IPsec VPN Overview
Alcatel-Lucent CLI Configuration Guide (Beta)
The above figure shows the basic Main mode message exchanges. In Main mode, the negotiating parties use six messages. The first two messages negotiate the security policy that will be used to protect the phase II messages. The next two messages perform a Diffie-Hellman key exchange and pass nonces (random numbers sent for signing) to each other. The last two messages are used to authenticate the peers. To authenticate peers, the following can be used:
• Preshared keys (PSK) - A shared secret is distributed out-of-band to the peers. The peers use this information and nonce parameters to create a hash that is used to authenticate messages. PSK is a secret alpha-numeric key that is created by the person configuring IPsec. This "secret password" is exactly the same on all the computers authenticating the connection and is case-sensitive.
• Digital Signatures (RSA or DSS) - Certificates of the peers are exchanged in the last two messages and hashes are calculated over these certificates to authenticate each other. An "RSA Key" is an authentication method that uses a program to generate a set of authentication keys. This program is built into IPsec.
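As an added illustration of the PSK authentication described above (not code from the guide or from the OmniAccess product), the following Python derives SKEYID and the HASH_I/HASH_R values defined in RFC 2409 from a pre-shared key and the two nonces, then checks them as the Main mode peers do in messages 5 and 6. All cookie, nonce, identity, SA and Diffie-Hellman values are constructed sample bytes, and HMAC-SHA1 is assumed as the negotiated prf.

```python
import hmac
import hashlib

# Constructed sample values standing in for what the Main mode messages carry
# (not taken from a real capture): CKY-I/CKY-R are the ISAKMP header cookies,
# SAi_b the initiator's SA payload body, IDii_b/IDir_b the identity payload
# bodies, Ni_b/Nr_b the nonces, and g^xi/g^xr the Diffie-Hellman public values.
EXCHANGE = {
    "cky_i": bytes.fromhex("0011223344556677"),
    "cky_r": bytes.fromhex("8899aabbccddeeff"),
    "sai_b": b"\x00\x00\x00\x01" + b"\x03" * 20,            # constructed SA body
    "idii_b": b"\x01\x00\x00\x00" + bytes([10, 0, 0, 1]),    # ID_IPV4_ADDR 10.0.0.1
    "idir_b": b"\x01\x00\x00\x00" + bytes([10, 0, 0, 2]),    # ID_IPV4_ADDR 10.0.0.2
    "ni_b": bytes(range(16)),       # initiator nonce (constructed, message 3)
    "nr_b": bytes(range(16, 32)),   # responder nonce (constructed, message 4)
    "gxi": b"\x5a" * 128,           # initiator DH public value (constructed)
    "gxr": b"\xa5" * 128,           # responder DH public value (constructed)
}

def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: the negotiated keyed hash, assumed here to be HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID for pre-shared-key authentication: prf(PSK, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)

def hash_i(skeyid: bytes, x: dict) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, x["gxi"] + x["gxr"] + x["cky_i"] + x["cky_r"]
               + x["sai_b"] + x["idii_b"])

def hash_r(skeyid: bytes, x: dict) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, x["gxr"] + x["gxi"] + x["cky_r"] + x["cky_i"]
               + x["sai_b"] + x["idir_b"])

def main_mode_auth(psk_initiator: str, psk_responder: str, x: dict = EXCHANGE) -> bool:
    """Messages 5 and 6: each side sends its hash and the other recomputes it
    from its own copy of the PSK. Both checks must pass for phase 1 to succeed."""
    skeyid_i = skeyid_psk(psk_initiator.encode(), x["ni_b"], x["nr_b"])
    skeyid_r = skeyid_psk(psk_responder.encode(), x["ni_b"], x["nr_b"])
    sent_hash_i = hash_i(skeyid_i, x)   # message 5, initiator -> responder
    sent_hash_r = hash_r(skeyid_r, x)   # message 6, responder -> initiator
    responder_ok = hmac.compare_digest(sent_hash_i, hash_i(skeyid_r, x))
    initiator_ok = hmac.compare_digest(sent_hash_r, hash_r(skeyid_i, x))
    return responder_ok and initiator_ok

if __name__ == "__main__":
    print(main_mode_auth("Sh4red-Secret", "Sh4red-Secret"))   # True
    print(main_mode_auth("Sh4red-Secret", "sh4red-secret"))   # False: PSK is case-sensitive
```

Because SKEYID is keyed only by the PSK and the nonces, any difference in the configured secret on either peer, including letter case, changes both hashes and phase 1 authentication fails.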
PHASE II
This phase is also called "Quick Mode". It is used to establish the IPsec SA and generate the new keying material. The figure below shows the Quick mode message exchanges:
Figure 29: Phase 2 Negotiation - Quick Mode
[Figure 29 shows three messages between Initiator and Responder:
Message 1 (Initiator to Responder): ISAKMP Header, Proposal Payload(s), Identity Payload(s); encrypted.
Message 2 (Responder to Initiator): ISAKMP Header, Accepted Proposal Payload, Identity Payload(s); encrypted, with ICV.
Message 3 (Initiator to Responder): ISAKMP Header, Identity Payload, Authentication Data Payload; encrypted, with ICV.]
A full Diffie-Hellman key exchange may be done to provide Perfect Forward Secrecy (PFS).
Summary of Contents for OmniAccess 700