Key Management - Planet Networking & Communication MH-5001 User Manual

Multi-Homing UTM Security Gateway

12.2.5 Key Management

Key Management allows you to determine whether to use IKE (ISAKMP) or manual key configuration in order to set up a VPN.
IKE Phases
There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange). A
phase 1 exchange establishes an IKE SA, and phase 2 uses that SA to negotiate SAs for IPSec.
In phase 1 you must:
Choose a negotiation mode
Authenticate the connection by entering a pre-shared key
Choose an encryption algorithm
Choose an authentication algorithm
Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2).
Set the IKE SA lifetime. This field allows you to determine how long IKE SA negotiation should proceed before it times out. A value of 0 means IKE SA negotiation never times out. If the IKE SA negotiation times out, then both the IKE SA and the IPSec SA must be renegotiated.
In phase 2 you must:
Choose which protocol to use (ESP or AH) for the IKE key exchange
Choose an encryption algorithm
Choose an authentication algorithm
Choose whether to enable Perfect Forward Secrecy (PFS) using Diffie-Hellman public-key cryptography
Choose Tunnel mode or Transport mode
Set the IPSec SA lifetime. This field allows you to determine how long IPSec SA setup should proceed before it times out. A value of 0 means the IPSec SA never times out. If the IPSec SA negotiation times out, then only the IPSec SA must be renegotiated (not the IKE SA).
Negotiation Mode
The phase 1 Negotiation Mode you select determines how the Security Association (SA) will be established for each connection
through IKE negotiations.
Main Mode ensures the highest level of security when the communicating parties are negotiating authentication (phase
1). It uses 6 messages in three round trips (SA negotiation, Diffie-Hellman exchange and an exchange of nonces; a
nonce is a random number). This mode features identity protection (your identity is not revealed in the negotiation).
Aggressive Mode is quicker than Main Mode because it eliminates several steps when the communicating parties are
negotiating authentication (phase 1). However, the trade-off is that this speed limits its negotiating power, and it also does
not provide identity protection. It is useful in remote access situations where the address of the initiator is not known by
the responder and both parties want to use pre-shared key authentication.
Pre-Shared Key
A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to
share it with another party before you can communicate with them over a secure connection.
Diffie-Hellman (DH) Key Groups
Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured
communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit (Group 1 – DH1) and
1024-bit (Group 2 – DH2) Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers
have a shared secret, but the IKE SA is not authenticated. For authentication, use pre-shared keys.
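The last two sections (Pre-Shared Key and DH Key Groups) can be tied together with a small simulation. The following is an added example, not code from the manual or from the MH-5001: it runs an RFC 2409 Group 2 (DH2, 1024-bit) exchange between two peers and then derives SKEYID and HASH_I from a pre-shared key exactly as RFC 2409 specifies for PSK authentication. The SA body and ID payload bytes are constructed placeholders, not real ISAKMP encodings. It shows the point made above: the DH shared secret agrees on both sides regardless of who the peer is, and only the pre-shared key check authenticates the IKE SA.

```python
import hashlib
import hmac
import secrets

# RFC 2409 Oakley Group 2 (the manual's "DH2"): 1024-bit MODP prime, generator 2.
DH2_PRIME = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
DH2_BYTES = 128  # 1024-bit group: KE payloads and g^xy are 128 bytes

def prf(key, data):
    """IKEv1 prf when SHA-1 is the authentication algorithm: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()

def dh_keypair():
    """Return (private exponent x, g^x mod p encoded as the KE payload)."""
    x = secrets.randbelow(DH2_PRIME - 2) + 1
    return x, pow(2, x, DH2_PRIME).to_bytes(DH2_BYTES, "big")

def dh_shared(x, peer_ke):
    """g^xy mod p: equal on both peers, but says nothing about who the peer is."""
    return pow(int.from_bytes(peer_ke, "big"), x, DH2_PRIME).to_bytes(DH2_BYTES, "big")

def skeyid_psk(psk, ni, nr):
    """RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)

def hash_i(skeyid, ke_i, ke_r, cky_i, cky_r, sai_b, idii_b):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, ke_i + ke_r + cky_i + cky_r + sai_b + idii_b)

def phase1_psk(psk_initiator, psk_responder):
    """Simulate phase 1 between two peers holding the given pre-shared keys.
    Returns (DH secrets agree, responder accepts the initiator's HASH_I)."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # ISAKMP cookies
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)      # nonces
    sai_b = b"\x00\x00\x00\x01" + b"des-sha1-psk-dh2"              # constructed SAi_b stand-in
    idii_b = b"\x01\x00\x00\x00" + bytes([192, 168, 1, 1])         # constructed ID payload body
    xi, ke_i = dh_keypair()
    xr, ke_r = dh_keypair()
    gxy_i, gxy_r = dh_shared(xi, ke_r), dh_shared(xr, ke_i)
    # Each side derives SKEYID from its own copy of the key; HASH_I only
    # verifies if both copies match, which is what authenticates the IKE SA.
    common = (ke_i, ke_r, cky_i, cky_r, sai_b, idii_b)
    sent = hash_i(skeyid_psk(psk_initiator, ni, nr), *common)
    expected = hash_i(skeyid_psk(psk_responder, ni, nr), *common)
    return gxy_i == gxy_r, hmac.compare_digest(sent, expected)
```

With matching keys phase1_psk returns (True, True); with a mismatched key on one side the DH secrets still agree but HASH_I verification fails, so the responder must reject the IKE SA.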
96
Chapter 12
VPN Technical Introduction