3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

172 CHAPTER 11: IKE CONFIGURATION
between the two parties. The authentication key is the key used to authenticate
the identity of both parties.
Identity protection
After the shared secret is generated, identity data is encrypted before it is
transmitted, so the identity data is protected.
IKE uses two phases to negotiate the shared secret for IPsec and to create
Security Associations. In the first phase, the communicating parties establish
a channel that provides identity authentication and security protection; the
exchange in this phase establishes an ISAKMP Security Association (ISAKMP SA).
In the second phase, the secure channel established in phase 1 is used to
negotiate the specific Security Association for IPsec and to establish the IPsec
SA. The IPsec SA is then used for the secure transmission of IP data.
The relation between IKE and IPsec is shown in the following figure.
Figure 39 Relation between IKE and IPsec
IKE aggressive mode
ADSL and dial-up access are two solutions widely adopted at present in VPN
construction. In these two solutions there is a special case: the IP addresses
of the devices at the central office end are static, while the IP addresses of
the devices at the subscriber end are dynamic. To support this special case,
aggressive mode is introduced into IKE negotiation. This mode allows IKE to look
up the pre-shared key of the negotiation initiator by the initiator's IP address
or ID in order to complete the negotiation. Compared to main mode, IKE
aggressive mode allows more flexibility and supports IKE negotiation even when
the IP address of the initiator is dynamic.
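The following simulation is an added example, not code from the 3Com guide or from the Switch 8800 software. It walks through the three aggressive-mode messages of IKEv1 phase 1 with pre-shared-key authentication, using the SKEYID and HASH_I/HASH_R formulas of RFC 2409, and shows why the mode suits an initiator with a dynamic address: the initiator's ID arrives in the clear in message 1, so the responder can select the pre-shared key by ID, whereas in main mode the ID is only sent encrypted and the responder has to select the key by the peer's source IP address. The Diffie-Hellman parameters, identities, addresses and pre-shared keys are constructed for the example and are not an IKE group or real configuration.

```python
"""Added example: IKEv1 phase 1 aggressive mode with pre-shared-key
authentication, simulated in one process (both peers run here)."""
import hashlib
import hmac
import os

# Toy Diffie-Hellman parameters, constructed for this example (NOT an IKE group).
P = 2**127 - 1
G = 5

# Responder's pre-shared keys, keyed by the initiator's ID (constructed data).
PSK_BY_ID = {
    b"branch1.example.com": b"constructed-psk-branch1",
    b"branch2.example.com": b"constructed-psk-branch2",
}
# Main mode can only key the lookup by the peer's source IP, because the ID
# payload is sent encrypted in message 5 and SKEYID (which needs the PSK) is
# required to decrypt it.  Only peers with static addresses can be listed here.
PSK_BY_IP = {"198.51.100.10": b"constructed-psk-hq"}


def prf(key: bytes, data: bytes) -> bytes:
    """IKE prf: HMAC with the negotiated hash algorithm (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def auth_hash(skeyid, gx_own, gx_peer, cky_i, cky_r, sa_b, id_b) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b);
    HASH_R uses the same formula with the DH values swapped and IDir_b."""
    return prf(skeyid, gx_own + gx_peer + cky_i + cky_r + sa_b + id_b)


def main_mode_psk_lookup(initiator_ip: str):
    """The responder's only option in main mode: select the PSK by source IP.
    A dynamic-address initiator cannot be listed, so the lookup fails."""
    return PSK_BY_IP.get(initiator_ip)


def aggressive_mode(initiator_id: bytes, initiator_psk: bytes,
                    sa_b: bytes = b"constructed-SA-proposal") -> dict:
    """Run the three aggressive-mode messages and report what each side concluded."""
    responder_id = b"hq.example.com"

    # Message 1: HDR, SA, KE, Ni, IDii  (the initiator's ID is sent in the clear).
    xi = int.from_bytes(os.urandom(16), "big")
    gxi = pow(G, xi, P).to_bytes(16, "big")
    ni, cky_i = os.urandom(16), os.urandom(8)

    # The responder selects the PSK from IDii; no source address is needed.
    responder_psk = PSK_BY_ID.get(initiator_id)
    if responder_psk is None:
        return {"psk_found": False, "authenticated": False, "dh_agreed": False}

    # Message 2: HDR, SA, KE, Nr, IDir, HASH_R.
    xr = int.from_bytes(os.urandom(16), "big")
    gxr = pow(G, xr, P).to_bytes(16, "big")
    nr, cky_r = os.urandom(16), os.urandom(8)
    skeyid_r = skeyid_psk(responder_psk, ni, nr)
    hash_r = auth_hash(skeyid_r, gxr, gxi, cky_i, cky_r, sa_b, responder_id)

    # The initiator derives SKEYID from its own PSK and verifies HASH_R.
    skeyid_i = skeyid_psk(initiator_psk, ni, nr)
    expected_r = auth_hash(skeyid_i, gxr, gxi, cky_i, cky_r, sa_b, responder_id)
    responder_ok = hmac.compare_digest(hash_r, expected_r)

    # Message 3: HDR, HASH_I; the responder verifies it with its SKEYID.
    hash_i = auth_hash(skeyid_i, gxi, gxr, cky_i, cky_r, sa_b, initiator_id)
    expected_i = auth_hash(skeyid_r, gxi, gxr, cky_i, cky_r, sa_b, initiator_id)
    initiator_ok = hmac.compare_digest(hash_i, expected_i)

    # Both sides also hold the same DH secret that seeds the ISAKMP SA keys.
    shared_i = pow(int.from_bytes(gxr, "big"), xi, P)
    shared_r = pow(int.from_bytes(gxi, "big"), xr, P)
    return {"psk_found": True,
            "authenticated": responder_ok and initiator_ok,
            "dh_agreed": shared_i == shared_r}


if __name__ == "__main__":
    print("main mode, dynamic peer 203.0.113.77:", main_mode_psk_lookup("203.0.113.77"))
    print("aggressive mode, branch1:",
          aggressive_mode(b"branch1.example.com", b"constructed-psk-branch1"))
```

A mismatched pre-shared key on either side makes HASH_R or HASH_I fail to verify, which is the only check that binds the identities to the exchange; the trade-off the guide alludes to under "flexibility" is that the initiator's ID and the hash travel in the clear in aggressive mode, so the pre-shared key must be strong enough to resist offline guessing against that hash.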
NAT traversal
If there is a NAT gateway on the VPN tunnel set up via IPsec/IKE and this
gateway performs NAT on the VPN service data, you must configure the NAT
traversal function for IPsec/IKE. With this function, IKE negotiation does not
authenticate the UDP port number. At the same time, NAT traversal allows a NAT
gateway on the VPN tunnel to be discovered. If a NAT gateway is discovered, UDP
encapsulation is used for subsequent IPsec data transmission, i.e., encapsulating IPsec packets in the UDP
[Figure 39: Switch 8800 A and Switch 8800 B each run IKE; IKE performs SA negotiation, and the encrypted IP packet passes through the TCP/UDP, IPsec and IP layers on both switches.]
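The NAT gateway discovery mentioned under NAT traversal above, as an added example that is not code from the guide or from the Switch 8800. It follows RFC 3947: each peer sends NAT-D payloads carrying HASH(CKY-I | CKY-R | IP | Port) for the address it believes the peer is using and for the address it believes it is using itself; the receiver recomputes both hashes from the addresses it actually observes on the packet, and a mismatch shows that a NAT rewrote them. Only the initiator-to-responder direction is simulated; the responder's reply carries NAT-D payloads the same way. The addresses, cookies and the NAT mapping are constructed for the example.

```python
"""Added example: NAT gateway discovery with IKE NAT-D payloads (RFC 3947),
simulated in one process with a constructed NAT mapping standing in for the
gateway."""
import hashlib
import socket
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]  # (IPv4 address, UDP port)


def nat_d_hash(cky_i: bytes, cky_r: bytes, addr: Addr) -> bytes:
    """RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port); IP as 4 octets,
    port as 2 octets in network byte order, using the negotiated hash (SHA-1)."""
    ip, port = addr
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip)
                        + port.to_bytes(2, "big")).digest()


def apply_nat(packet: dict, mapping: Optional[Dict[Addr, Addr]]) -> dict:
    """Simulated NAT gateway on the path: rewrite the packet's source address
    when a translation exists for it.  The IKE payloads are not touched."""
    if mapping and packet["src"] in mapping:
        return {**packet, "src": mapping[packet["src"]]}
    return packet


def run_nat_discovery(initiator: Addr, responder: Addr,
                      nat_mapping: Optional[Dict[Addr, Addr]] = None) -> dict:
    """Initiator sends its NAT-D payloads; the responder checks them against
    the addresses it observes and decides whether UDP encapsulation is needed."""
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8  # constructed ISAKMP cookies
    # RFC 3947 order: first the NAT-D for the remote (destination) address,
    # then the NAT-D for the sender's own address.
    packet = {
        "src": initiator,
        "dst": responder,
        "nat_d": [nat_d_hash(cky_i, cky_r, responder),
                  nat_d_hash(cky_i, cky_r, initiator)],
    }
    received = apply_nat(packet, nat_mapping)

    # The responder recomputes both hashes from what it actually sees on the wire.
    observed_dst = nat_d_hash(cky_i, cky_r, received["dst"])
    observed_src = nat_d_hash(cky_i, cky_r, received["src"])
    nat_before_responder = observed_dst != received["nat_d"][0]
    nat_before_initiator = observed_src != received["nat_d"][1]
    nat_present = nat_before_initiator or nat_before_responder
    return {
        "nat_before_initiator": nat_before_initiator,
        "nat_before_responder": nat_before_responder,
        # With a NAT on the path the peers carry ESP inside UDP so the gateway
        # can translate it (RFC 3948); otherwise ESP is sent as IP protocol 50.
        "udp_encapsulation": nat_present,
    }


if __name__ == "__main__":
    branch, hq = ("10.0.0.5", 500), ("198.51.100.1", 500)
    print("no NAT:   ", run_nat_discovery(branch, hq))
    print("with NAT: ", run_nat_discovery(branch, hq, {branch: ("203.0.113.9", 4321)}))
```

The hash covers the ISAKMP cookies as well as the address, so the NAT-D payload of one negotiation cannot be replayed into another; the responder learns only whether the addresses changed in transit, not what the private address behind the gateway is. This is also why the guide says the negotiation must stop authenticating the UDP port number: after translation the port seen by the peer no longer matches the one the sender put in its identity.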