SunScreen 3.2 Administrator's Overview

IKE Options

IKE options have the form:

IKE(encralg2, authalg3, oakleygroup, PRE-SHARED, presharedkey)

or

IKE(encralg2, authalg3, oakleygroup, authmethod, srcidentity, dstidentity)


Note -

The above syntax is that used in policy rules. In the contexts of AccessRemote, Screen, and VPNgateway objects, the syntax does not allow the PRE-SHARED formulation, the srcidentity is the local Screen's identity, and there is no dstidentity value.


For IKE, the parameters given determine the mechanisms to be used to validate signed security items, and the algorithms and parameters to be used to negotiate keys and other interactions which precede the actual transmission of data. (In IKE parlance, this is called the "phase 1" negotiation; "phase 2" is the use of the negotiated key to secure the client data.)
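The two option forms above can be checked mechanically. The following parser is an added example, not SunScreen code: it splits an IKE(...) option into its fields, accepts the PRE-SHARED form only in policy rules, requires both identities in the rule form and a single local identity in the AccessRemote, Screen and VPNgateway contexts, and rejects an oakleygroup that is not a single digit. The context names, the `rule` context label, and the assumption that the object contexts still carry one srcidentity field are assumptions; the algorithm and method names used in the usage lines are constructed placeholders, since this page does not list the supported values.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Contexts in which the PRE-SHARED form is not accepted and only the local
# Screen's identity is present (assumed spelling of the object names).
OBJECT_CONTEXTS = ("AccessRemote", "Screen", "VPNgateway")

@dataclass
class IkeOption:
    encralg: str
    authalg: str
    oakleygroup: int
    authmethod: str
    srcidentity: Optional[str] = None
    dstidentity: Optional[str] = None
    presharedkey: Optional[str] = None

_IKE_RE = re.compile(r"^\s*IKE\s*\((.*)\)\s*$", re.DOTALL)

def parse_ike_option(text: str, context: str = "rule") -> IkeOption:
    """Parse one IKE(...) option string.

    context is "rule" for a policy rule, or one of OBJECT_CONTEXTS.
    Raises ValueError for a form that is not allowed in that context.
    """
    if context != "rule" and context not in OBJECT_CONTEXTS:
        raise ValueError("unknown context %r" % context)
    m = _IKE_RE.match(text)
    if not m:
        raise ValueError("not an IKE(...) option")
    fields = [f.strip() for f in m.group(1).split(",")]
    if len(fields) < 4 or any(f == "" for f in fields[:4]):
        raise ValueError("IKE option needs encralg, authalg, oakleygroup and a method")
    encralg, authalg, group, authmethod = fields[:4]
    # The Diffie-Hellman group is written as a single digit.
    if not re.fullmatch(r"\d", group):
        raise ValueError("oakleygroup must be a single digit, got %r" % group)
    rest = fields[4:]

    if authmethod.upper() == "PRE-SHARED":
        # Manual IKE key agreed out-of-band; only valid inside policy rules.
        if context != "rule":
            raise ValueError("PRE-SHARED is not allowed in %s objects" % context)
        if len(rest) != 1 or rest[0] == "":
            raise ValueError("PRE-SHARED form needs exactly one presharedkey")
        return IkeOption(encralg, authalg, int(group), "PRE-SHARED",
                         presharedkey=rest[0])

    if context == "rule":
        # Certificate form in a rule: both identities must be given.
        if len(rest) != 2 or "" in rest:
            raise ValueError("certificate form needs srcidentity and dstidentity")
        return IkeOption(encralg, authalg, int(group), authmethod, rest[0], rest[1])

    # Object contexts: only the local Screen's identity, no dstidentity.
    if len(rest) != 1 or rest[0] == "":
        raise ValueError("%s objects take only the local srcidentity" % context)
    return IkeOption(encralg, authalg, int(group), authmethod, rest[0])

if __name__ == "__main__":
    # Constructed sample values; not real SunScreen algorithm or method names.
    print(parse_ike_option("IKE(encr1, auth1, 2, PRE-SHARED, mykey)"))
    print(parse_ike_option("IKE(encr1, auth1, 2, methodX, certA, certB)"))
    print(parse_ike_option("IKE(encr1, auth1, 2, methodX, localcert)", "Screen"))
```

Feeding the parser the PRE-SHARED form with a Screen context, or a rule form with only one identity, raises ValueError with a message naming the violated restriction, which is what an administrator wants to see before the option reaches the policy.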

The lists for encralg2 and authalg3 are the same as for AH and ESP (see the third component listed for IKE usage within SunScreen).

The oakleygroup parameter represents a Diffie-Hellman Group. That parameter controls the type of cryptographic mathematics to be used in key generation. These are given as single-digit numbers. SunScreen supports:

The authmethod determines how the certified key items (for example, certificates) are to be validated. The current values are:

IKE Certificates

SINGLE IKE certificates contain a matching pattern, or even a portion of a matching pattern, that is evaluated as needed by the IKE software. IKE certificates have a variety of naming methodologies, among them DNS names of hosts, mailbox names of users (which contain DNS names), IP addresses (both V4 and V6), and X.500 composite names.

IKE certificate groups are also dissimilar from SKIP groups. In IKE, a certificate group is defined in a manner similar to that of SunScreen address objects (with some restrictions). The IKE certificate group is really just a mechanism for expressing composite names (complex patterns).

The restrictions on IKE certificate groups relate to the context in which their exclusion lists can be used. Only a top-most IKE certificate group can use exclusions; all other groups can only contain inclusions. This restriction helps avoid various bizarre naming situations that might otherwise arise.

Pre-Shared Option

The PRE-SHARED option is a degenerate key certification mechanism. This option indicates that a manual key has been defined out-of-band between the peer systems, and that key requires no further validation. It differs from purely manual keying in that only the IKE negotiation uses the manual key; IKE still negotiates and changes the keys used for data protection.

The srcidentity and dstidentity certificates refer to Certificate objects. Certificate objects so used can be either SINGLE IKE or groups of other IKE Certificate objects.


Note -

You cannot intermix IKE and SKIP certificate objects within a certificate group.
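The two structural rules on IKE certificate groups, that only the top-most group may carry exclusions and that IKE and SKIP objects cannot be mixed in one group, can be enforced before a group is used. The validator below is an added example, not SunScreen's own implementation; the object model (a name, a kind of IKE or SKIP, a SINGLE flag, include and exclude lists) and the sample objects are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class CertObject:
    name: str
    kind: str                 # "IKE" or "SKIP"
    single: bool = True       # True for a SINGLE certificate, False for a group
    includes: List[str] = field(default_factory=list)
    excludes: List[str] = field(default_factory=list)

def validate_group(root: str, objs: Dict[str, CertObject]) -> List[str]:
    """Return the rule violations found in the group tree rooted at root.

    An empty list means the group is acceptable under both rules.
    """
    problems: List[str] = []
    seen = set()

    def walk(name: str, top: bool) -> None:
        if name in seen:          # shared subgroup or cycle: already checked
            return
        seen.add(name)
        obj = objs.get(name)
        if obj is None:
            problems.append("%s: undefined certificate object" % name)
            return
        if obj.single:
            return
        # Exclusions are only permitted on the top-most group.
        if obj.excludes and not top:
            problems.append("%s: exclusions only allowed in the top-most group" % name)
        for child in obj.includes + obj.excludes:
            c = objs.get(child)
            # IKE and SKIP objects may not appear in the same group.
            if c is not None and c.kind != obj.kind:
                problems.append("%s: cannot mix %s object %s into %s group"
                                % (name, c.kind, child, obj.kind))
            walk(child, False)

    walk(root, True)
    return problems

# Constructed sample objects (not from any real SunScreen configuration).
SAMPLE = {
    "host-a":     CertObject("host-a", "IKE"),
    "host-b":     CertObject("host-b", "IKE"),
    "old-skip":   CertObject("old-skip", "SKIP"),
    "branch":     CertObject("branch", "IKE", single=False,
                             includes=["host-a", "host-b"]),
    # Top-most group: an exclusion here is allowed.
    "partners":   CertObject("partners", "IKE", single=False,
                             includes=["branch"], excludes=["host-b"]),
    # Nested group with an exclusion: not allowed once used inside another group.
    "bad-nested": CertObject("bad-nested", "IKE", single=False,
                             includes=["host-a"], excludes=["host-b"]),
    # Mixes a SKIP object into an IKE group and nests bad-nested.
    "bad-top":    CertObject("bad-top", "IKE", single=False,
                             includes=["bad-nested", "old-skip"]),
}

if __name__ == "__main__":
    print(validate_group("partners", SAMPLE))   # no violations
    print(validate_group("bad-top", SAMPLE))    # two violations
```

Note that "bad-nested" is a perfectly valid top-most group on its own; it only becomes a violation when "bad-top" includes it, which is why the check is made per root rather than per object.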


Certificate Options

srcidentity refers to the certificate(s) associated with, and representing, the source addresses of the data protected by the policy rule in question.

dstidentity refers to the certificate(s) associated with, and representing, the destination addresses of the data protected by the policy rule in question.

srcidentity and dstidentity must both be verifiable using the authmethod given.