The following information describes the IKE syntax and options and provides command line examples of policy rules that use IKE. You can also find administration GUI instructions for using IKE in the SunScreen 3.2 Administration Guide. Additionally, see the SunScreen 3.2 Configuration Examples manual for examples of using IKE for encryption.
IKE usage within SunScreen has three components:
The authentication header (AH)
The encryption header (ESP)
Either the AH or ESP option can be omitted, but at least one of them must be present.
In addition, the ESP header has within it an authentication option (called a combined transform).
(Required) The IKE negotiation
Possible combinations are:
IPSEC AH(authalg1) IKE(...)
IPSEC ESP(encralg1) IKE(...)
IPSEC ESP(encralg1, authalg2) IKE(...)
IPSEC AH(authalg1) ESP(encralg1) IKE(...)
IPSEC AH(authalg1) ESP(encralg1, authalg2) IKE(...)
Unlike SKIP syntax, the IPsec and IKE parameter lists are enclosed in parentheses.
The possible values for authalgN and encralgN are:
For authalgN:
MD5
SHA1
For encralgN:
DES-CBC
3DES-CBC
AES
BLOWFISH
NULL
The NULL algorithm is generally used only for testing, because it exercises most of the normal code paths without actually encrypting anything. It does not obscure the data; that is, with NULL the protected payload can be read in the clear.
The AH and ESP options control the cryptographic means that are used to protect the DATA portions of network traffic. They are functional equivalents of the DATA and MAC algorithms used in SKIP.
The IKE option performs the functional equivalent of the rest of the options in SKIP, including the KEY algorithm and the naming of the certified cryptographic data to be used for configuring and securing the traffic.
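As an added illustration (not code from the SunScreen documentation or product), the following Python function lints a single IPSEC clause against the combinations and algorithm lists above: AH or ESP may be omitted but not both, AH takes one authentication algorithm, ESP takes an encryption algorithm plus an optional authentication algorithm, IKE(...) must be present, and ESP(NULL) is flagged because it gives no confidentiality. The regular expression and message wording are this example's own assumptions, and the contents of the IKE(...) list are not parsed.

```python
import re

# Algorithm names exactly as listed in the SunScreen IKE syntax description.
AUTH_ALGS = {"MD5", "SHA1"}
ENCR_ALGS = {"DES-CBC", "3DES-CBC", "AES", "BLOWFISH", "NULL"}

# One IPSEC clause: optional AH(...), optional ESP(...), required IKE(...).
# Assumption of this example: the IKE argument list is captured but not interpreted.
_CLAUSE = re.compile(
    r"^IPSEC(?:\s+AH\(([^)]*)\))?(?:\s+ESP\(([^)]*)\))?\s+IKE\((.*)\)\s*$"
)


def _args(text):
    """Split a comma-separated parameter list into stripped, non-empty tokens."""
    return [a.strip() for a in text.split(",") if a.strip()]


def check_ipsec_clause(clause):
    """Return a list of problems found in an IPSEC clause; [] means it is acceptable."""
    problems = []
    m = _CLAUSE.match(clause.strip())
    if not m:
        return ["clause must look like: IPSEC [AH(authalg)] [ESP(encralg[, authalg])] IKE(...)"]
    ah, esp, _ike = m.groups()
    if ah is None and esp is None:
        problems.append("either AH or ESP may be omitted, but at least one must be present")
    if ah is not None:
        args = _args(ah)
        if len(args) != 1 or args[0] not in AUTH_ALGS:
            problems.append("AH takes exactly one of %s" % sorted(AUTH_ALGS))
    if esp is not None:
        args = _args(esp)
        if not 1 <= len(args) <= 2 or args[0] not in ENCR_ALGS:
            problems.append("ESP takes an encryption algorithm and an optional authentication algorithm")
        else:
            if len(args) == 2 and args[1] not in AUTH_ALGS:
                problems.append("ESP authentication algorithm must be one of %s" % sorted(AUTH_ALGS))
            if args[0] == "NULL":
                # Exercises the code path but sends the payload in the clear.
                problems.append("ESP(NULL) provides no confidentiality; use it only for testing")
    return problems


if __name__ == "__main__":
    for rule in ("IPSEC AH(SHA1) ESP(3DES-CBC, MD5) IKE(...)",
                 "IPSEC ESP(NULL) IKE(...)",
                 "IPSEC IKE(...)"):
        print(rule, "->", check_ipsec_clause(rule) or "ok")
```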