Warning

If you are operating in the FIPS-140-3 mode, refer to FIPS Mode Security Restrictions to see the complete list of restrictions applicable for the upgrade from any pre-10.1.3 SBC version.

Internet Key Exchange (IKE) is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE uses a Diffie–Hellman key exchange to set up a shared session secret from which the cryptographic keys are derived. Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process. 

This Key Management Protection Profile specifies the encryption algorithm, the maximum SA lifetime, and other SA conditions, for the peer. These properties are linked to each IKE peer that is provisioned with this profile.

A user can specify one or more DH groups from the SBC supported list of DH groups.

  • The SBC lists the configured DH groups in the descending order of their bit size while negotiating the protection mechanisms as initiator role as part of the SA payload.
  • As responder, the SBC selects the first DH group in the list offered by peer, which is supported and enabled on SBC side.
  • The SBC uses DH Group-2 as default if the user does not specify any group. 

 The SBC Core supports the following DH groups: 

  • DH Group 1: 768 bit
  • DH Group 2: 1024 bit (default)
  • DH Group 5: 1536 bit
  • DH Group 14: 2048 bit

The higher group numbers are more secure, but require additional time to compute the key.

See IPsec for Signaling for an in-depth feature description.

See IPsec Peer - CLI to configure IPSec peer for the IKE protocol version using CLI.

Command Syntax

% set profiles security ikeProtectionProfile <profile name> 
	algorithms 
		dhGroup <modp768 | modp1024 | modp1536 | modp2048>
		encryption <_3DesCbc | aesCbc128>
		integrity <hmacMd5 | hmacSha1 | hmacSha256>
	dpdInterval <interval #>
	pfsRequired <disabled | enabled>
	saLifetimeTime <1200-1000000 seconds>

Command Parameters

The following restrictions apply when the FIPS mode is enabled:

  • IKE Protection Profile dhGroups modp768, modp1024, and modp1536 are blocked. You must set dhGroup to modp2048.
  • IKE Protection Profile encryption 3descbc is not allowed.
  • IKE Protection Profile integrity hmacmd5 is not allowed.


The Key Management Protection Profile parameters are as shown below:

Parameter

Length/Range

Description

ikeProtectionProfile

1-23

The name of the Key Management Protection Profile. This profile specifies the encryption algorithm, the maximum SA lifetime, and the replay rules for an SPD entry. The SBC uses these properties when it forms an IPSec association with a peer.

algorithms

N/A

IKE Protection Profile ESP protocol cipher configurations.

  • dhGroup – This parameter specifies the DH group(s) supported in IKE exchange.
    • modp768
    • modp1024 (default)
    • modp1536
    • modp2048
  • encryption – IKE Protection Profile Encryption Cipher.
    • _3DesCbc
    • aesCbc128 (default)
  • integrity – The IKE Protection Profile Integrity Cipher.
    • hmacMd5
    • hmacSha1 (default)
    • hmacSha256

dpdInterval

10-3600, or "noDpd"

IKE Protection Profile Dead Peer Detection test interval period, in seconds. To disable DPD, enter noDpd. (default = 30).

pfsRequiredN/A

Enable flag to require PFS use during IPSec SA negotiation.

  • disabled (default)
  • enabled 

saLifetimeTime

1200-1000000

IKE Protection Profile SA Lifetime setting, in seconds. (default = 28,800, which equals 8 hours)

Command Example

set profiles security ikeProtectionProfile IkeProfile algorithms dhGroup modp2048 encryption aesCbc128 integrity hmacSha256
set profiles security ikeProtectionProfile IkeProfile dpdInterval 40 pfsRequired enabled saLifetimeTime 14400

show profiles security ikeProtectionProfile IkeProfile
saLifetimeTime 14400;
algorithms {
    encryption aesCbc128;
    integrity  hmacSha256;
    dhGroup    modp2048;
}
dpdInterval    40;
pfsRequired    enabled;