TMS zl Management and Configuration Guide ST.1.2.100916
7-15
Virtual Private Networks
IPsec Concepts
The remote endpoint searches its IKE policies for one that specifies the other
endpoint and that includes an identical security proposal. When it finds a
match, the remote endpoint returns these security parameters to the original
endpoint.
If the remote endpoint cannot find a match, the VPN connection fails. This is
why it is very important that you match IKE policies at both ends of the
connection.
Exchange 2: Key generation. You will recall that an SA specifies authentication and encryption keys for transforming traffic. When you use IKE, you only need to configure the algorithms, which IKE negotiates in the first exchange. Using the Diffie-Hellman Key Agreement Protocol, IKE generates the actual keys for you during the second exchange of IKE phase 1. This protocol is a secure method for generating unique, shared keys without sending them over the connection, where they would be vulnerable to interception.
Figure 7-4. IKE Phase 1: Key Generation Exchange
The final IKE phase 1 exchange and all IKE phase 2 exchanges will be secured
by these keys. In this way, IKE provides an additional layer of security;
endpoints transmit their authentication information in secured packets, and
secured packets negotiate the IPsec SA itself.
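The following is an added illustration of the key-generation exchange just described; it is not code from the guide or from the TMS zl product. Two endpoints exchange only their Diffie-Hellman public values and nonces, each computes the same shared secret locally, and the keys that protect exchange 3 and phase 2 are derived from it. The group (2**127 - 1, generator 2), the preshared keys and the simplified derivation (ISAKMP cookies omitted, HMAC-SHA1 as the prf) are assumptions made for this example only.

```python
import hashlib
import hmac
import secrets

# Constructed toy group for illustration: 2**127 - 1 is prime, but it is NOT
# one of the IKE MODP groups (RFC 2409 / RFC 3526); real tunnels use far
# larger groups, agreed in exchange 1.
P = (1 << 127) - 1
G = 2

class IkeEndpoint:
    """One tunnel endpoint during the IKE phase 1 key-generation exchange."""
    def __init__(self, name):
        self.name = name
        self.private = secrets.randbelow(P - 2) + 1  # x: never leaves this host
        self.public = pow(G, self.private, P)        # g^x: sent on the wire
        self.nonce = secrets.token_bytes(16)         # Ni / Nr: sent on the wire
        self.shared_secret = None                    # g^xy: computed, never sent

    def ke_payload(self):
        # Everything this endpoint transmits in exchange 2.
        return {"from": self.name, "ke": self.public, "nonce": self.nonce}

    def receive(self, peer_payload):
        """Raise the peer's g^y to our own x; both sides land on the same g^xy."""
        self.shared_secret = pow(peer_payload["ke"], self.private, P)

def derive_keys(shared_secret, nonce_i, nonce_r, psk):
    """Simplified SKEYID derivation in the shape of RFC 2409 section 5
    (preshared-key authentication; cookies omitted, HMAC-SHA1 as the prf)."""
    gxy = shared_secret.to_bytes((P.bit_length() + 7) // 8, "big")
    def prf(key, data):
        return hmac.new(key, data, hashlib.sha1).digest()
    skeyid = prf(psk, nonce_i + nonce_r)
    skeyid_d = prf(skeyid, gxy + b"\x00")              # seeds the phase 2 keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + b"\x01")   # authenticates exchange 3
    skeyid_e = prf(skeyid, skeyid_a + gxy + b"\x02")   # encrypts exchange 3
    return skeyid_d, skeyid_a, skeyid_e

def run_exchange(psk_initiator, psk_responder):
    """Run exchange 2 and return (initiator keys, responder keys, the messages
    an eavesdropper saw, the shared secret that never appeared in them)."""
    init, resp = IkeEndpoint("initiator"), IkeEndpoint("responder")
    wire = [init.ke_payload(), resp.ke_payload()]   # the only values transmitted
    resp.receive(wire[0])
    init.receive(wire[1])
    keys_i = derive_keys(init.shared_secret, init.nonce, resp.nonce, psk_initiator)
    keys_r = derive_keys(resp.shared_secret, init.nonce, resp.nonce, psk_responder)
    return keys_i, keys_r, wire, init.shared_secret
```

Running the exchange with the same preshared key on both sides yields identical SKEYID_d/a/e at both endpoints; a mismatched preshared key, like a mismatched IKE policy, leaves the two sides with different keys and the connection fails.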
Exchange 3: Authentication. In the third IKE phase 1 exchange, the tunnel endpoints authenticate each other according to the method agreed upon in the first exchange.
The method can be:
■ A preshared key—The endpoints exchange a password, which is known
by both.