Netopia 3300-ENT - page 127

Internet Key Exchange (IKE) IPsec Key Management for VPNs 5-1

CChh

hhaa

aapp

pptt

ttee

eerr

rr 55

IIII nn

nntt

ttee

eerr

rrnn

nnee

eett

tt KK

KKee

eeyy

yy EE

EExx

xxcc

cc hh

hhaa

aann

nngg

ggee

ee ((

((IIIIKK

KKEE

EE))

)) IIIIPP

PPss

ssee

eecc

cc KK

KKee

eeyy

MMaa

aann

nnaa

aagg

ggee

eemm

mmee

eenn

nntt

tt ff

ff oo

oorr

rr VV

VVPP

PPNN

NN ss

IPsec stands for IP Security, a set of protocols that supports secure exchange of IP packets at the IP layer.

IPsec is deployed widely to implement Virtual Private Networks (VPNs). See “Virtual Private Networks (VPNs)”

on page 4-1 for more information.

The Netopia Firmware Version 8.4 supports Internet Key Exchange (IKE) for secure encrypted communication

over a VPN tunnel.

This chapter covers the following topics:

•“Overview” on page 5-1

•“Internet Key Exchange (IKE) Conﬁguration” on page 5-2

•“Key Management” on page 5-8

•“IPsec WAN Conﬁguration Screens” on page 5-18

•“IPsec Manual Key Entry” on page 5-19

Overview

IPsec supports two encapsulation modes: Transport and Tunnel. Transport mode encrypts only the data por tion

(payload) of each packet, but leaves the header untouched. Tunnel mode encrypts both the header and the

payload. On the receiving side, an IPsec-compliant device decrypts each packet. Netopia Routers support

Tunnel mode.

DES stands for Data Encryption Standard, a popular symmetric-key encryption method. DES uses a 56-bit key.

Netopia Routers offer IPsec 3DES (triple DES) encryption as a standard option.

Internet Key Exchange (IKE) is an authentication and encryption key management protocol used in conjunction

with the IPsec standard.

IKE is a two-phase protocol for key exchange.

•Phase 1 authenticates the security gateways and establishes the Security Parameters (SPs) they will use

to negotiate on behalf of the clients. Security Associations (SAs) are sets of information values that allow

the two devices on the Internet to communicate securely.

•Phase 2 establishes the tunnel and provides for secure transport of data.

IPsec can be conﬁgured without IKE, but IKE offers additional features, ﬂexibility, and ease of conﬁguration. Key

exchange between your local Router and a remote point can be conﬁgured either manually or by using the key

exchange protocol.