Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual page 607
Copyright © 2010, Juniper Networks, Inc.
Authentication only authenticates the data; it does not encrypt the data in the VPN. To
ensure privacy, you must encrypt the data using ESP.
Using Encapsulating Security Payload (ESP)
ESP encrypts the data in the VPN with DES, Triple DES, or AES symmetric encryption.
When the encrypted data arrives at the destination, the receiving device uses a key to
decrypt the data. For additional security, you can encrypt the keys that decrypt the data
using Diffie-Hellman asymmetric encryption. ESP can also authenticate data in the VPN
using MD5 and SHA-1 algorithms. You can use ESP to encrypt, authenticate, or encrypt
and authenticate data depending on your security requirements.
NOTE: We strongly recommend that you do not use null AH with ESP.
Because ESP uses keys to encrypt and decrypt data, each VPN node must have the
correct key to send and receive VPN data through the VPN tunnel.
You can manually configure a key for each VPN node, or use a key exchange protocol to
automate key generation and distribution:
Manual Key IKE—In a manual key VPN, you specify the encryption algorithm,
authentication algorithm, and the Security Parameter Index (SPI) for each VPN node.
Because all security parameters are static and consistent, VPN nodes can send and
receive data automatically, without negotiation.
Autokey IKE—In an AutoKey IKE VPN, you can use the Internet Key Exchange (IKE)
protocol to generate and distribute encryption keys and authentication algorithms to
all VPN nodes. IKE automatically generates new encryption keys for the traffic on the
network, and automatically replaces those keys when they expire. Because IKE
generates keys automatically, you can give each key a short life span, making it expire
before it can be broken. By also exchanging authentication algorithms, IKE can confirm
that the communication in the VPN tunnel is secure.
Because all security parameters are dynamically assigned, VPN nodes must negotiate
the exact set of security parameters that will be used to send and receive data to other
VPN nodes. To enable negotiations, each VPN node contains a list of proposals; each
proposal is a set of encryption keys and authentication algorithms. When a VPN node
attempts to send data through the VPN tunnel, IKE compares the proposals from each
VPN node and selects a proposal that is common to both nodes. If IKE cannot find a
proposal that exists on both nodes, the connection is not established.
IKE negotiations include two phases:
In Phase 1, two members establish a secure and authenticated communication
channel.
In Phase 2, two members negotiate Security Associations for services (such as IPSec)
that require key material and/or parameters.
VPN nodes must use the same authentication and encryption algorithms to establish
communication.
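The proposal matching and two-phase negotiation described above, as an added illustration that is not code from the Juniper NSM manual or from NSM itself: each node holds an ordered proposal list, the first proposal both nodes share is selected, no shared proposal means no tunnel, and Phase 2 is only attempted once Phase 1 succeeds. The Proposal fields, the WEAK policy set and the sample node lists are constructed assumptions for this example.

```python
# Added example (not from the Juniper NSM manual): a model of IKE proposal
# matching. A proposal is a set of algorithms; the initiator offers its list
# and the responder selects the first one it also supports.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    encryption: str      # "des", "3des" or "aes", the ESP ciphers the manual lists
    authentication: str  # "md5" or "sha1", the ESP authentication algorithms listed
    dh_group: int        # Diffie-Hellman group used for key exchange (assumed field)


# Local review policy (assumption, not something NSM enforces): algorithms the
# manual lists that should no longer be accepted in a proposal.
WEAK = {"des", "md5"}


def select_proposal(offered: List[Proposal], accepted: List[Proposal]) -> Optional[Proposal]:
    """Return the first offered proposal that also appears in the responder's
    list. None corresponds to IKE finding no common proposal: no connection."""
    accepted_set = set(accepted)
    for proposal in offered:
        if proposal in accepted_set:
            return proposal
    return None


def weak_components(proposal: Proposal) -> set:
    """Which algorithms of a selected proposal fall under the WEAK policy."""
    return {proposal.encryption, proposal.authentication} & WEAK


def negotiate(phase1: Tuple[list, list], phase2: Tuple[list, list]) -> Optional[Tuple[Proposal, Proposal]]:
    """Run both IKE phases as the manual describes: Phase 1 must establish the
    secure channel before Phase 2 security associations are negotiated.
    Each argument is (offered, accepted)."""
    sa1 = select_proposal(*phase1)
    if sa1 is None:
        return None  # Phase 1 failed; Phase 2 is never attempted
    sa2 = select_proposal(*phase2)
    return None if sa2 is None else (sa1, sa2)


# Constructed sample: three VPN nodes with different proposal lists.
NODE_A = [Proposal("aes", "sha1", 2), Proposal("3des", "md5", 2)]
NODE_B = [Proposal("3des", "md5", 2), Proposal("aes", "sha1", 2)]
NODE_C = [Proposal("des", "md5", 1)]

if __name__ == "__main__":
    chosen = select_proposal(NODE_A, NODE_B)   # initiator order wins: aes/sha1
    print("A<->B:", chosen, "weak:", weak_components(chosen))
    print("A<->C:", select_proposal(NODE_A, NODE_C))  # None: no common proposal
```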
Chapter 12: Configuring VPNs
557