D-Link DFL-2500 User Guide - Page 237
Key Exchange, NAT Traversal
218 Chapter 22. VPN Protocols & Tunnels

PFS is very resource and time consuming and is generally disabled, since it is very unlikely that any encryption or authentication keys will be compromised.

Key Exchange

IKE exchanges the symmetric encryption key using the Diffie-Hellman key exchange protocol. The level of security it offers is configurable by specifying the Diffie-Hellman (DH) group. The Diffie-Hellman groups supported by D-Link VPN are:

• DH group 1 (768-bit)
• DH group 2 (1024-bit)
• DH group 5 (1536-bit)

The security of the key exchange increases as the DH groups grow larger, as does the time of the exchange.

NAT Traversal

One big problem encountered by the IKE and IPsec protocols is the use of NAT, since the IKE and IPsec protocols were not designed to work through NATed networks. Because of this, something called "NAT traversal" has evolved. NAT traversal is an add-on to the IKE and IPsec protocols that makes them work when being NATed. In short, NAT traversal is divided into two parts:

• Additions to IKE that let IPsec peers tell each other that they support NAT traversal, and the specific versions of the draft they support.
• Changes to the ESP encapsulation. If NAT traversal is used, ESP is encapsulated in UDP, which allows for more flexible NATing.

NAT traversal is only used if both ends have support for it. For this purpose, NAT traversal aware VPNs send out a special "vendor ID", telling the other end that it understands NAT traversal, and which specific versions of the draft it supports.

To detect the necessity of using NAT traversal, both IPsec peers send hashes of their own IP addresses along with the source UDP port used in the IKE negotiations. This information is used to see whether the IP

D-Link Firewalls User's Guide
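As an added illustration, not taken from the D-Link manual or its firmware, the following Python models the two NAT traversal mechanisms described above: the vendor-ID capability check and the hash of own address and IKE source port that lets the receiver detect a NAT in the path. The cookie values, the list of draft names and the choice of MD5 for vendor IDs and SHA-1 for the address hash are assumptions; the address-hash layout follows RFC 3947.

```python
import hashlib
import ipaddress
import struct

# Vendor ID payloads are MD5 over the specification name (RFC 3947 style).
# The draft names below are the versions this example assumes both peers know.
NAT_T_VERSIONS = ["RFC 3947", "draft-ietf-ipsec-nat-t-ike-03", "draft-ietf-ipsec-nat-t-ike-02"]

def vendor_id(spec: str) -> bytes:
    return hashlib.md5(spec.encode()).digest()

def negotiate_nat_t(local_specs, peer_vendor_ids):
    """Return the first locally preferred NAT-T version whose vendor ID the
    peer also sent, or None: NAT traversal is used only if both ends support it."""
    peer = set(peer_vendor_ids)
    for spec in local_specs:
        if vendor_id(spec) in peer:
            return spec
    return None

def nat_d_hash(cookie_i, cookie_r, ip, port) -> bytes:
    """NAT-D payload: hash over the ISAKMP cookies, the sender's own IP address
    and its IKE UDP source port (RFC 3947 layout; SHA-1 assumed as the hash)."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cookie_i + cookie_r + addr + struct.pack("!H", port)).digest()

def nat_in_path(received_hash, cookie_i, cookie_r, seen_ip, seen_port) -> bool:
    """Receiver recomputes the hash from the source address/port it actually
    observed on the wire; a mismatch means a NAT rewrote the packet in transit."""
    return nat_d_hash(cookie_i, cookie_r, seen_ip, seen_port) != received_hash

# Constructed sample cookies, not captured from real traffic.
COOKIE_I = bytes.fromhex("0011223344556677")
COOKIE_R = bytes.fromhex("8899aabbccddeeff")

def check_peer(claimed_ip, claimed_port, seen_ip, seen_port) -> bool:
    """Simulate one peer sending its NAT-D hash and the other checking it."""
    sent = nat_d_hash(COOKIE_I, COOKIE_R, claimed_ip, claimed_port)
    return nat_in_path(sent, COOKIE_I, COOKIE_R, seen_ip, seen_port)

if __name__ == "__main__":
    # Peer advertises only RFC 3947; both ends agree on that version.
    print(negotiate_nat_t(NAT_T_VERSIONS, [vendor_id("RFC 3947")]))
    # Direct path: address and port unchanged, so no NAT is detected.
    print(check_peer("192.0.2.10", 500, "192.0.2.10", 500))
    # Peer behind NAT: private 10.0.0.5:500 arrives as 198.51.100.7:4500.
    print(check_peer("10.0.0.5", 500, "198.51.100.7", 4500))
```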