TMS zl Management and Configuration Guide ST.1.1.100226

7-13
Virtual Private Networks
IPsec Concepts
IKE version 1
IKEv1 follows a set process to negotiate the IPsec SA and passes through two
phases. The first phase establishes a preliminary tunnel, or IKE SA. The second
phase establishes the IPsec SA. When you understand this process, you will
find it much easier to configure VPNs on your TMS zl Module.
IKE Phase 1
During phase 1, IKE must complete three tasks:
• Negotiate security parameters for the IKE SA
• Generate the keys used to secure data sent over the IKE SA
• Authenticate the endpoints of the tunnel (the two hosts)
Therefore, IKE phase 1 typically involves three exchanges between hosts, or
six total messages.
Exchange 1: Security parameters. In the first exchange, the endpoint that
initiates the VPN connection sends a message to the remote endpoint with one
or more security proposals. Each proposal includes one of the options for
these parameters:
Authentication algorithm:
• MD5
• SHA-1
Encryption algorithm:
• DES
• 3DES
• AES with 128, 192, or 256-bit keys
Authentication method:
• Preshared key
• Certificates (Digital Signature Algorithm [DSA] or Rivest-Shamir-Adleman [RSA] signature)
Diffie-Hellman group:
• Group 1 (768-bit)
• Group 2 (1024-bit)
• Group 5 (1536-bit)
SA lifetime in seconds
Other parameters such as whether XAUTH is required or NAT-T is supported
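The following is an added illustration, not code from the guide or the TMS zl Module: a minimal model of the exchange 1 proposal selection described above, in which the initiator offers a list of proposals and the responder accepts the first one that its own policy allows. The Proposal field names, the policy dictionary format, and the rule that the offered lifetime must not exceed the responder's maximum are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class Proposal:
    """One IKE phase 1 proposal; the field names are this example's own."""
    auth_alg: str      # "MD5" or "SHA-1"
    enc_alg: str       # "DES", "3DES", "AES-128", "AES-192" or "AES-256"
    auth_method: str   # "preshared-key", "rsa-sig" or "dsa-sig"
    dh_group: int      # 1 (768-bit), 2 (1024-bit) or 5 (1536-bit)
    lifetime: int      # IKE SA lifetime in seconds

def select_proposal(offered: Iterable[Proposal], policy: dict) -> Optional[Proposal]:
    """Responder side of exchange 1: return the first offered proposal whose
    every parameter the responder's policy allows, else None.
    The policy format (parameter name -> set of allowed values, plus
    'max_lifetime') is an assumption of this example."""
    for prop in offered:
        if (prop.auth_alg in policy["auth_alg"]
                and prop.enc_alg in policy["enc_alg"]
                and prop.auth_method in policy["auth_method"]
                and prop.dh_group in policy["dh_group"]
                and prop.lifetime <= policy["max_lifetime"]):
            return prop
    return None

# Values from the option list above that a policy review should flag:
# MD5 and DES are obsolete, and the 768-bit group 1 modulus is too small.
WEAK = {"auth_alg": {"MD5"}, "enc_alg": {"DES"}, "dh_group": {1}}

def weak_parameters(prop: Proposal) -> set:
    """Names of the proposal's parameters that carry a weak value."""
    return {name for name, values in WEAK.items() if getattr(prop, name) in values}

# Constructed sample: the initiator offers a weak proposal first and a
# stronger one second; the responder's policy only admits the second.
OFFERED = [
    Proposal("MD5", "DES", "preshared-key", 1, 86400),
    Proposal("SHA-1", "AES-256", "rsa-sig", 5, 28800),
]
RESPONDER_POLICY = {
    "auth_alg": {"SHA-1"},
    "enc_alg": {"3DES", "AES-128", "AES-192", "AES-256"},
    "auth_method": {"preshared-key", "rsa-sig"},
    "dh_group": {2, 5},
    "max_lifetime": 28800,
}

if __name__ == "__main__":
    print("negotiated:", select_proposal(OFFERED, RESPONDER_POLICY))
    print("weak values in first offer:", weak_parameters(OFFERED[0]))
```

Because the responder walks the initiator's list in order, a responder policy that still admits MD5, DES or group 1 will negotiate them whenever the initiator lists them first; removing those values from the policy is what forces the stronger proposal.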