Key management | IPSec VPN |
|
|
Key management
There are three basic elements in any encryption system:
•an algorithm that changes information into code,
•a cryptographic key that serves as a secret starting point for the algorithm,
•a management system to control the key.
IPSec provides two ways to handle key exchange and management:
•Manual Keys
•Automatic Internet Key Exchange (AutoIKE) with
Manual Keys
When using manual keys, matching security settings must be entered at both ends of the tunnel. These settings, which include both the encryption and authentication keys, must be kept secret so that unauthorized parties cannot decrypt the data, even if they know which encryption algorithm is being used.
Automatic Internet Key Exchange (AutoIKE) with
For using multiple tunnels, an automated system of key management is required.
IPSec supports the automated generation and negotiation of keys using the Internet
Key Exchange protocol. This method of key management is referred to as AutoIKE.
Fortinet supports AutoIKE with
AutoIKE with pre-shared keys
If both peers in a session are configured with the same
AutoIKE with certificates
This method of key management involves a trusted third party, the certificate authority (CA). Each peer in a VPN is first required to generate a set of keys, known as a public/private key pair. The CA signs the public key for each peer, creating a signed digital certificate. The peer then contacts the CA to retrieve their own certificates, plus that of the CA. After the certificates are uploaded to the FortiGate units and appropriate IPSec tunnels and policies are configured, the peers are ready to communicate. As they do, IKE manages the exchange of certificates, sending signed digital certificates from one peer to another. The signed digital certificates are validated by the presence of the CA certificate at each end. With authentication complete, the IPSec tunnel is then established.
232 | Fortinet Inc. |
