Virtual Private Networks
Overview
Key generation. You will recall that an algorithm is simply a fixed method
for transforming data using a key. The key is what actually defines and secures
the tunnel, and it must be unique to that tunnel. When you use IKE, however,
you only need to configure the algorithms IKE proposes in the first exchange.
IKE generates the actual keys for you using the Diffie-Hellman Key Agreement
Protocol. The Diffie-Hellman exchange takes place in the second set of
exchanges of IKE phase 1.
The Diffie-Hellman protocol is a secure method for generating a unique,
shared key without ever sending that key over the connection, where it would
be vulnerable to interception. Each host selects a private value and
transforms it, by modular exponentiation with a large prime modulus, into a
public value. The hosts exchange only the public values. Each then combines
the other's public value with its own private value to compute a new value.
The computation is constructed so that both hosts arrive at the same result,
while an observer who sees only the two public values cannot.
This shared value is the authentication or encryption key used to secure data
in the final IKE phase 1 exchange and in all IKE phase 2 exchanges. In this
way, IPSec provides an additional layer of security: hosts transmit their
authentication information in secured packets, and those secured packets in
turn negotiate the IPSec SA itself.
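The exchange described above, carried through in code as an added example that is not part of this manual: both hosts pick a private value, exchange public values, and derive identical key material while a passive observer sees only the public values and nonces. The group parameters are the 1024-bit MODP group (Oakley group 2 of RFC 2409), transcribed here by hand; verify the constant against the RFC before relying on it, and note that current deployments use the larger groups of RFC 3526. The key derivation shown is the IKEv1 form SKEYID = prf(Ni_b | Nr_b, g^xy) used with signature authentication, with HMAC-SHA1 standing in as the prf; function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP prime from RFC 2409 (Oakley group 2), transcribed by hand.
# Verify against the RFC; modern IKE uses 2048-bit and larger groups (RFC 3526).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF",
    16,
)
G = 2  # generator for this group


def dh_keypair(p=P, g=G):
    """Pick a random private value x and compute the public value g^x mod p.

    The private value never leaves the host; only the public value is sent.
    """
    x = secrets.randbelow(p - 3) + 2  # uniform in [2, p-2]
    y = pow(g, x, p)
    return x, y


def dh_shared_secret(own_private, peer_public, p=P):
    """Combine our private value with the peer's public value: (g^x')^x mod p.

    Public values of 0, 1 or p-1 are rejected: they would force the shared
    secret into a trivial subgroup, so a peer (or a tamperer) sending one
    must not be accepted.
    """
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value is outside the valid range")
    return pow(peer_public, own_private, p)


def skeyid_from_shared(shared, nonce_i, nonce_r, p=P):
    """Derive SKEYID the way IKEv1 does for signature authentication:
    SKEYID = prf(Ni_b | Nr_b, g^xy), here with HMAC-SHA1 as the prf."""
    gxy = shared.to_bytes((p.bit_length() + 7) // 8, "big")
    return hmac.new(nonce_i + nonce_r, gxy, hashlib.sha1).digest()


def ike_phase1_keying():
    """Run both sides of the exchange in one process.

    Returns the key material each side derives and a dict of everything a
    passive observer of the link would have seen (public values and nonces
    only; neither private value nor the shared secret ever appears there).
    """
    xi, yi = dh_keypair()  # initiator's private and public values
    xr, yr = dh_keypair()  # responder's private and public values
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)  # constructed nonces

    # Each side uses the peer's public value and its own private value.
    key_i = skeyid_from_shared(dh_shared_secret(xi, yr), ni, nr)
    key_r = skeyid_from_shared(dh_shared_secret(xr, yi), ni, nr)

    on_the_wire = {"g^xi": yi, "g^xr": yr, "Ni": ni, "Nr": nr}
    return key_i, key_r, on_the_wire


if __name__ == "__main__":
    k_i, k_r, wire = ike_phase1_keying()
    print("initiator SKEYID:", k_i.hex())
    print("responder SKEYID:", k_r.hex())
    print("keys match:", k_i == k_r)
    print("observer saw only:", sorted(wire))
```

Running the script shows both sides printing the same SKEYID even though the only values that crossed the wire were the two public values and the nonces. The range check in `dh_shared_secret` is the one detail a practitioner should not drop: a peer that sends a degenerate public value must be refused rather than quietly given a predictable key.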
10-9