Screen Certificate using the GUI or command line editor:


      # ssadm certdb -I -a < /tmp/screen_cert
      
    5. Edit the SunScreen policy for certificates:


      # ssadm edit
      edit> add certificate admin_cert SINGLE IKE 
      "C=US, O=YourOrg, CN=admin_name"
      edit> add member certificate "IKE manually verified certificates" 
      "admin_cert"
      edit> add certificate screen_cert SINGLE IKE 
      "C=US, O=YourOrg, CN=screen_name"
      edit> add address admin_addr HOST
      edit> add address screen_addr HOST
      
    6. Add a packet filter rule like the following:


      edit> add rule "remote administration" "admin_addr" 
      "screen_addr" IPSEC ESP("DES-CBC", "MD5") AH("SHA1") IKE("DES-CBC", 
      "MD5", 1, RSA-SIGNATURES, "admin_cert", 
      "screen_cert") ALLOW
      
    7. Save and activate the policy.

      Unless you have just done a fresh SunScreen install, clear the state and SADB using ssadm lib/statetables -fs on both systems.


      Note -

      There is a problem on stealth Administration Stations using IKE where the compiler does not generate the IKE configuration, which forces you to manually create an IKE configuration file.


To Create SKIP UDH Key and Certificates

Note -

The SKIP command to run on the Administration Station is displayed at the end of the AdminSetup.readme file, which is found in the /etc/sunscreen directory. Write this command down for use in the following procedure.

If you trust that the network between the Screen and the Administration Station is secure, you can use ftp to send the AdminSetup.readme file, which contains the identitydb.obj file, from the Screen to the Administration Station. This saves you the task of writing down the information that is required in the next procedure. Note that ftp sends the file in the clear, so do not do this over a network you do not trust. For information about creating SKIP UDH keys and certificates, see "To Distribute the identitydb.obj File" in the SunScreen 3.2 Administration Guide.


  1. Open a terminal window and create the required SKIP directories by typing:


    # skiplocal -i
    
  2. Create the SKIP UDH key and certificate on the Administration Station by typing:


    # skiplocal -k -f -V
    

    The local certificate ID appears. It is the Administration Station's 32-character certificate ID (MKID).

  3. Write down the certificate ID, which begins with 0x.

  4. Add SunScreen SKIP to all the interfaces by typing:


    # skipif -a
    
  5. Reboot to complete the installation by typing:


    # sync; init 6
    

The Administration Station's certificate ID has been generated. You next move to the Screen to install the SunScreen 3.2 software.

To Load SKIP CA-Issued Private Key and Certificates

Note -

The SKIP command to run on the Administration Station is displayed at the end of the AdminSetup.readme file, which is found in the /etc/sunscreen directory. Write this command down for use in the following procedure.

If you trust that the network between the Screen and the Administration Station is secure, you can use ftp to send the AdminSetup.readme file, which contains the identitydb.obj file, from the Screen to the Administration Station. This saves you the task of writing down the information that is required in the next procedure. Note that ftp sends the file in the clear, so do not do this over a network you do not trust. (See "To Distribute the identitydb.obj File" in the SunScreen 3.2 Administration Guide.)


For this procedure, you need your SKIP CA-Issued Private Key and Certificate diskette.

  1. Open a terminal window on your system and become root, if not already.

  2. Load the required SKIP directories by typing:


    # skiplocal -i
    
  3. Insert the SKIP CA-Issued Key and Certificate diskette into your system's diskette drive.

  4. Install the SKIP keys by typing:


    # install_skip_keys -icg /floppy/floppy0
    
  5. Start the SKIP daemon by typing:


    # skipd_restart
    
  6. Eject the SKIP CA-Issued Key and Certificate diskette by typing:


    # eject floppy0
    
  7. Write down the certificate ID, which is eight characters long.

  8. Add SKIP to all the interfaces by typing:


    # skipif -a
    
  9. Reboot to complete the installation by typing:


    # sync; init 6
    

    The Administration Station's certificate ID has been installed. You next move to the Screen to install the SunScreen 3.2 software.

To Complete the Installation When Using SKIP

To complete the installation when using SKIP for encryption, perform the following steps on the Administration Station.

  1. On the Administration Station, open a terminal window and become root.

  2. To enable unencrypted communication from the Administration Station to all hosts other than the Screen, type:


    # skiphost -a default
    
  3. Add a rule so that encrypted communication is possible between the Administration Station and the Screen by typing:


    # skiphost command_from_ssadm_configure
    

    This command is in the AdminSetup.readme file. It has the following form (shown here on several lines for readability; type it as one line):


    skiphost -a name_of_Screen -r NSID_type -R Screen's_certificate_ID 
    -s NSID_type -S Administration_Station's_certificate_ID 
    -k key_encryption_algorithm -t data_encryption_algorithm 
    -m MAC_algorithm

  4. Turn on SKIP by typing:


    If Screen has only one interface:
    # skiphost -o on
    If Screen has more than one interface, for each interface:
    # skiphost -i name_of_interface -o on
    


    Note -

    To display the interfaces, type: ifconfig -a


  5. Save the SKIP settings by typing:


    # skipif -i all -s
    

  6. Restart the SKIP daemon by typing:


    # skipd_restart
    

    Refer to the SunScreen SKIP User's Guide, Release 1.5.1 for more information on operating SunScreen SKIP, if needed.


    Note -

    After configuring SKIP, check that the encryption parameters and 32-character certificate ID (MKID) values match on both the Administration Station and the Screen.


  7. To configure and manage your Screen from your Administration Station, run a Java-enabled Web browser compliant with JDK 1.1.3 or later, and launch the administration GUI by typing the following URL:


    http://Name_of_Screen:3852/
    

See the SunScreen 3.2 Administration Guide for instructions on how to use the administration GUI.

Using IKE With SunScreen

The following information describes the IKE syntax and options and provides command line examples of policy rules that use IKE. You can also find administration GUI instructions for using IKE in the SunScreen 3.2 Administration Guide. Additionally, see the SunScreen 3.2 Configuration Examples manual for examples of using IKE for encryption.

IKE usage within SunScreen has three components:


Note -

Unlike SKIP syntax, the IPsec and IKE parameter lists use parentheses to contain them.


The possible values for authalgN and encralgN are:

For authalg*:

For encralg*:

The NULL algorithm is generally only used for testing because it exercises most of the normal code paths. However, it does not obscure the data; that is, NULL allows what is inside to be easily seen.

The AH and ESP options control the cryptographic means that are used to protect the DATA portions of network traffic. They are functional equivalents of the DATA and MAC algorithms used in SKIP.

The IKE option performs the functional equivalent of the rest of the options in SKIP, including the KEY algorithm and the naming of the certified cryptographic data to be used for configuring and securing the traffic.