Key Management - D-Link DFL-900 User Manual

D-Link DFL-900 / DFL-1500 VPN/Firewall Router

DFL-900/1500 User Manual

12.2.5 Key Management

Key Management lets you choose whether the VPN is set up with IKE (ISAKMP) or with manually configured keys.

IKE Phases
Every IKE (Internet Key Exchange) negotiation has two phases: phase 1 (authentication) and phase 2 (key exchange). The phase 1 exchange establishes an IKE SA; phase 2 then uses that SA to negotiate the SAs for IPSec.
In phase 1 you must:
- Choose a negotiation mode
- Authenticate the connection by entering a pre-shared key
- Choose an encryption algorithm
- Choose an authentication algorithm
- Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2)
- Set the IKE SA lifetime. This field determines how long an established IKE SA remains valid before it expires. A value of 0 means the IKE SA never expires, so the same phase 1 keys stay in use indefinitely; a finite lifetime forces periodic rekeying and is the safer choice. When the IKE SA expires, both the IKE SA and the IPSec SA must be renegotiated.
In phase 2 you must:
- Choose which IPSec protocol (ESP or AH) the negotiated IPSec SA will use to protect traffic
- Choose an encryption algorithm
- Choose an authentication algorithm
- Choose whether to enable Perfect Forward Secrecy (PFS), which runs a fresh Diffie-Hellman exchange for the phase 2 keys instead of deriving them from the phase 1 secret alone
- Choose Tunnel mode or Transport mode
- Set the IPSec SA lifetime. This field determines how long an established IPSec SA remains valid before it expires. A value of 0 means the IPSec SA never expires. When the IPSec SA expires, only the IPSec SA must be renegotiated (the IKE SA is not affected).
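The two phases described above, worked through in Python as an added example (this is not code from the D-Link manual or the DFL-900 firmware). It uses the real RFC 2409 MODP groups the unit offers (DH1 = 768-bit, DH2 = 1024-bit) for the phase 1 Diffie-Hellman exchange, and then shows what the PFS option changes in phase 2: without PFS, an attacker who later obtains the phase 1 key seed (SKEYID_d) and has a capture of the phase 2 nonces can recompute the IPSec keys; with PFS the phase 2 keys also depend on a second DH exchange the attacker cannot solve. Assumptions: HMAC-SHA1 as the IKE prf, stand-in values for the protocol ID and SPI, a constructed pre-shared key, and a key derivation that follows the structure of RFC 2409 but omits the SA payload bytes.

```python
"""Added example: IKE phase 1 DH exchange and the effect of phase 2 PFS."""
import hashlib
import hmac
import secrets
from typing import Optional

# RFC 2409 section 6.1: 768-bit MODP group (IKE group 1, "DH1" in the manual)
DH1_PRIME = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
# RFC 2409 section 6.2: 1024-bit MODP group (IKE group 2, "DH2")
DH2_PRIME = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GENERATOR = 2
GROUPS = {1: DH1_PRIME, 2: DH2_PRIME}


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC keyed with the negotiated hash (assumed HMAC-SHA1)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair(group: int):
    """Private exponent x and public value g^x mod p for the chosen group."""
    p = GROUPS[group]
    x = secrets.randbelow(p - 2) + 1
    return x, pow(GENERATOR, x, p)


def dh_shared(group: int, my_private: int, peer_public: int) -> bytes:
    """g^xy mod p, encoded big-endian at the group's width (RFC 2409 s.5)."""
    p = GROUPS[group]
    if not 1 < peer_public < p - 1:      # reject 0, 1, p-1 (trivial subgroups)
        raise ValueError("invalid DH public value")
    width = (p.bit_length() + 7) // 8
    return pow(peer_public, my_private, p).to_bytes(width, "big")


def phase1_skeyid_d(psk: bytes, ni: bytes, nr: bytes, gxy: bytes,
                    cky_i: bytes, cky_r: bytes) -> bytes:
    """SKEYID (pre-shared key mode) and SKEYID_d, the seed for phase 2 keys."""
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, gxy + cky_i + cky_r + b"\x00")


def phase2_keymat(skeyid_d: bytes, ni2: bytes, nr2: bytes,
                  pfs_gxy: Optional[bytes] = None) -> bytes:
    """KEYMAT for one IPsec SA. With PFS a fresh g(qm)^xy is mixed in."""
    proto_spi = b"\x03" + b"\x12\x34\x56\x78"   # stand-in ESP proto id + SPI
    if pfs_gxy is None:
        return prf(skeyid_d, proto_spi + ni2 + nr2)
    return prf(skeyid_d, pfs_gxy + proto_spi + ni2 + nr2)


def demo(group: int = 2, pfs: bool = True) -> dict:
    """Run phase 1 then phase 2, and show what a leaked SKEYID_d yields."""
    psk = b"constructed-example-psk"            # constructed sample input
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    # Phase 1: each side keeps its exponent and sends only the public value.
    xi, gxi = dh_keypair(group)
    xr, gxr = dh_keypair(group)
    gxy = dh_shared(group, xi, gxr)
    assert gxy == dh_shared(group, xr, gxi)    # both sides agree on g^xy
    skeyid_d = phase1_skeyid_d(psk, ni, nr, gxy, cky_i, cky_r)
    # Phase 2: with PFS a second, independent DH exchange is performed.
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    qm_gxy = None
    if pfs:
        yi, gyi = dh_keypair(group)
        yr, gyr = dh_keypair(group)
        qm_gxy = dh_shared(group, yi, gyr)
        assert qm_gxy == dh_shared(group, yr, gyi)
    keymat = phase2_keymat(skeyid_d, ni2, nr2, qm_gxy)
    # Attacker model: SKEYID_d later compromised plus a capture of the
    # phase 2 nonces (and, with PFS, only the public values g^yi, g^yr).
    # Without PFS that recomputes KEYMAT exactly; with PFS the attacker
    # lacks g(qm)^xy and gets a different key.
    attacker_keymat = phase2_keymat(skeyid_d, ni2, nr2, None)
    return {"group_bits": GROUPS[group].bit_length(),
            "keymat": keymat,
            "attacker_recovers_keymat": attacker_keymat == keymat}


if __name__ == "__main__":
    print("DH2, PFS off:", demo(2, pfs=False)["attacker_recovers_keymat"])
    print("DH2, PFS on: ", demo(2, pfs=True)["attacker_recovers_keymat"])
```

Note that the `dh_shared` range check matters in practice: accepting a peer public value of 0, 1 or p-1 lets an active attacker force the shared secret into a tiny set of values.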
Negotiation Mode
The phase 1 Negotiation Mode you select determines how the Security Association (SA) is established for each connection through IKE negotiation.
- Main Mode gives the highest level of security while the communicating parties negotiate authentication (phase 1). It uses six messages in three round trips: SA negotiation, the Diffie-Hellman exchange, and an exchange of nonces (a nonce is a random number). This mode provides identity protection: the identities are exchanged only after the channel is encrypted, so they are not revealed to an eavesdropper.
- Aggressive Mode is quicker than Main Mode because it collapses the phase 1 exchange into three messages. The trade-offs are that there is less to negotiate (the Diffie-Hellman group is committed in the first message rather than proposed) and that it provides no identity protection: identities are sent in cleartext. With pre-shared key authentication the responder's authentication hash is also sent in cleartext, so an eavesdropper can test guessed keys against it offline; if Aggressive Mode is required, use a long, random pre-shared key. It is useful in remote access situations where the responder does not know the initiator's address in advance and both parties want to use pre-shared key authentication.
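To make the Aggressive Mode trade-off concrete, here is an added example (not code from the D-Link manual) of what a passive eavesdropper can do with each mode. In Aggressive Mode the responder's HASH_R travels in message 2 before any encryption exists, and every other input to it (nonces, DH public values, cookies, the SA payload, the responder's identity) is on the wire too, so candidate pre-shared keys can be tested offline. In Main Mode the same hash is sent in message 6, already encrypted under SKEYID_e, so there is nothing to test against. Formulas follow RFC 2409 for pre-shared key authentication (SKEYID = prf(PSK, Ni_b | Nr_b); HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)) with HMAC-SHA1 assumed as the prf; the captured field values, the wordlist and the weak key are constructed stand-ins.

```python
"""Added example: offline PSK guessing against an Aggressive Mode capture."""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf, assumed here to be HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def hash_r(psk: bytes, c: dict) -> bytes:
    """Responder's phase 1 authentication hash (pre-shared key mode)."""
    skeyid = prf(psk, c["ni"] + c["nr"])
    return prf(skeyid, c["gxr"] + c["gxi"] + c["cky_r"] + c["cky_i"]
               + c["sai_b"] + c["idir_b"])


def phase1_capture(psk: bytes, mode: str) -> dict:
    """Fields a passive sniffer can read from a phase 1 exchange."""
    c = {
        "cky_i": secrets.token_bytes(8), "cky_r": secrets.token_bytes(8),
        "ni": secrets.token_bytes(16), "nr": secrets.token_bytes(16),
        # constructed stand-ins for g^xi and g^xr (768-bit group width)
        "gxi": secrets.token_bytes(96), "gxr": secrets.token_bytes(96),
        # constructed stand-in for the initiator's SA payload body
        "sai_b": b"\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00",
        # ID payload body: ID_FQDN type, protocol 0, port 0, then the name
        "idir_b": b"\x02\x00\x00\x00" + b"vpn.example.com",
    }
    if mode == "aggressive":
        # Message 2 (R -> I) carries SA, KE, Nr, IDir and HASH_R in cleartext.
        c["hash_r"] = hash_r(psk, c)
    elif mode == "main":
        # HASH_R is in message 6, encrypted under SKEYID_e: not readable.
        c["hash_r"] = None
    else:
        raise ValueError("mode must be 'aggressive' or 'main'")
    return c


def crack_psk(c: dict, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack: recompute HASH_R for each candidate."""
    if c.get("hash_r") is None:
        return None            # nothing to compare against (Main Mode)
    for candidate in wordlist:
        if hmac.compare_digest(hash_r(candidate, c), c["hash_r"]):
            return candidate
    return None


# constructed wordlist and a constructed weak key that appears in it
WORDLIST = [b"password", b"123456", b"dlink", b"vpnkey", b"Summer2004"]
REAL_PSK = b"Summer2004"


def demo(mode: str) -> Optional[bytes]:
    """Recovered PSK for a capture made in the given mode, or None."""
    return crack_psk(phase1_capture(REAL_PSK, mode), WORDLIST)


if __name__ == "__main__":
    print("aggressive:", demo("aggressive"))
    print("main:      ", demo("main"))
```

The attack costs one HMAC pair per candidate, so the only defence when Aggressive Mode must be used is a pre-shared key long and random enough that no wordlist contains it.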
Pre-Shared Key
A pre-shared key authenticates a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because both parties must have the same key before they can establish a secure connection with each other.
Diffie-Hellman (DH) Key Groups
Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an insecure communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit (Group 1 – DH1) and
103
Chapter 12
VPN Technical Introduction