Netopia 4000-Series manual Internet Key Exchange IKE IPsec Key Management for VPNs

Internet Key Exchange (IKE) IPsec Key Management for VPNs 5-1

Chapter 5

Internet Key Exchange (IKE) IPsec Key Management for VPNs

IPsec stands for IP Security, a set of protocols that supports secure exchange of IP packets at the IP layer. IPsec is deployed widely to implement Virtual Private Networks (VPNs). See “Virtual Private Networks (VPNs)” on page 4-1for more information.

The Version 5.3 firmware supports Internet Key Exchange (IKE) for secure encrypted communication over a VPN tunnel.

This chapter covers the following topics:

■“Overview” on page 5-1

■“Internet Key Exchange (IKE) Configuration” on page 5-2

■“Key Management” on page 5-9

■“IPsec WAN Configuration Screens” on page 5-18

■“IPsec Manual Key Entry” on page 5-19

Overview

IPsec supports two encapsulation modes: Transport and Tunnel. Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched. Tunnel mode encrypts both the header and the payload. On the receiving side, an IPsec-compliant device decrypts each packet. Netopia Routers support Tunnel mode.

DES stands for Data Encryption Standard, a popular symmetric-key encryption method. DES uses a 56-bit key. Netopia Routers offer IPsec 3DES (triple DES) encryption as a standard option.

Note: Some models support built-in hardware acceleration of 3DES encryption at line speeds. The optional VPN-accelerated models (all 4652 models and 4522 routers whose model number ends in “-XL”) accelerate IPsec encryption and authentication.

Internet Key Exchange (IKE) is an authentication and encryption key management protocol used in conjunction with the IPsec standard.

IKE is a two-phase protocol for key exchange.

■Phase 1 authenticates the security gateways and establishes the Security Parameters (SPs) they will use to negotiate on behalf of the clients. Security Associations (SAs) are sets of information values that allow