Equinux VPN Tracker 5.4.4 User Manual Page 43
Phase 1 and Phase 2
Generating SAs according to IKE requires two phases. Phase 1 is defined according to the ISAKMP standard and generates an ISAKMP-SA (or IKE-SA). Two modes are defined: the faster Aggressive Mode uses three messages, while the more secure Main Mode uses six (three two-way exchanges). Because the participants' identities are not exchanged securely in Aggressive Mode, it does not provide identity protection.
The tunnel established in Phase 1 is used in Phase 2 (Quick Mode) to generate an IPSec-SA. Simply put: Phase 1 authenticates the peers, while Phase 2 configures the actual VPN tunnel.
It may seem odd to use an SA (a Phase 1 tunnel) to create another SA (a Phase 2 tunnel), but there are a number of good reasons for this:
  • A single ISAKMP-SA can be used to create multiple IPSec-SAs.
  • All authentication takes place in Phase 1, so the conversation in Phase 2 can be restricted to the actual IPSec parameters.
  • The separation of phases maintains the independence of IKE and IPSec: IKE is not restricted to creating IPSec-SAs in Phase 2, and IPSec-SAs can be created according to other standards.
Proposals
In both phases, the participants need to agree upon at least one proposal, i.e. a combination of
  • an encryption algorithm,
  • a hash algorithm (which is used for authentication in Phase 2), and
  • a Diffie-Hellman group (which is optional in Phase 2).
These parameters are used to generate SAs based on a pre-shared key or on certificates.
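An added example (not from the VPN Tracker manual) of how a responder selects one proposal from the combinations the initiator offers, applying the rule above that a Diffie-Hellman group is mandatory in Phase 1 but optional in Phase 2; the algorithm names and the policy lists are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Proposal:
    """One proposal: the parameter combination both peers must agree on."""
    encryption: str           # encryption algorithm, e.g. "aes256"
    hash_alg: str             # hash algorithm, authenticates Phase 2 traffic
    dh_group: Optional[int]   # required in Phase 1, optional (PFS) in Phase 2


def negotiate(phase: int, offered: Iterable[Proposal],
              accepted: Iterable[Proposal]) -> Optional[Proposal]:
    """Responder-side selection: walk the initiator's proposals in the order
    they were offered and return the first one the local policy also accepts.
    None means no common proposal exists, so no SA can be established."""
    if phase not in (1, 2):
        raise ValueError("IKE defines only Phase 1 and Phase 2")
    policy = set(accepted)
    for proposal in offered:
        if phase == 1 and proposal.dh_group is None:
            continue  # the ISAKMP-SA keys always need a DH exchange
        if proposal in policy:
            return proposal
    return None


# Constructed sample data: what an initiator might offer, weakest first,
# and two responder policies (Phase 1, and Phase 2 without PFS).
OFFERED = [
    Proposal("3des", "md5", 2),
    Proposal("aes256", "sha1", 14),
    Proposal("aes256", "sha1", None),
]
PHASE1_POLICY = [Proposal("aes256", "sha1", 14), Proposal("aes256", "sha256", 14)]
PHASE2_POLICY_NO_PFS = [Proposal("aes256", "sha1", None)]

if __name__ == "__main__":
    print("Phase 1:", negotiate(1, OFFERED, PHASE1_POLICY))
    print("Phase 2:", negotiate(2, OFFERED, PHASE2_POLICY_NO_PFS))
```

The weak 3des/md5 proposal is skipped only because the responder's policy does not list it, which is the check an administrator controls when configuring the device's accepted proposals.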
Authentication
To authenticate the peers in Phase 1, IKE uses either a Pre-shared Key (PSK) or Certificates. A PSK is nothing but a password known to both peers. Digital certificates are generally regarded as the best solution for determining user identity with absolute confidentiality. A digital certificate is an electronic document used to identify a single user, a server or a company. Each certificate is signed by a trusted Certificate Authority (CA).
The two standard authentication methods can be complemented by Extended Authentication (XAUTH), an extension to IKE. XAUTH defines an additional user authentication in a separate phase right after Phase 1 (but before the beginning of Phase 2).
The user authentication can be checked against an internal database in the VPN device or external databases, e.g. against a