However, since we do not want to publish to much of the negotiation in plaintext, we first agree
upon a way of protecting the rest of the IKE negotiation. This is done, as described in the previous
section, by the initiator sending a proposal-list to the responder. When this has been done, and the
responder accepted one of the proposals, we try to authenticate the other end of the VPN to make
sure it is who we think it is, as well as proving to the remote device that we are who we claim to be.
A technique known as a Diffie Hellman Key Exchange is used to initially agree a shared secret
between the two parties in the negotiation and to derive keys for encryption.
Authentication can be accomplished through Pre-Shared Keys, certificates or public key encryption.
Pre-Shared Keys is the most common authentication method today. PSK and certificates are
supported by the NetDefendOS VPN module.
IKE Phase-2 - IPsec Security Negotiation
In phase two, another negotiation is performed, detailing the parameters for the IPsec connection.
In phase-2 we will also extract new keying material from the Diffie-Hellman key exchange in
phase-1, to provide session keys to use in protecting the VPN data flow.
If Perfect Forwarding Secrecy (PFS) is used, a new Diffie-Hellman exchange is performed for each
phase-2 negotiation. While this is slower, it makes sure that no keys are dependent on any other
previously used keys; no keys are extracted from the same initial keying material. This is to make
sure that, in the unlikely event that some key was compromised, no subsequent keys can be derived.
Once the phase-2 negotiation is finished, the VPN connection is established and ready for use.
IKE Parameters
There are a number of parameters used in the negotiation process.
Below is a summary of the configuration parameters needed to establish a VPN connection.
Understanding what these parameters do before attempting to configure the VPN endpoints is
strongly recommended, since it is of great importance that both endpoints are able to agree on all of
these parameters.
When installing two D-Link Firewalls as VPN endpoints, this process is reduced to comparing fields
in two identical dialog boxes. However, it is not quite as easy when equipment from different
vendors is involved.
Endpoint Identification
The Local ID is a piece of data representing the identity of the
VPN gateway. With Pre-Shared Keys this is a unique piece of
data uniquely identifying the tunnel endpoint.
Authentication using Pre-Shared Keys is based on the
Diffie-Hellman algorithm.
Local and Remote
Networks/Hosts
These are the subnets or hosts between which IP traffic will
be protected by the VPN. In a LAN-to-LAN connection, these
will be the network addresses of the respective LANs.
If roaming clients are used, the remote network will most
likely be set to all-nets, meaning that the roaming client may
connect from anywhere.
Tunnel / Transport Mode
IPsec can be used in two modes, tunnel or transport.
Tunnel mode indicates that the traffic will be tunneled to a
remote device, which will decrypt/authenticate the data,
extract it from its tunnel and pass it on to its final destination.
This way, an eavesdropper will only see encrypted traffic
going from one of VPN endpoint to another.
9.3.2. Internet Key Exchange (IKE)
Chapter 9. VPN
334
Summary of Contents for 800 - DFL 800 - Security Appliance
Page 24: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 24 ...
Page 69: ...2 6 4 Restore to Factory Defaults Chapter 2 Management and Maintenance 69 ...
Page 121: ...3 9 DNS Chapter 3 Fundamentals 121 ...
Page 181: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 181 ...
Page 192: ...5 5 IP Pools Chapter 5 DHCP Services 192 ...
Page 282: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 282 ...
Page 300: ...mechanism 7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 300 ...
Page 301: ...7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 301 ...
Page 318: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 318 ...
Page 322: ...ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 322 ...
Page 377: ...Management Interface Failure with VPN Chapter 9 VPN 377 ...
Page 408: ...10 4 6 SLB_SAT Rules Chapter 10 Traffic Management 408 ...
Page 419: ...11 5 HA Advanced Settings Chapter 11 High Availability 419 ...
Page 426: ...12 3 5 Limitations Chapter 12 ZoneDefense 426 ...
Page 449: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 449 ...