Figure 5: IPSec VPN Working

17 
across the clients, the VPN gateways initiate the next step of negotiating the IKE phase 
one exchange. 
Step 2:
IKE Phase One - To create IKE Security Association, SA. 
Phase 1:
The main purpose of IKE phase one is to authenticate IPSec peers and set up 
secure tunnel across the network to enable IKE exchanges. This phase enables 
communication across the two VPN gateways, negotiating of new keys and checking on 
non-responsive devices along with the management variables being transmitted across 
the IKE SA. 
The goals of IKE phase one are as follows: 
•
To protect and authenticate the identities of IPSec peers 
•
Negotiating an IKE SA security policy between the VPN peers to protect the 
IKE exchange. 
•
Performs an authenticated Diffie-Hellman exchange with the end result of 
having to match shared secret keys. 
•
Set up a secure channel to negotiate IPSec phase two parameters. 
Working:
IKE phase one creates and authenticates the IPSec peers with the help of 
policy sets. A policy set defines the policies to secure the channel session, router 
authentication policies, encryption algorithm used, hashing algorithm used and the key 
lifetime. It also performs an authenticated Diffie-Hellman exchange resulting in the 
sharing of secret keys. These policies are agreed upon across the two ends and a 
successful tunnel is establishes if there exist matching parameters. IKE SA is established 
by negotiation of parameters and thus a bi-directional security association with a secure 
channel is set-up. 

Download 2,76 Mb.

Do'stlaringiz bilan baham: