ZyXEL UAG715 User Guide - Page 274
Authentication
View all ZyXEL UAG715 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 274 highlights
Chapter 22 IPSec VPN Figure 182 IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange Diffie-Hellman key exchange 3 X 4 Y DH public-key cryptography is based on DH key groups. Each key group is a fixed number of bits long. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. For example, DH2 keys (1024 bits) are more secure than DH1 keys (768 bits), but DH2 keys take longer to encrypt and decrypt. Authentication Before the UAG and remote IPSec router establish an IKE SA, they have to verify each other's identity. This process is based on pre-shared keys and router identities. In main mode, the UAG and remote IPSec router authenticate each other in steps 5 and 6, as illustrated below. The identities are also encrypted using the encryption algorithm and encryption key the UAG and remote IPSec router selected in previous steps. Figure 183 IKE SA: Main Negotiation Mode, Steps 5 - 6: Authentication (continued) Step 5: pre-shared key UAG identity, consisting of - ID type - content Step 6: pre-shared key Remote IPSec router identity, consisting of - ID type - content 5 X 6 Y You have to create (and distribute) a pre-shared key. The UAG and remote IPSec router use it in the authentication process, though it is not actually transmitted or exchanged. Note: The UAG and the remote IPSec router must use the same pre-shared key. Router identity consists of ID type and content. The ID type can be domain name, IP address, or email address, and the content is a (properly-formatted) domain name, IP address, or e-mail address. The content is only used for identification. Any domain name or e-mail address that you 274 UAG715 User's Guide