What Is Pre-Shared Key; What Are The Differences Between Ike And Manual Key Vpn - ZyXEL Communications Prestige 2602H-6xC Support Notes

What is SA?

A Security Association (SA) is a contract between two parties indicating what security parameters, such
as keys and algorithms, they will use.

What is IKE?

IKE is short for Internet Key Exchange. Key Management allows you to determine whether to use IKE
(ISAKMP) or manual key configuration to set up a VPN.
There are two phases in every IKE negotiation: phase 1 (Authentication) and phase 2 (Key Exchange).
Phase 1 establishes an IKE SA and phase 2 uses that SA to negotiate SAs for IPSec.

What is Pre-Shared Key?

A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called
'Pre-shared' because you have to share it with another party before you can communicate with them over
a secure connection.

What are the differences between IKE and manual key VPN?

The only difference between IKE and manual key is how the encryption keys and SPIs are determined.
For IKE VPN, the keys and SPIs are negotiated from one VPN gateway to the other. Afterward,
the two VPN gateways use these negotiated keys and SPIs to send packets between the two networks.
For manual key VPN, the encryption key, authentication key (if needed), and SPIs are
predetermined by the administrator when configuring the security association.
IKE is more secure than manual key, because IKE negotiation can generate new keys and SPIs randomly
for the VPN connection.

What is Phase 1 ID for?

In IKE phase 1 negotiation, the IP address of the remote peer is treated as an indicator to decide which
VPN rule must be used to serve the incoming request. However, in some applications, the remote VPN box
or client software uses an IP address dynamically assigned by the ISP, so the Prestige needs additional
information to make the decision. This additional information is what we call the phase 1 ID. The IKE
payload has local and peer ID fields for this purpose.
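
The rule selection described above, as an added example that is not ZyXEL's code or the Prestige firmware logic: a simplified model in which the remote IP address is tried first and the phase 1 ID decides for dynamically addressed peers. The names VpnRule, select_rule and RULES, the 0.0.0.0 marker for a dynamic peer, and the sample addresses and IDs are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

DYNAMIC = "0.0.0.0"  # assumption: marks a rule whose peer address is not known in advance

@dataclass(frozen=True)
class VpnRule:
    name: str
    peer_addr: str     # expected remote gateway address, or DYNAMIC
    peer_id_type: str  # "IP", "DNS" or "E-mail" (address, FQDN, user FQDN)
    peer_id: str       # expected content of the peer's phase 1 ID

def _id_matches(rule: VpnRule, id_type: str, id_value: str) -> bool:
    """True when the ID the peer sent equals the peer ID configured on the rule."""
    if rule.peer_id_type != id_type:
        return False
    if id_type == "IP":
        try:
            return ip_address(rule.peer_id) == ip_address(id_value)
        except ValueError:  # malformed address in the ID field
            return False
    return rule.peer_id == id_value

def select_rule(rules, src_ip: str, id_type: str, id_value: str) -> Optional[VpnRule]:
    """Return the rule that serves this phase 1 request, or None to reject it."""
    src = ip_address(src_ip)
    # 1. The remote peer's IP address is the first indicator.
    for rule in rules:
        if rule.peer_addr != DYNAMIC and ip_address(rule.peer_addr) == src:
            # The ID must still agree with the rule: a mismatch is rejected, not ignored.
            return rule if _id_matches(rule, id_type, id_value) else None
    # 2. Unknown source address: only the phase 1 ID can tell dynamic peers apart.
    hits = [r for r in rules if r.peer_addr == DYNAMIC and _id_matches(r, id_type, id_value)]
    # Reject when no rule or more than one rule claims the ID (ambiguous configuration).
    return hits[0] if len(hits) == 1 else None

# Constructed sample rules (documentation addresses and example.com names).
RULES = [
    VpnRule("branch-static", "203.0.113.10", "IP", "203.0.113.10"),
    VpnRule("roadwarrior-a", DYNAMIC, "E-mail", "alice@example.com"),
    VpnRule("roadwarrior-b", DYNAMIC, "DNS", "site-b.example.com"),
]

if __name__ == "__main__":
    for req in [("203.0.113.10", "IP", "203.0.113.10"),
                ("198.51.100.7", "E-mail", "alice@example.com"),
                ("198.51.100.7", "DNS", "unknown.example.com")]:
        rule = select_rule(RULES, *req)
        print(req, "->", rule.name if rule else "rejected")
```

The phase 1 ID only selects the rule; the pre-shared key configured on that rule is still what authenticates the peer, so each dynamic rule needs a unique peer ID.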
All contents copyright (c) 2005 ZyXEL Communications Corporation.
Prestige 2602H-6xC Support Notes