Cisco ASR 5000 Series 3G Home NodeB Administration Manual page 187

IP Security
The figure below shows the message flow during X.509 certificate-based peer authentication. The table that follows the
figure describes each step in the message flow.
Figure 16. X.509 Certificate-based Peer Authentication

The figure shows the Peer Node (holding preconfigured peer node certificates and CA certificates) and the Local Node (holding preconfigured local node certificates and CA certificates), with the following numbered messages and actions:

1. IKE_SA_INIT Request (HDR, SAi, KEi, Ni): Peer Node to Local Node
2. IKE_SA_INIT Response (HDR, SAr, KEr, Nr, CERTREQ): Local Node to Peer Node
3. IKE_AUTH Request: Peer Node to Local Node
4. Local Node verifies the peer node certificate and AUTH signature
5. IKE_AUTH Response (HDR, SK{IDr, CERT, AUTH}): Local Node to Peer Node
6. Peer Node verifies the local node certificate and AUTH signature

Table 16. X.509 Certificate-based Peer Authentication

Step 1. The peer node initiates an IKEv2 exchange with the local node, known as the IKE_SA_INIT exchange, by issuing an IKE_SA_INIT Request to negotiate cryptographic algorithms, exchange nonces, and perform a Diffie-Hellman exchange with the local node.

Step 2. The local node responds with an IKE_SA_INIT Response, choosing one cryptographic suite from the initiator's offered choices and completing the Diffie-Hellman and nonce exchanges with the peer node. The response also carries a CERTREQ payload identifying the CA certificates the local node will accept; in IKEv2 this payload lists, for each trusted CA, the SHA-1 hash of the CA's SubjectPublicKeyInfo rather than the CA certificate itself (RFC 7296, section 3.7). For peer authentication to succeed, the CERTREQ must identify at least one CA that is in the trust chain of the peer certificate. At this point the IKE_SA_INIT exchange is complete, and every message that follows is encrypted and integrity-protected except for its IKE header.

Cisco ASR 5000 Series 3G Home NodeB Gateway Administration Guide, OL-25069-03
IPSec for LTE/SAE Networks
187
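The CERTREQ handling described in step 2 of Table 16, modelled in Python as an added example (this is not code from the Cisco guide or from the ASR 5000 software): the local node encodes its trusted CAs into a CERTREQ body the way RFC 7296 does, as the SHA-1 hash of each CA's SubjectPublicKeyInfo, and the peer node walks its own certificate chain to find a CA the local node will accept and decide which certificates to send in the CERT payloads of its IKE_AUTH Request. The certificates are constructed stand-in records with made-up names and key bytes; no real X.509 parsing or signature verification (figure steps 4 and 6) is performed.

```python
"""Added example: IKEv2 CERTREQ matching as described in Table 16, step 2.

Certificates here are constructed stand-in records, not real X.509 objects.
The only field CERTREQ matching needs is the CA's SubjectPublicKeyInfo (SPKI),
which RFC 7296 section 3.7 hashes with SHA-1 to identify each trusted CA.
Signature verification of CERT/AUTH (figure steps 4 and 6) is out of scope here.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# RFC 7296 section 3.6 Cert Encoding value for "X.509 Certificate - Signature".
CERT_ENCODING_X509_SIG = 4
# Each Certification Authority entry in a CERTREQ is one SHA-1 digest (20 octets).
CA_HASH_LEN = 20


@dataclass(frozen=True)
class Cert:
    """Stand-in certificate (constructed): only the fields the example needs."""
    subject: str
    issuer: str
    spki: bytes  # stands in for the DER-encoded SubjectPublicKeyInfo


def ca_hash(ca: Cert) -> bytes:
    """CERTREQ identifies a trusted CA by SHA-1(SubjectPublicKeyInfo)."""
    return hashlib.sha1(ca.spki).digest()


def build_certreq(trusted_cas: List[Cert]) -> bytes:
    """Local node (responder): encode its acceptable CAs as a CERTREQ payload body.

    Returns the body that follows the generic IKEv2 payload header:
    one Cert Encoding octet followed by the concatenated CA hashes.
    """
    return bytes([CERT_ENCODING_X509_SIG]) + b"".join(ca_hash(ca) for ca in trusted_cas)


def parse_certreq(body: bytes) -> List[bytes]:
    """Peer node (initiator): split a CERTREQ body into the requested CA hashes."""
    if not body or body[0] != CERT_ENCODING_X509_SIG:
        raise ValueError("unsupported Cert Encoding in CERTREQ")
    ca_field = body[1:]
    if len(ca_field) % CA_HASH_LEN:
        raise ValueError("malformed CERTREQ: CA field is not a multiple of 20 octets")
    return [ca_field[i:i + CA_HASH_LEN] for i in range(0, len(ca_field), CA_HASH_LEN)]


def select_chain(certreq: bytes, my_cert: Cert, my_chain: List[Cert]) -> Optional[List[Cert]]:
    """Peer node: choose the certificates to send in the IKE_AUTH Request CERT payloads.

    Walks from the end-entity certificate towards the root. As soon as an issuer
    matches a hash in the CERTREQ, the certificates below that issuer are returned
    (the responder already holds the trusted CA). If the walk reaches a self-signed
    root, hits a cycle, or cannot find an issuer without a match, None is returned:
    the CERTREQ names no CA in the peer's trust chain and IKE_AUTH would fail.
    """
    requested = set(parse_certreq(certreq))
    by_subject = {c.subject: c for c in my_chain}
    to_send = [my_cert]
    seen = {my_cert.subject}
    current = my_cert
    while True:
        issuer = by_subject.get(current.issuer)
        if issuer is None or issuer.subject in seen:
            return None  # missing issuer or a cycle: chain cannot be built
        if ca_hash(issuer) in requested:
            return to_send  # responder trusts this CA; stop here
        if issuer.subject == issuer.issuer:
            return None  # reached a self-signed root the responder did not request
        to_send.append(issuer)
        seen.add(issuer.subject)
        current = issuer


def run_exchange():
    """Constructed scenario: one CERTREQ the peer can satisfy, one it cannot."""
    # Constructed sample PKI; names and SPKI bytes are made up.
    root = Cert("Operator Root CA", "Operator Root CA", b"constructed-root-spki")
    issuing = Cert("HNB Issuing CA", "Operator Root CA", b"constructed-issuing-spki")
    hnb = Cert("hnb-0001.example.invalid", "HNB Issuing CA", b"constructed-hnb-spki")
    unrelated = Cert("Unrelated Root CA", "Unrelated Root CA", b"constructed-other-spki")

    # Case A: the local node trusts the operator root. The peer sends its end-entity
    # certificate plus the issuing CA so the local node can chain up to the root.
    chain_ok = select_chain(build_certreq([root]), hnb, [issuing, root])

    # Case B: the local node trusts only an unrelated CA. Nothing in the peer's chain
    # matches, so the peer cannot satisfy the CERTREQ and authentication fails.
    chain_fail = select_chain(build_certreq([unrelated]), hnb, [issuing, root])
    return chain_ok, chain_fail


if __name__ == "__main__":
    ok, fail = run_exchange()
    print("Case A CERT payloads:", [c.subject for c in ok])
    print("Case B CERT payloads:", fail)
```

Case B is the failure mode the table warns about: when the CERTREQ names no CA in the peer's trust chain, there is no certificate the peer can send that the local node would be able to verify in step 4, so the exchange cannot complete. In a deployment, check that the CA certificates preconfigured on the local node actually include a CA in each peer's chain before turning on certificate authentication.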