Amer Networks E5Web GUI User Manual

IPsec protocol used (ESP/AH/both) as well as the session keys used to encrypt/decrypt and/or
authenticate/verify the transmitted data.

An SA is unidirectional and relates to traffic flow in one direction only. For the bidirectional traffic
that is usually found in a VPN, there is therefore a need for more than one SA per connection. In
most cases, where only one of ESP or AH is used, two SAs will be created for each connection,
one describing the incoming traffic, and the other the outgoing. In cases where ESP and AH are
used in conjunction, four SAs will be created.

IKE Negotiation

The process of negotiating session parameters consists of a number of phases and modes. These
are described in detail in the below sections.

The flow of events can be summarized as follows:

IKE Phase-1

•

Negotiate how IKE should be protected

IKE Phase-2

•

Negotiate how IPsec should be protected

•

Derive some fresh keying material from the key exchange in phase-1, to
provide session keys to be used in the encryption and authentication of
the VPN data flow

IKE and IPsec Lifetimes

Both the IKE and the IPsec connections have limited lifetimes, described both in terms of time
(seconds), and data (kilobytes). These lifetimes prevent a connection from being used too long,
which is desirable from a crypto-analysis perspective.

The IPsec lifetime must be shorter than the IKE lifetime. The difference between the two must be
a minimum of 5 minutes. This allows for the IPsec connection to be re-keyed simply by
performing another phase-2 negotiation. There is no need to do another phase-1 negotiation
until the IKE lifetime has expired.

Lifetime Recommendations

It is recommended that the lifetime values are equal to or greater than the following values:

•

IKE lifetime - 600 seconds (10 minutes)

•

IPsec lifetime - 300 seconds (5 minutes)

If the administrator uses values which are less, cOS Core will accept them but a warning message
will be presented during the reconfiguration.

IKE Algorithm Proposals

An IKE algorithm proposal list is a suggestion of how to protect IPsec data flows. The VPN device
initiating an IPsec connection will send a list of the algorithms combinations it supports for
protecting the connection and it is then up to the device at the other end of the connection to
say which proposal is acceptable.

The responding VPN device, upon receiving the list of supported algorithms, will choose the
algorithm combination that best matches its own security policies, and reply by specifying which
member of the list it has chosen. If no mutually acceptable proposal can be found, the responder

Chapter 9: VPN

582