When two IPSec peers negotiate an SA, they exchange the information necessary for each peer to successfully validate and decrypt messages that it receives and that enables a peer to encrypt and sign the messages they send in ways that will be accepted and understood by the receiver. During IKE Phase I, the peers agree on a suite of hash and encryption algorithms (cipher suite) for the IKE SA that is used to secure communications during IKE Phase II. The peers agree on a separate cipher suite for the IPSec SA and exchange keying material during IKE Phase II.
When you test in IKE With Pre-Shared Keys or IKE With RSA Signature mode, you can configure the cipher suites proposed by the local peer for both the IKE and IPSec SAs. The options that you select must be acceptable to the remote peer in order for IKE to succeed and will be the only options supported by the local peer. When you test in Pre-Provisioned mode, you provide the keys that would have been derived during IKE and select the cipher suite that will be used for all IPSec messages.
Landslide also supports configuration of multiple cryptographic suites for IPSec initiator and responder ( to support multiple proposals during the phase1 rekey).
For the IPSec IKEv2 you may configure a maximum of 5 cryptographic suites, where each suite contains the Authentication type, Encryption Key Type, Use AEAD Type, Oakley Group type, and Hash type.
NOTE: The multiple cryptographic suite configuration is not applicable for IKE Pre-Provisioned or IKE Version 1. |
This topic describes the hash and encryption algorithms that are supported for IPSec testing. The topics listed under Related Parameters describe IPSec test options, the other settings used during IKE Phase I and Phase II, and the settings that determine how traffic is routed when multiple tunnels are used.
| Authentication Type |
Use the drop-down list to select the authentication algorithm used or proposed by the local peer. When testing in Pre-Provisioned mode, enter the local peer's Authentication Key in the field provided. Options: HMAC96-MD5, HMAC96-SHA1, AES-XCBC-MAC96, HMAC-SHA2-256-128 , HMAC-SHA2-384-192, Default: HMAC96-MD5
Tcl Parameter: DataAuthKeyType_1
|
||
| Hash Type |
Use the drop-down list to select the hash algorithm negotiated in the IKE exchange as per RFC4306. Options: HMAC-MD5, HMAC-SHA1, AES128-XCBC (not available when IKE Version = V1), HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2-512 Default: HMAC-MD5
Tcl Parameter: DataPrfKeyType_1
|
||
| Extended Authentication (XAuth) |
Select the Extended Authentication (XAuth) checkbox to enable XAuth (for IKE version 1), and then enter the XAuth User Name and XAuth Password. Tcl Parameter: DataXauthEnabler
|
||
| Encryption Key Type |
In addition to Authentication Type, the following selections are available for IKE Phase I and IKE Phase II cipher suites. When multiple tunnels are available, you can configure a different suite for each IPSec SA. Use the drop-down list to select the encryption algorithm. Options: NULL (IKE V2 only), 3DES, AES128, AES192, or AES256 Default: 3DES (IKE V1) or NULL (IKE V2) Tcl Parameter: DataPrivateKeyType_1 |
||
| Use AEAD Type |
Available when IKE Version = V2. Select to use the drop-down list to select an AEAD Type algorithm used to generate AES-GCM and AES-GMAC Encryption keys. When selected, Authentication Type and Encryption Key Type are not available for input because the GCM/GMAC AEAD types combine Authentication and Encryption. Options: AES128-GMAC, AES192-GMAC, AES256-GMAC, AES128-GCM-ICV8, AES128-GCM-ICV12, AES128-GCM-ICV16, AES192-GCM-ICV8, AES192-GCM-ICV12, AES192-GCM-ICV16, AES256-GCM-ICV8, AES256-GCM-ICV12, or AES256-GCM-ICV16 Default: AES128-GMAC Tcl Parameter: DataAeadTypeEn_1 Tcl Parameter: DataAeadType_1 |
||
| Oakley Group Type |
Use the drop-down list to select the algorithm used to generate Diffie-Hellman keys for IKE Phase 1 and 2. Options: Group 768, Group 1024, Group 1536, Group 2048, Group 3072, Group 4096, Group 6144, or Group 8192 Default: Group 768 Tcl Parameter: DataIpSecOakleyType_1
|
||
| Disable IKE Message Encryption |
Select this check box to disable IKE messages to be encrypted using the method specified in Encryption Key Type. This is applicable for IKE V1 only. Tcl Parameter: DataIkeMsgEncrEn
|
||
| Pre-Provisioned Settings |
In addition to Authentication Type, the following selections are available in Pre-Provisioned mode, and will be used to validate, encrypt, and decrypt all IPSec messages. |
||
| Peer Authentication Type |
Use the drop-down list to select the hash algorithm used by the remote peer and enter the remote peer's key in Peer Authentication Key. Options: NULL (MIPv6 IPSec only), HMAC96-MD5, or HMAC96-SHA1 Default: HMAC96-MD5 or NULL (MIPv6 IPSec)
|
||
| Peer Public Key Type |
Use the drop-down list to select the ESP encryption algorithm used by the remote peer. Enter the public key known to both peers in Peer Public Key. Options: NULL, 3DES, AES128, AES192, or AES256 Default: NULL Tcl Parameter: DataPeerPublicKeyType |
||
| Use Peer AEAD Type |
Select to use the drop-down list to select an AEAD Type algorithm used by the remote peer to generate AES-GCM and AES-GMAC Encryption keys. When selected, either the Authentication Key or Private/Peer Public Key are not available for input depending on AEAD Type selected. AESxxx-GMAC requires an Authentication Key. AESxxx-GCM-xxxx requires Private/Peer Public Key. Options: AES128-GMAC, AES192-GMAC, AES256-GMAC, AES128-GCM-ICV8, AES128-GCM-ICV12, AES128-GCM-ICV16, AES192-GCM-ICV8, AES192-GCM-ICV12, AES192-GCM-ICV16, AES256-GCM-ICV8, AES256-GCM-ICV12, or AES256-GCM-ICV16 Default: AES128-GMAC Tcl Parameter: DataPeerAeadTypeEn_1 Tcl Parameter: DataPeerAeadType_1 |