D-Link DFL-2500 User Guide - Page 235
IKE Phase-2
Chapter 22. VPN Protocols & Tunnels (page 216)

• Authenticate the communicating parties, either with a pre-shared key (PSK) or with certificates.
• Exchange keying material using the Diffie-Hellman method.
• IKE SAs are created.

IKE Phase-2 - Negotiate how IPsec should be protected.

• Create a pair of IPsec SAs using the IKE SAs from phase-1, detailing the parameters for the IPsec connection.
• Extract new keying material from the Diffie-Hellman key exchange in phase-1, to provide session keys for protecting the VPN data flow.

Both the IKE SAs and the IPsec SAs have limited lifetimes, expressed as time (seconds) and as data (kilobytes). These lifetimes prevent a connection from being used for too long, which is desirable from a cryptanalysis perspective.

IKE phase-1 involves very heavy computation, so its lifetime is generally longer than the phase-2 IPsec lifetime. This allows the IPsec connection to be re-keyed simply by performing another phase-2 negotiation. There is no need to do another phase-1 negotiation until the IKE SA's lifetime has expired.

Negotiation Modes

The IKE negotiation has two modes of operation, main mode and aggressive mode. The difference between the two is that aggressive mode passes more information in fewer packets, with the benefit of slightly faster connection establishment, at the cost of transmitting the identities of the security gateways in the clear. When using aggressive mode, some configuration parameters, such as Diffie-Hellman groups, cannot be negotiated, so it becomes more important to have "compatible" configurations on both communication ends.

D-Link Firewalls User's Guide
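The lifetime and re-keying behaviour described above, modelled as an added example (this is not code from the D-Link manual): the simulation assumes a simplified model in which a phase-1 negotiation is repeated only when a phase-2 re-key finds the IKE SA expired, IKE SAs are time-limited only, and the names Lifetime, Sa and simulate_rekeys are my own.

```python
from dataclasses import dataclass


@dataclass
class Lifetime:
    seconds: int        # time limit of the SA
    kilobytes: int = 0  # data limit; 0 means no data limit


@dataclass
class Sa:
    lifetime: Lifetime
    age: int = 0        # seconds since the SA was negotiated
    kbytes: int = 0     # data protected under this SA so far

    def expired(self) -> bool:
        # An SA is worn out when EITHER limit is reached, whichever comes first.
        if self.age >= self.lifetime.seconds:
            return True
        return self.lifetime.kilobytes > 0 and self.kbytes >= self.lifetime.kilobytes


def simulate_rekeys(ike_life: Lifetime, ipsec_life: Lifetime,
                    duration_s: int, traffic_kb_per_s: int) -> dict:
    """Count the phase-1 and phase-2 negotiations needed to keep one tunnel up
    for duration_s seconds at a constant traffic rate (constructed model)."""
    phase1 = phase2 = 0
    ike = ipsec = None
    for _ in range(duration_s):
        if ipsec is None or ipsec.expired():
            # A phase-2 re-key reuses the existing IKE SA; the expensive phase-1
            # is only repeated once the IKE SA's own lifetime has run out.
            if ike is None or ike.expired():
                ike = Sa(ike_life)
                phase1 += 1
            ipsec = Sa(ipsec_life)
            phase2 += 1
        ike.age += 1
        ipsec.age += 1
        ipsec.kbytes += traffic_kb_per_s
    return {"phase1": phase1, "phase2": phase2}


if __name__ == "__main__":
    # Constructed values: IKE SA 8 h, IPsec SA 1 h or 100 MB, tunnel held up 24 h.
    ike = Lifetime(seconds=8 * 3600)
    ipsec = Lifetime(seconds=3600, kilobytes=100_000)
    print("idle tunnel:", simulate_rekeys(ike, ipsec, 24 * 3600, 0))
    print("busy tunnel:", simulate_rekeys(ike, ipsec, 24 * 3600, 100))
```

On the busy tunnel the data limit (100 MB at 100 kB/s, i.e. every 1000 s) fires before the one-hour time limit, so phase-2 re-keys become far more frequent while the number of phase-1 negotiations stays the same.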