D-Link DFL-800-AV-12 User Manual - Page 242
IKE Phase-2 - IPsec Security Negotiation, IKE Parameters, Endpoint Identification, Local and Remote
View all D-Link DFL-800-AV-12 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 242 highlights
9.3.2. Internet Key Exchange (IKE) Chapter 9. VPN Authentication can be accomplished through Pre-Shared Keys, certificates or public key encryption. Pre-Shared Keys is the most common authentication method today. PSK and certificates are supported by the NetDefendOS VPN module. IKE Phase-2 - IPsec Security Negotiation In phase two, another negotiation is performed, detailing the parameters for the IPsec connection. In phase-2 we will also extract new keying material from the Diffie-Hellman key exchange in phase-1, to provide session keys to use in protecting the VPN data flow. If PFS, Perfect Forwarding Secrecy, is used, a new Diffie-Hellman exchange is performed for each phase-2 negotiation. While this is slower, it makes sure that no keys are dependent on any other previously used keys; no keys are extracted from the same initial keying material. This is to make sure that, in the unlikely event that some key was compromised, no subsequent keys can be derived. Once the phase-2 negotiation is finished, the VPN connection is established and ready for use. IKE Parameters There are a number of parameters used in the negotiation process. Below is a summary of the configuration parameters needed to establish a VPN connection. Understanding what these parameters do before attempting to configure the VPN endpoints is highly recommended, since it is of great importance that both endpoints are able to agree on all of these parameters. When installing two D-Link Firewalls as VPN endpoints, this process is reduced to comparing fields in two identical dialog boxes. However, it is not quite as easy when equipment from different vendors is involved. Endpoint Identification Local and Remote Networks/Hosts Tunnel / Transport Mode The Local ID is a piece of data representing the identity of the VPN gateway. With Pre-Shared Keys this is a unique piece of data uniquely identifying the tunnel endpoint. Authentication using Pre-Shared Keys is based on the Diffie-Hellman algorithm. These are the subnets or hosts between which IP traffic will be protected by the VPN. In a LAN-to-LAN connection, these will be the network addresses of the respective LANs. If roaming clients are used, the remote network will most likely be set to all-nets, meaning that the roaming client may connect from anywhere. IPsec can be used in two modes, tunnel or transport. Tunnel mode indicates that the traffic will be tunneled to a remote device, which will decrypt/authenticate the data, extract it from its tunnel and pass it on to its final destination. This way, an eavesdropper will only see encrypted traffic going from one of VPN endpoint to another. In transport mode, the traffic will not be tunneled, and is hence not applicable to VPN tunnels. It can be used to secure a connection from a VPN client directly to the D-Link Firewall, for example for IPsec protected remote configuration. This setting will typically be set to "tunnel" in most 242