D-Link DFL-860E User Manual for DFL-260E - Page 447
Chapter 9. VPN

9.4.5. Troubleshooting with ikesnoop

The output from the verbose option can be difficult to interpret for an administrator seeing it for the first time. Presented below is some typical ikesnoop output with annotations to explain it. The tunnel negotiation considered is based on Pre-shared Keys. A negotiation based on certificates is not discussed here but the principles are similar. Complete ikesnoop command options can be found in the CLI Reference Guide.

The Client and the Server

The two parties involved in the tunnel negotiation are referred to in this section as the client and the server. In this context, "client" refers to the device that initiates the negotiation and "server" refers to the device that responds to it.

Step 1. Client Initiates Exchange by Sending a Supported Algorithm List

The verbose option output first shows the list of proposed algorithms that the client sends to the server. This list details the protocols and encryption methods the client can support. The client sends it so that a set of protocols/methods supported by both sides can be found: the server examines the list and attempts to find a combination of the protocols/methods proposed by the client that it can support. This matching process is one of the key purposes of the IKE exchange. Note that this first main mode message is sent in the clear, so the list also reveals to anyone on the path every algorithm the client is prepared to accept, including the weakest one it proposes.
IkeSnoop: Received IKE packet from 192.168.0.10:500
Exchange type          : Identity Protection (main mode)
ISAKMP Version         : 1.0
Flags                  :
Cookies                : 0x6098238b67d97ea6 -> 0x00000000
Message ID             : 0x00000000
Packet length          : 324 bytes
# payloads             : 8

Payloads:
  SA (Security Association)
    Payload data length : 152 bytes
    DOI                 : 1 (IPsec DOI)
    Proposal 1/1
      Protocol 1/1
        Protocol ID     : ISAKMP
        SPI Size        : 0
        Transform 1/4
          Transform ID           : IKE
          Encryption algorithm   : Rijndael-cbc (aes)
          Key length             : 128
          Hash algorithm         : MD5
          Authentication method  : Pre-Shared Key
          Group description      : MODP 1024
          Life type              : Seconds
          Life duration          : 43200
          Life type              : Kilobytes
          Life duration          : 50000
        Transform 2/4
          Transform ID           : IKE
          Encryption algorithm   : Rijndael-cbc (aes)
          Key length             : 128
          Hash algorithm         : SHA
          Authentication method  : Pre-Shared Key
          Group description      : MODP 1024
          Life type              : Seconds
          Life duration          : 43200
          Life type              : Kilobytes
          Life duration          : 50000
        Transform 3/4
          Transform ID           : IKE
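To make the fields above concrete, here is an added worked example (written for this page; it is not code from the D-Link manual or from NetDefendOS) that builds a constructed first main mode message with the same shape as the ikesnoop output (ISAKMP header, one SA payload, one proposal for protocol ISAKMP, a list of IKE transforms), decodes it according to RFC 2408/2409, prints each transform the way ikesnoop does, and then performs the server-side matching step: walking the client's list and returning the first transform that the server's configured policy allows. The packet contents, the cookie value, the two transforms (AES-128, PSK, MODP 1024, with MD5 and then SHA) and the example server policy are all constructed for illustration; the real capture above carries four transforms and eight payloads, and the parser assumes the SA payload is the first payload, as it is in main mode message 1.

```python
"""Decode and match an IKEv1 main mode first message (constructed example).

Added example, not code from the D-Link manual or NetDefendOS. It builds a packet
shaped like the ikesnoop output above, parses it per RFC 2408/2409, and lets a
responder pick the first transform its policy allows.
"""
import struct

# RFC 2409 Appendix A: IKE attribute types and the values ikesnoop prints by name
ATTR = {1: "enc", 2: "hash", 3: "auth", 4: "group", 11: "life_type", 12: "life_dur", 14: "keylen"}
NAMES = {"enc": {7: "Rijndael-cbc (aes)"}, "hash": {1: "MD5", 2: "SHA"}, "auth": {1: "Pre-Shared Key"},
         "group": {2: "MODP 1024", 14: "MODP 2048"}, "life_type": {1: "Seconds", 2: "Kilobytes"}}
EXCHANGE = {2: "Identity Protection (main mode)", 4: "Aggressive"}

# Constructed client proposal: AES-128, PSK, MODP 1024; hash MD5 (1) first, then SHA (2)
CLIENT_TRANSFORMS = [
    [(1, 7), (14, 128), (2, 1), (3, 1), (4, 2), (11, 1), (12, 43200), (11, 2), (12, 50000)],
    [(1, 7), (14, 128), (2, 2), (3, 1), (4, 2), (11, 1), (12, 43200), (11, 2), (12, 50000)],
]

def _attr(atype, value):
    if value <= 0xFFFF:
        return struct.pack("!HH", 0x8000 | atype, value)   # TV form: AF bit set, 16-bit value inline
    return struct.pack("!HHI", atype, 4, value)             # TLV form: length 4, value follows

def _transform(num, is_last, attrs):
    body = struct.pack("!BBH", num, 1, 0) + b"".join(_attr(t, v) for t, v in attrs)  # ID 1 = KEY_IKE
    return struct.pack("!BBH", 0 if is_last else 3, 0, 4 + len(body)) + body           # next 3 = Transform

def build_first_message(icookie, transforms):
    """Initiator's first main mode packet: responder cookie and message ID are still zero."""
    tr = b"".join(_transform(i + 1, i == len(transforms) - 1, a) for i, a in enumerate(transforms))
    prop = struct.pack("!BBBB", 1, 1, 0, len(transforms)) + tr   # proposal 1, protocol 1 = ISAKMP, SPI size 0
    prop = struct.pack("!BBH", 0, 0, 4 + len(prop)) + prop
    sa = struct.pack("!II", 1, 1) + prop                          # DOI 1 = IPsec, situation SIT_IDENTITY_ONLY
    sa = struct.pack("!BBH", 0, 0, 4 + len(sa)) + sa              # next payload 0: SA is the only payload here
    return struct.pack("!8s8sBBBBII", icookie, bytes(8), 1, 0x10, 2, 0, 0, 28 + len(sa)) + sa

def parse_first_message(pkt):
    """Return the header fields plus one dict per transform holding raw attribute values."""
    if len(pkt) < 28:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, nxt, ver, xchg, flags, msgid, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    if rcookie != bytes(8) or msgid != 0 or length != len(pkt) or nxt != 1:
        raise ValueError("not a first main mode message carrying an SA payload")
    info = {"exchange": EXCHANGE.get(xchg, xchg), "version": f"{ver >> 4}.{ver & 0xF}", "flags": flags,
            "icookie": icookie.hex(), "length": length, "transforms": []}
    info["doi"] = struct.unpack("!I", pkt[32:36])[0]                # SA generic header is 28..32
    _, _, _, _, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", pkt[40:48])
    info["protocol"] = proto
    t = 48 + spi_size
    for _ in range(ntrans):
        _, _, tlen, tnum, tid = struct.unpack("!BBHBB", pkt[t:t + 6])
        tr, a = {"num": tnum, "id": tid, "lifetimes": []}, t + 8
        while a < t + tlen:
            atype, aval = struct.unpack("!HH", pkt[a:a + 4])
            if atype & 0x8000:                                      # TV: value is inline
                name, val, a = ATTR.get(atype & 0x7FFF, atype & 0x7FFF), aval, a + 4
            else:                                                   # TLV: aval is the value length
                name, val, a = ATTR.get(atype, atype), int.from_bytes(pkt[a + 4:a + 4 + aval], "big"), a + 4 + aval
            if name == "life_type":                                 # each life type is followed by its duration
                tr["lifetimes"].append([val, None])
            elif name == "life_dur":
                if not tr["lifetimes"] or tr["lifetimes"][-1][1] is not None:
                    raise ValueError("life duration without a preceding life type")
                tr["lifetimes"][-1][1] = val
            else:
                tr[name] = val
        info["transforms"].append(tr)
        t += tlen
    return info

def describe(tr):
    """Render one transform the way ikesnoop prints it."""
    lines = [f"Transform {tr['num']}", "Transform ID : IKE" if tr["id"] == 1 else f"Transform ID : {tr['id']}"]
    for key, label in (("enc", "Encryption algorithm"), ("keylen", "Key length"), ("hash", "Hash algorithm"),
                       ("auth", "Authentication method"), ("group", "Group description")):
        if key in tr:
            lines.append(f"{label} : {NAMES.get(key, {}).get(tr[key], tr[key])}")
    for ltype, dur in tr["lifetimes"]:
        lines += [f"Life type : {NAMES['life_type'].get(ltype, ltype)}", f"Life duration : {dur}"]
    return lines

def select_transform(transforms, policy):
    """Responder side: first client transform (in the client's order) whose parameters the policy allows."""
    for tr in transforms:
        if all(tr.get(key) in allowed for key, allowed in policy.items()):
            return tr["num"]
    return None

if __name__ == "__main__":
    pkt = build_first_message(bytes.fromhex("6098238b67d97ea6"), CLIENT_TRANSFORMS)
    info = parse_first_message(pkt)
    for tr in info["transforms"]:
        print("\n".join(describe(tr)))
    # Example server policy that refuses MD5: transform 1 is skipped, transform 2 is chosen
    policy = {"enc": {7}, "keylen": {128, 256}, "hash": {2}, "auth": {1}, "group": {2, 14}}
    print("Selected transform:", select_transform(info["transforms"], policy))
```

The policy dict stands in for the server's configured IKE algorithm list. Running the block with a policy that refuses MD5 selects transform 2, which is the kind of result to look for when a tunnel fails at this step: if no transform in the client's list satisfies the server's policy, the selection returns None and no SA can be set up, which is the first thing to compare against the configured proposal lists on both devices.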