HP 7102dl - ProCurve Secure Router Configuration Manual page 506

ProCurve Secure Router 7000dl Series - Advanced Management and Configuration Guide

Virtual Private Networks
Overview
10-12
Table 10-1. IKE Phase 1 Exchanges

| IKE Phase 1 Exchange | Message Includes | You Must Configure | Reference |
|---|---|---|---|
| security proposal | hash algorithm; encryption algorithm; authentication method; Diffie-Hellman group; IKE SA lifetime | IKE attribute policy | page 10-28 |
| Diffie-Hellman key exchange | public value | | |
| authentication | preshared key or digital certificate | preshared key or certificate | page 10-32 or page 10-54 |

IKE Phase 2. The goal of IKE phase 2 is to negotiate the IPSec SA. (For this reason, even though IKE carries out both phases, phase 1 is associated with IKE policies and phase 2 with IPSec policies.) Like an IKE SA, an IPSec SA defines unique authentication and encryption keys, as well as other security parameters for the VPN connection. Keys generated during IKE phase 2 will secure all data exchanged over the lifetime of the VPN tunnel.

When negotiating the IPSec SA, IKE follows much the same process it did in IKE phase 1. The initiating host sends IP packets (now secured by the IKE SA), proposing one or more security policies. Each policy includes a hash algorithm and (if using ESP) an encryption algorithm.

The responding host searches its IPSec policies (referred to as crypto map entries when configuring the ProCurve Secure Router) for a match. When it finds a match, it returns the policy to the initiating host.

IKE then manages the generation and exchange of any hash and encryption keys. It also associates an SPI with the IPSec SA.

Peers can now transmit data securely over the VPN tunnel.

In the Secure Router OS, you will configure proposals for IKE phase 2 in a transform set and crypto map entry. Table 10-2 summarizes configurations you must make for IKE phase 2.
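The responder's matching step in IKE phase 2, described above, can be modeled in a few lines. This is an added Python example, not code from the manual or the Secure Router OS; the names `Proposal`, `select_proposal` and `mismatches` and the sample policies are hypothetical. It also shows why a tunnel fails to come up when the two peers' phase 2 policies differ in a single field.

```python
import secrets
from dataclasses import dataclass, fields
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Proposal:
    protocol: str                    # "esp" or "ah"
    hash_alg: str                    # every policy includes a hash algorithm
    enc_alg: Optional[str] = None    # only present when the policy uses ESP

def select_proposal(offered: List[Proposal], crypto_map: List[Proposal]
                    ) -> Tuple[Optional[Proposal], Optional[int]]:
    """Responder side: return the first offered policy that equals a local
    crypto map entry, plus an SPI for the new IPSec SA; (None, None) if no match."""
    for candidate in offered:                      # initiator's order of preference
        if candidate in crypto_map:
            # SPI values 0-255 are reserved (RFC 4303), so draw from 256..2^32-1
            spi = 256 + secrets.randbelow(2**32 - 256)
            return candidate, spi
    return None, None

def mismatches(candidate: Proposal, crypto_map: List[Proposal]) -> List[str]:
    """Name the fields in which `candidate` differs from the closest local entry."""
    def diff(entry: Proposal) -> List[str]:
        return [f.name for f in fields(Proposal)
                if getattr(entry, f.name) != getattr(candidate, f.name)]
    return min((diff(e) for e in crypto_map), key=len, default=[])

# Constructed sample policies; the algorithm names are illustrative labels only.
RESPONDER_MAP = [Proposal("esp", "sha1", "3des"), Proposal("ah", "sha1")]
INITIATOR_OK = [Proposal("esp", "md5", "aes"), Proposal("esp", "sha1", "3des")]
INITIATOR_BAD = [Proposal("esp", "md5", "3des")]

if __name__ == "__main__":
    chosen, spi = select_proposal(INITIATOR_OK, RESPONDER_MAP)
    print("agreed:", chosen, "SPI: 0x%08x" % spi)
    chosen, _ = select_proposal(INITIATOR_BAD, RESPONDER_MAP)
    print("agreed:", chosen, "differs in:", mismatches(INITIATOR_BAD[0], RESPONDER_MAP))
```

When phase 2 fails between two peers, comparing each side's transform set field by field in this way usually locates the mismatch faster than reading negotiation debug output.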

This manual is also suitable for: ProCurve Secure Router 7203dl J8753A
