Third exchange: Verifies the other side's identity. The identity value is the IPsec peer's IP
address, sent encrypted under the keys established in the second exchange. The outcome of main
mode is a matching IKE SA in each peer, which provides a protected channel for the subsequent
ISAKMP exchanges (quick mode) between the IKE peers. The IKE SA specifies the values used for the
IKE exchange: the authentication method, the encryption and hash algorithms, the Diffie-Hellman
group, the lifetime of the IKE SA in seconds or kilobytes, and the shared secret key values for the
encryption algorithm. The IKE SA in each peer is bi-directional.
Aggressive Mode
Aggressive mode completes phase 1 in three messages instead of the six used by main mode. In the
first message the initiator sends almost everything at once: the proposed IKE SA values, its
Diffie-Hellman public value, a nonce that the other party authenticates, and its identity (which,
with certificate authentication, can be verified via a third party). The responder replies with
everything needed to complete the exchange, including its own identity and authentication hash,
and the initiator confirms with its own hash. The weakness of aggressive mode is that the identities
and authentication hashes are exchanged before there is a protected channel. With pre-shared key
authentication, an eavesdropper who captures the first two messages can test candidate keys against
the responder's hash offline, so aggressive mode should only be used with a long, random pre-shared
key, and main mode is preferred wherever the remote peer supports it.
ENCRYPTION ALGORITHM
The Case Communications 6401 allows the encryption algorithm used within IPsec to be selected.
The options are:
DES
3DES
AES 128
AES 192
AES 256
DES uses a 56-bit key and no longer offers meaningful protection against a determined attacker, and
3DES is deprecated; select AES (AES 128 or larger) unless the remote peer supports nothing else.
INTEGRITY ALGORITHM (SHA1 (default) or MD5)
IPsec verifies the integrity of a packet's content and the authenticity of its origin with a keyed
hash rather than a simple checksum: a Hash Message Authentication Code (HMAC) computed over the
packet with a secret key and either the MD5 or the SHA-1 hash function. The same HMAC is used by the
Authentication Header (AH) protocol and by ESP when authentication is enabled, and a peer that does
not hold the key cannot produce a valid value.
Message Digest 5 (MD5)—An algorithm that produces a 128-bit hash (message digest) from a message of
arbitrary length; within IPsec it is used as HMAC-MD5 with a 16-byte key, and the resulting value is
truncated to 96 bits (HMAC-MD5-96). The hash acts like a fingerprint of the input to verify content
and source authenticity and integrity. A hash is not a digital signature: the HMAC proves the packet
was produced by a holder of the shared key, not by one particular party.
Secure Hash Algorithm-1 (SHA-1)—An algorithm that produces a 160-bit hash from a message of
arbitrary length; within IPsec it is used as HMAC-SHA-1 with a 20-byte key, likewise truncated to
96 bits (HMAC-SHA-1-96). It is the stronger of the two options and should be left as the default;
MD5 is retained for interoperability with older peers. Because the computational processing is done
in the ASIC, the performance cost of either choice is negligible.
SELECT DIFFIE-HELLMAN GROUP (RANGE 768 – 8192 DEFAULT 1024)
The Diffie-Hellman key exchange method allows two parties with no prior knowledge of each other to
jointly establish a shared secret over an insecure communications channel: each party sends only a
public value, and the secret itself never passes over the wire. The shared secret is then used to
derive the symmetric keys that encrypt subsequent communications. The figure selected is the size
in bits of the prime modulus, which corresponds to the standard MODP groups (768 bits is group 1,
1024 bits is group 2, 1536 bits is group 5, 2048 bits is group 14, and so on up to 8192 bits,
group 18). The 768-bit and 1024-bit groups are considered too small against a well-resourced
adversary; select 2048 bits or larger wherever the remote peer supports it.
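The exchange and key derivation described in this section and in the integrity algorithm section, as an added example that is not part of the original manual or the 6401's firmware: a Python simulation of both IKE peers performing the Diffie-Hellman exchange over the 1024-bit MODP group (Oakley group 2, the device's default), then deriving the phase-1 keys from a pre-shared key and the two nonces with HMAC over the selected integrity hash (SHA1 or MD5) as RFC 2409 specifies. The pre-shared key, nonces and ISAKMP cookies are constructed values, and the encoding of g^xy as big-endian bytes of the modulus length is an assumption about wire format. The example also checks that the group modulus is a safe prime and rejects degenerate peer values, two checks a real implementation must perform.

```python
"""IKEv1 phase-1 keying: Diffie-Hellman over Oakley group 2 (1024-bit MODP),
then RFC 2409 SKEYID derivation from a pre-shared key, with HMAC over the
selected integrity hash (SHA1 or MD5). Illustrative code, not the 6401's firmware."""
import hashlib
import hmac
import secrets

# Oakley group 2 prime (RFC 2409, section 6.2) and its generator.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2

# The manual's integrity algorithm choice selects the hash inside the HMAC prf.
HASHES = {"SHA1": hashlib.sha1, "MD5": hashlib.md5}


def prf(hash_name, key, data):
    """RFC 2409 prf: HMAC keyed with `key` over `data` using the negotiated hash."""
    return hmac.new(key, data, HASHES[hash_name]).digest()


def is_probable_prime(n, rounds=16):
    """Miller-Rabin test, used to confirm the group modulus is a (safe) prime."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


class DhParty:
    """One IKE peer's half of the Diffie-Hellman exchange."""

    def __init__(self, p=GROUP2_P, g=GROUP2_G):
        self.p, self.g = p, g
        self.x = secrets.randbelow(p - 3) + 2   # private exponent, never sent
        self.public = pow(g, self.x, p)         # g^x mod p, sent in the clear

    def shared_secret(self, peer_public):
        # 0, 1 and p-1 (or anything out of range) would force g^xy to a value
        # an attacker can predict, so reject them before exponentiating.
        if not 2 <= peer_public <= self.p - 2:
            raise ValueError("peer public value out of range")
        return pow(peer_public, self.x, self.p)


def accepts_peer_value(party, value):
    """True if `party` would accept `value` as the peer's public DH value."""
    try:
        party.shared_secret(value)
        return True
    except ValueError:
        return False


def derive_phase1_keys(hash_name, psk, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 section 5: SKEYID for pre-shared-key authentication, then the
    derivation (d), authentication (a) and encryption (e) keys. `gxy` is the
    DH shared secret as big-endian bytes of the modulus length (assumed encoding)."""
    skeyid = prf(hash_name, psk, ni + nr)
    skeyid_d = prf(hash_name, skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(hash_name, skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(hash_name, skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def run_exchange(hash_name="SHA1", psk=b"constructed-demo-psk", p=GROUP2_P, g=GROUP2_G):
    """Simulate both peers: exchange public values and nonces, derive the keys."""
    initiator, responder = DhParty(p, g), DhParty(p, g)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)      # constructed nonces
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # constructed cookies
    # Each side combines its own private exponent with the peer's public value.
    gxy_i = initiator.shared_secret(responder.public)
    gxy_r = responder.shared_secret(initiator.public)
    size = (p.bit_length() + 7) // 8
    keys_i = derive_phase1_keys(hash_name, psk, ni, nr,
                                gxy_i.to_bytes(size, "big"), cky_i, cky_r)
    keys_r = derive_phase1_keys(hash_name, psk, ni, nr,
                                gxy_r.to_bytes(size, "big"), cky_i, cky_r)
    return {"dh_match": gxy_i == gxy_r, "keys_match": keys_i == keys_r,
            "key_len": len(keys_i[2]), "modulus_bits": p.bit_length()}


if __name__ == "__main__":
    print(run_exchange("SHA1"))
```

Running the block prints a result dictionary showing that both peers arrived at the same g^xy and the same SKEYID_d, SKEYID_a and SKEYID_e, with 20-byte keys for SHA1 and 16-byte keys for MD5. Swapping GROUP2_P for a larger RFC 3526 modulus is all that changes when a bigger group is selected in the menu above.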
KEY LIFE TIME
Define in this field the length of time before an IKE SA is automatically renegotiated. It may range
from 60 to 3,000,000 seconds (almost 35 days).
A short SA life time increases security by forcing the two VPN gateways to renegotiate fresh
encryption and authentication keys, which limits how much traffic is protected by any one key and
how long a compromised key remains useful. However, every time the VPN tunnel renegotiates, all
users accessing remote resources are temporarily disconnected, so the value is a trade-off between
key freshness and session stability.