
Alcatel-Lucent OmniAccess 5740 Cli Configuration Guide

Alcatel-Lucent OmniAccess 5740
1225 pages
IPsec VPN Overview
OmniAccess 5740 Unified Services Gateway CLI Configuration Guide
The above figure shows the basic Main mode message exchanges. In Main mode, the negotiating parties use six messages. The first two messages negotiate the security policy that will be used to protect the phase II messages. The next two messages perform a Diffie-Hellman key exchange and pass nonces (random numbers sent for signing) to each other. The last two messages are used to authenticate the peers. To authenticate peers, the following can be used:
• Preshared keys (PSK) - A shared secret is distributed out-of-band to the peers. The peers use this secret and the nonce parameters to create a hash that is used to authenticate messages. The PSK is a secret alphanumeric key that is created by the person configuring IPsec. This "secret password" is case-sensitive and must be exactly the same on all the computers authenticating the connection.
• Digital Signatures (RSA or DSS) - Certificates of the peers are exchanged in the last two messages and hashes are calculated over these certificates to authenticate each other. An "RSA Key" is an authentication method that uses a program to generate a set of authentication keys. This program is built into IPsec.
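The preshared-key authentication described above, as an added example that is not taken from the manual or from the OmniAccess software. It follows the RFC 2409 formulas for SKEYID, HASH_I and HASH_R, assumes HMAC-SHA1 as the negotiated prf, and uses constructed byte strings (the EXCHANGE dictionary and the sample key) in place of real message fields.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    """Assumption: SHA-1 was negotiated, so the IKE prf is HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid(psk: bytes, x: dict) -> bytes:
    # RFC 2409, preshared-key authentication: SKEYID = prf(PSK, Ni_b | Nr_b)
    return prf(psk, x["ni"] + x["nr"])

def hash_i(psk: bytes, x: dict) -> bytes:
    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    return prf(skeyid(psk, x), x["g_xi"] + x["g_xr"] + x["cky_i"]
               + x["cky_r"] + x["sa_i"] + x["id_i"])

def hash_r(psk: bytes, x: dict) -> bytes:
    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    return prf(skeyid(psk, x), x["g_xr"] + x["g_xi"] + x["cky_r"]
               + x["cky_i"] + x["sa_i"] + x["id_r"])

def responder_accepts(received: bytes, responder_psk: bytes, x: dict) -> bool:
    """Responder recomputes HASH_I from its own PSK and compares in constant time."""
    return hmac.compare_digest(received, hash_i(responder_psk, x))

# Constructed sample values standing in for fields carried in the Main mode messages.
EXCHANGE = {
    "ni": bytes.fromhex("a1" * 16),     # initiator nonce (message 3)
    "nr": bytes.fromhex("b2" * 16),     # responder nonce (message 4)
    "g_xi": bytes.fromhex("03" * 128),  # initiator Diffie-Hellman public value
    "g_xr": bytes.fromhex("04" * 128),  # responder Diffie-Hellman public value
    "cky_i": bytes.fromhex("c1" * 8),   # initiator cookie from the ISAKMP header
    "cky_r": bytes.fromhex("c2" * 8),   # responder cookie from the ISAKMP header
    "sa_i": b"constructed-SA-payload-body",
    "id_i": b"constructed-ID-initiator",
    "id_r": b"constructed-ID-responder",
}

if __name__ == "__main__":
    sent = hash_i(b"Site2Site-Key", EXCHANGE)  # initiator's hash in message 5
    print("same PSK      :", responder_accepts(sent, b"Site2Site-Key", EXCHANGE))
    print("case mismatch :", responder_accepts(sent, b"site2site-key", EXCHANGE))
    other = dict(EXCHANGE, nr=bytes.fromhex("b3" * 16))  # different nonce
    print("other nonce   :", responder_accepts(sent, b"Site2Site-Key", other))
```

A key that differs only in letter case fails the comparison, which is why the PSK must match exactly on every peer; a hash computed for one pair of nonces is also rejected in an exchange that uses a different nonce.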
PHASE II
This phase is also called "Quick Mode". It is used to establish the IPsec SA and
generate the new keying material. The figure below shows the Quick mode
message exchanges:
Figure 30: Phase 2 Negotiation - Quick Mode
A full Diffie-Hellman key exchange may be done to provide Perfect Forward
Secrecy (PFS).
[Figure 30 labels: INITIATOR and RESPONDER; MESSAGE 1, MESSAGE 2, MESSAGE 3. Payload stacks shown, each marked ENCRYPTED: ISAKMP Header, Proposal Payload(s), Identity Payload(s); ISAKMP Header, Identity Payload, Authentication Data Payload, ICV; ISAKMP Header, Accepted Proposal Payload, Identity Payload(s), ICV.]
