IPSec does not function correctly if the gateway's IP address is changed on the fly,
because the crypto hardware is configured only at reset. After changing the gateway's
IP address, reset the gateway so that the new address is applied to the crypto hardware.
IKE
IKE is used to establish the Security Associations (SAs) between peers (the gateway and the
application it is trying to contact). An SA contains the encryption keys and profile that
IPSec uses to encrypt the IP stream. The IKE table lists the IKE peers with which the gateway
performs IKE negotiation (up to 20 peers can be configured).
IKE negotiation consists of two phases: main mode and quick mode. Main mode uses the
Diffie-Hellman (DH) protocol to derive an encryption key without any prior shared key
material, and uses a pre-shared key to authenticate the peers. The resulting secured channel
protects the messages of the second phase (quick mode), in which the IPSec SA properties are
negotiated.
The IKE negotiation is as follows:
Main mode (main mode creates the secured channel for quick mode)
SA negotiation – The peers negotiate their capabilities using four proposals. Each
proposal includes three parameters: Encryption method, Authentication (hash) protocol and
the DH group, which determines the length of the key created by the DH protocol. The key's
lifetime is also negotiated in this stage. For detailed information on configuring the main
mode proposals, see IKE Configuration.
Key exchange (DH) – The DH protocol is used to create the phase-1 key.
Authentication – The two peers authenticate one another using the pre-shared key
(configured by the parameter 'IKEPolicySharedKey'). This step binds the DH result to the
intended peer; the DH exchange on its own does not protect against an attacker who inserts
itself between the two peers, so a peer whose pre-shared key does not match is rejected here.
Quick mode (quick mode negotiation is secured by the phase-1 SA)
SA negotiation – The peers negotiate their capabilities using four proposals. Each
proposal includes two parameters: Encryption method and Authentication protocol.
The lifetime is also negotiated in this stage. For detailed information on configuring
the quick mode proposals, see the SPD table under IPSec Configuration.
Key exchange – A symmetric key is derived for the negotiated IPSec SA from the phase-1
key material, and IPSec uses it to protect the IP stream.
IKE Specifications:
Authentication mode - pre-shared key only
Main mode is supported for IKE Phase 1
Supported IKE SA encryption algorithms - Data Encryption Standard (DES), 3DES, and
Advanced Encryption Standard (AES)
Hash types for IKE SA - SHA1 and MD5
DES (56-bit key) and MD5 are provided for interoperability with older peers only; configure
AES with SHA1 whenever the peer supports them.
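The two-phase exchange described above, as an added example in Python (not the gateway's firmware or the manual's own code): both peers run in one process, the key derivations follow RFC 2409 section 5 for pre-shared-key authentication, and the DH group, proposal lists, cookies, nonces, SPIs and identities are constructed here for illustration. It also shows the two failure modes a practitioner meets when a tunnel does not come up: no matching proposal, and a pre-shared key mismatch, which surfaces only at the authentication step, after the DH exchange has already produced a shared secret on both sides.

```python
import hashlib
import hmac
import secrets

# Toy DH group, constructed for illustration only.  A real IKE peer uses an
# RFC 3526 MODP group (group 14 or larger); M127 just keeps the numbers small.
DH_P = 2**127 - 1
DH_G = 3

# Constructed proposal lists, in order of preference: (encryption, hash, DH group)
# for main mode and (encryption, authentication) for quick mode.
GW_PHASE1 = [("aes", "sha1", 14), ("3des", "sha1", 2), ("des", "md5", 1)]
GW_PHASE2 = [("aes", "sha1"), ("3des", "md5")]

def prf(key: bytes, data: bytes) -> bytes:
    """IKE prf: HMAC over the negotiated hash (SHA1 here; MD5 is the other option)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def i2b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")

def select_proposal(offered, acceptable):
    """Responder takes the first initiator proposal it also accepts; None means
    it would answer NO-PROPOSAL-CHOSEN and the negotiation stops here."""
    acceptable = set(acceptable)
    return next((p for p in offered if p in acceptable), None)

class Peer:
    def __init__(self, ident: str, psk: bytes, phase1, phase2):
        self.ident, self.psk, self.phase1, self.phase2 = ident.encode(), psk, phase1, phase2
        self.cookie = secrets.token_bytes(8)      # CKY, carried in the ISAKMP header
        self.nonce = secrets.token_bytes(16)      # Ni / Nr
        self.dh_priv = secrets.randbelow(DH_P - 2) + 1
        self.dh_pub = pow(DH_G, self.dh_priv, DH_P)

    def skeyids(self, peer_pub, cky_i, cky_r, n_i, n_r):
        """Phase-1 key material (RFC 2409 s5.4). SKEYID is keyed by the PSK, so a
        wrong PSK silently yields different keys; only the HASH check exposes it."""
        gxy = i2b(pow(peer_pub, self.dh_priv, DH_P))
        skeyid = prf(self.psk, n_i + n_r)
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
        return skeyid, skeyid_d, skeyid_a, skeyid_e

def main_mode(init, resp):
    """Phase 1: SA negotiation, DH key exchange, then PSK authentication."""
    chosen = select_proposal(init.phase1, resp.phase1)
    if chosen is None:
        raise ValueError("phase 1: NO-PROPOSAL-CHOSEN")
    sa_i = repr(init.phase1).encode()             # SAi_b: the offered SA payload body
    cky_i, cky_r, n_i, n_r = init.cookie, resp.cookie, init.nonce, resp.nonce
    gxi, gxr = i2b(init.dh_pub), i2b(resp.dh_pub)
    # Each side derives keys from the peer's public DH value and its OWN PSK.
    skeyid_i, skd_i, _, ske_i = init.skeyids(resp.dh_pub, cky_i, cky_r, n_i, n_r)
    skeyid_r, skd_r, _, ske_r = resp.skeyids(init.dh_pub, cky_i, cky_r, n_i, n_r)
    # HASH_I travels initiator -> responder, who recomputes it with its own SKEYID.
    hash_i_sent = prf(skeyid_i, gxi + gxr + cky_i + cky_r + sa_i + init.ident)
    hash_i_want = prf(skeyid_r, gxi + gxr + cky_i + cky_r + sa_i + init.ident)
    if not hmac.compare_digest(hash_i_sent, hash_i_want):
        raise ValueError("phase 1: initiator authentication failed (PSK mismatch?)")
    hash_r_sent = prf(skeyid_r, gxr + gxi + cky_r + cky_i + sa_i + resp.ident)
    hash_r_want = prf(skeyid_i, gxr + gxi + cky_r + cky_i + sa_i + resp.ident)
    if not hmac.compare_digest(hash_r_sent, hash_r_want):
        raise ValueError("phase 1: responder authentication failed")
    assert ske_i == ske_r                         # the phase-1 SA that protects quick mode
    return chosen, skd_i, skd_r

def quick_mode(init, resp, skd_i, skd_r):
    """Phase 2 under the phase-1 SA: pick the IPSec SA and derive KEYMAT (no PFS)."""
    chosen = select_proposal(init.phase2, resp.phase2)
    if chosen is None:
        raise ValueError("phase 2: NO-PROPOSAL-CHOSEN")
    spi, n_i, n_r = secrets.token_bytes(4), secrets.token_bytes(16), secrets.token_bytes(16)
    keymat_i = prf(skd_i, b"\x03" + spi + n_i + n_r)   # 0x03 = PROTO_IPSEC_ESP
    keymat_r = prf(skd_r, b"\x03" + spi + n_i + n_r)
    return chosen, keymat_i, keymat_r

def negotiate(init, resp):
    """Run both phases; report the outcome the way a gateway log would."""
    try:
        p1, skd_i, skd_r = main_mode(init, resp)
        p2, km_i, km_r = quick_mode(init, resp, skd_i, skd_r)
    except ValueError as err:
        return {"ok": False, "error": str(err)}
    return {"ok": True, "phase1": p1, "phase2": p2, "keymat_match": km_i == km_r}

if __name__ == "__main__":
    gw = Peer("gateway", b"correct horse", GW_PHASE1, GW_PHASE2)
    app = Peer("app", b"correct horse", [("3des", "sha1", 2), ("aes", "sha1", 14)], GW_PHASE2)
    print(negotiate(app, gw))
    print(negotiate(Peer("app", b"wrong", GW_PHASE1, GW_PHASE2), gw))
```

Note that the initiator's proposal order decides which of the four proposals is used: the application above lists 3DES first, so the tunnel comes up with 3DES even though the gateway prefers AES. Putting the strongest proposal first on both sides avoids that.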
V7122 Gateway User Guide