beautypg.com

D-Link DFL-2500 User Manual

Page 242

background image

Authentication can be accomplished through Pre-Shared Keys, certificates or public key encryption.
Pre-Shared Keys is the most common authentication method today. PSK and certificates are
supported by the NetDefendOS VPN module.

IKE Phase-2 - IPsec Security Negotiation

In phase two, another negotiation is performed, detailing the parameters for the IPsec connection.

In phase-2 we will also extract new keying material from the Diffie-Hellman key exchange in
phase-1, to provide session keys to use in protecting the VPN data flow.

If PFS, Perfect Forwarding Secrecy, is used, a new Diffie-Hellman exchange is performed for each
phase-2 negotiation. While this is slower, it makes sure that no keys are dependent on any other
previously used keys; no keys are extracted from the same initial keying material. This is to make
sure that, in the unlikely event that some key was compromised, no subsequent keys can be derived.

Once the phase-2 negotiation is finished, the VPN connection is established and ready for use.

IKE Parameters

There are a number of parameters used in the negotiation process.

Below is a summary of the configuration parameters needed to establish a VPN connection.
Understanding what these parameters do before attempting to configure the VPN endpoints is highly
recommended, since it is of great importance that both endpoints are able to agree on all of these
parameters.

When installing two D-Link Firewalls as VPN endpoints, this process is reduced to comparing fields
in two identical dialog boxes. However, it is not quite as easy when equipment from different
vendors is involved.

Endpoint Identification

The Local ID is a piece of data representing the identity of the
VPN gateway. With Pre-Shared Keys this is a unique piece of
data uniquely identifying the tunnel endpoint.

Authentication using Pre-Shared Keys is based on the
Diffie-Hellman algorithm.

Local and Remote
Networks/Hosts

These are the subnets or hosts between which IP traffic will
be protected by the VPN. In a LAN-to-LAN connection, these
will be the network addresses of the respective LANs.

If roaming clients are used, the remote network will most
likely be set to all-nets, meaning that the roaming client may
connect from anywhere.

Tunnel / Transport Mode

IPsec can be used in two modes, tunnel or transport.

Tunnel mode indicates that the traffic will be tunneled to a
remote device, which will decrypt/authenticate the data,
extract it from its tunnel and pass it on to its final destination.
This way, an eavesdropper will only see encrypted traffic
going from one of VPN endpoint to another.

In transport mode, the traffic will not be tunneled, and is
hence not applicable to VPN tunnels. It can be used to secure
a connection from a VPN client directly to the D-Link
Firewall,

for

example

for

IPsec

protected

remote

configuration.

This setting will typically be set to "tunnel" in most

9.3.2. Internet Key Exchange (IKE)

Chapter 9. VPN

242