D-Link DFL-260-IPS-12 Product Manual - Page 397
IKE Authentication, IPsec SAs.
View all D-Link DFL-260-IPS-12 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 397 highlights
9.3.3. IKE Authentication Chapter 9. VPN through a series of plain text exchanges. Even though the exchanges between the parties might be monitored by a third party, Diffie-Hellman makes it extremely difficult for the third party to determine what the agreed shared secret key is and to decrypt data that is encrypted using the key. Diffie-Hellman is used to establish the shared secret keys for IKE, IPsec and PFS. The Diffie-Hellman group indicates the degree of security used for DH exchanges. The higher the group number, the greater the security but also the processing overhead. The DH groups supported by NetDefendOS are as follows: • DH group 1 (768-bit) • DH group 2 (1024-bit) • DH group 5 (1536-bit) All these HA groups are available for use with IKE, IPsec and PFS. 9.3.3. IKE Authentication Manual Keying The "simplest" way of configuring a VPN is by using a method called manual keying. This is a method where IKE is not used at all; the encryption and authentication keys as well as some other parameters are directly configured on both sides of the VPN tunnel. Note NetDefendOS does not support manual keying. Manual Keying Advantages Since it is very straightforward it will be quite interoperable. Most interoperability problems encountered today are in IKE. Manual keying completely bypasses IKE and sets up its own set of IPsec SAs. Manual Keying Disadvantages It is an old method, which was used before IKE came into use, and is thus lacking all the functionality of IKE. This method therefore has a number of limitations, such as having to use the same encryption/authentication key always, no anti-replay services, and it is not very flexible. There is also no way of assuring that the remote host/firewall really is the one it says it is. This type of connection is also vulnerable for something called "replay attacks", meaning a malicious entity which has access to the encrypted traffic can record some packets, store them, and send them to its destination at a later time. The destination VPN endpoint will have no way of telling if this packet is a "replayed" packet or not. Using IKE eliminates this vulnerability. PSK Using a Pre-shared Key (PSK) is a method where the endpoints of the VPN "share" a secret key. This is a service provided by IKE, and thus has all the advantages that come with it, making it far more flexible than manual keying. PSK Advantages 397