180
Fortinet Inc.
Key management
IPSec VPN
Key management
There are three basic elements in any encryption system:
• an algorithm which changes information into code,
• a cryptographic key which serves as a secret starting point for the algorithm,
• a management system to control the key.
IPSec provides two ways to handle key exchange and management: manual keying
and IKE for automated key management.
•
Manual Keys
•
Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates
Manual Keys
When manual keys are employed, matching security parameters must be entered at
both ends of the tunnel. These settings, which include both the encryption and
authentication keys, must be kept secret so that unauthorized parties cannot decrypt
the data, even if they know which encryption algorithm is being used.
Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates
To facilitate deployment of multiple tunnels, an automated system of key management
is required. IPSec supports the automated generation and negotiation of keys using
the Internet Key Exchange protocol. This method of key management is typically
referred to as AutoIKE. Fortinet supports AutoIKE with pre-shared keys and AutoIKE
with certificates.
AutoIKE with pre-shared keys
When both peers in a session have been configured with the same pre-shared key,
they can use it to authenticate themselves to each other. The peers do not actually
send the key to each other. Instead, as part of the security negotiation process, they
use it in combination with a Diffie-Hellman group to create a session key. The session
key is used for encryption and authentication purposes, and is automatically
regenerated during the communication session by IKE.
Pre-shared keys are similar to the manual keys in that they require the network
administrator to distribute and manage matching information at the VPN peer sites.
Whenever a pre-shared key changes, the administrator must update both sites.
AutoIKE with certificates
This method of key management involves the participation of a trusted third party, the
certificate authority (CA). Each peer in a VPN is first required to generate a set of
keys, known as a public/private key pair. The CA signs the public key for each peer,
creating a signed digital certificate. The peer then contacts the CA to retrieve their own
certificates, plus that of the CA itself. Once the certificates have been uploaded to the
FortiGate units and appropriate IPSec tunnels and policies have been configured, the
peers are ready to start communicating. As they do, IKE manages the exchange of
certificates, transmitting signed digital certificates from one peer to another. The
signed digital certificates are validated by the presence of the CA certificate at each
end. With authentication complete, the IPSec tunnel is then established.
In some respects, certificates are simpler to manage than manual keys or pre-shared
keys. For this reason, certificates are best suited to large network deployments.
Summary of Contents for FortiGate 60R
Page 12: ...Contents 12 Fortinet Inc...
Page 26: ...26 Fortinet Inc Customer service and technical support Introduction...
Page 42: ...42 Fortinet Inc Next steps Getting started...
Page 138: ...138 Fortinet Inc Customizing replacement messages System configuration...
Page 228: ...228 Fortinet Inc Logging attacks Network Intrusion Detection System NIDS...
Page 242: ...242 Fortinet Inc Exempt URL list Web filtering...
Page 256: ...256 Fortinet Inc Configuring alert email Logging and reporting...
Page 260: ...260 Fortinet Inc Glossary...
Page 270: ...270 Fortinet Inc Index...