Ike Authentication - D-Link NetDefend DFL-210 User Manual

Network security firewall ver 2.26.01

9.3.3. IKE Authentication

by NetDefendOS are as follows:
DH group 1 (768-bit)
DH group 2 (1024-bit)
DH group 5 (1536-bit)
All these DH groups are available for use with IKE, IPsec and PFS.
9.3.3. IKE Authentication
Manual Keying
The "simplest" way of configuring a VPN is by using a method called manual keying. This is a
method where IKE is not used at all; the encryption and authentication keys as well as some other
parameters are directly configured on both sides of the VPN tunnel.
Manual Keying Advantages
Because it is very straightforward, manual keying is quite interoperable. Most interoperability problems
encountered today are in IKE. Manual keying completely bypasses IKE and sets up its own set of
IPsec SAs.
Manual Keying Disadvantages
It is an old method, which was used before IKE came into use, and thus lacks all the
functionality of IKE. This method therefore has a number of limitations: the same
encryption/authentication key must always be used, there are no anti-replay services, and it is not
very flexible. There is also no way of assuring that the remote host/firewall really is the one it says it is.
This type of connection is also vulnerable to something called "replay attacks", meaning a
malicious entity which has access to the encrypted traffic can record some packets, store them, and
send them to its destination at a later time. The destination VPN endpoint will have no way of
telling if this packet is a "replayed" packet or not. Using IKE eliminates this vulnerability.
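Added example (not part of the D-Link manual and not NetDefendOS code): a sequence-number sliding window in the style of the RFC 4303 anti-replay check, showing why a receiver without it cannot tell a replayed packet from a genuine one. The class and function names, the 64-packet window and the sample packet stream are assumptions constructed for illustration.

```python
# Added example: sequence-number anti-replay window in the style of RFC 4303.
# Packets are modelled as bare sequence numbers; the integrity check is assumed
# to have passed already, as it would for a recorded genuine packet.

WINDOW = 64  # window size in packets (constructed choice for this example)


class ReplayWindow:
    """Receiver-side sliding window for one SA (hypothetical helper)."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def accept(self, seq):
        if seq == 0:
            return False                   # sequence numbers start at 1
        if seq > self.top:                 # newer packet: slide window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                   # too old: left of the window
        if self.bitmap & (1 << offset):
            return False                   # duplicate: replayed packet
        self.bitmap |= 1 << offset         # late, but first-time arrival
        return True


def deliver(stream, window=None):
    """Return the packets the receiver passes on to the protected network.
    window=None models an SA with no anti-replay service (manual keying)."""
    return [seq for seq in stream if window is None or window.accept(seq)]


# Constructed traffic: genuine packets 1..5 (3 arrives out of order),
# followed by packets 2 and 4 arriving a second time.
STREAM = [1, 2, 4, 3, 5, 2, 4]

if __name__ == "__main__":
    print("no anti-replay:", deliver(STREAM))
    print("anti-replay   :", deliver(STREAM, ReplayWindow()))
```
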
PSK
Using a Pre-shared Key (PSK) is a method where the endpoints of the VPN "share" a secret key.
This is a service provided by IKE, and thus has all the advantages that come with it, making it far
more flexible than manual keying.
PSK Advantages
Pre-Shared Keying has a lot of advantages over manual keying. These include endpoint
authentication, which is what the PSKs are really for. It also includes all the benefits of using IKE.
Instead of using a fixed set of encryption keys, session keys will be used for a limited period of
time, after which a new set of session keys is used.
PSK Disadvantages
Note
NetDefendOS does not support manual keying.
Chapter 9. VPN
