Specifications

VPN and the IPsec Protocol
AVM Access Server – 6 AVM Access Server for Experts 109
The identities (IDs) exchanged in IKE Phase 1 can be one of the following types (the names in parentheses are the ISAKMP identification types defined in RFC 2407):
user fully qualified domain name (User FQDN, ID_USER_FQDN)
fully qualified domain name (FQDN, ID_FQDN)
Key ID, an opaque byte string (ID_KEY_ID)
IP host address (ID_IPV4_ADDR)
IP network address with subnet mask (ID_IPV4_ADDR_SUBNET)
IP address range (ID_IPV4_ADDR_RANGE)
For remote users, the configured user name is accepted as the identity whether the peer presents it as a User FQDN, an FQDN or a Key ID. For remote networks, all of the identity types listed above are configurable. If the identity is set to “automatic”, the ID is derived as follows:
If the Access Server is connected to the Internet through a LAN adapter (or through AVM KEN!, since KEN! acts as a network adapter in the system), then the IP address of the given network adapter is used as the local identity.
If the AVM Access Server manages the Internet connection itself, then the IP address assigned to it by the Internet Service Provider is used as the local identity. If a dynamic DNS provider is used, then the dynamic DNS domain name is used as the identity, and the identity type is FQDN. Note that an identity derived from a dynamically assigned ISP address changes whenever that address changes, and the remote peer must then be prepared to accept the new ID; with a dynamic address, an FQDN (via dynamic DNS) or a manually set ID is the stable choice.
For VPN connections to remote networks, the remote identity is expected to be the contents of the “Remote VPN gateway” setting, i.e. either the IP address of the remote VPN gateway or its host and domain name.
All ID settings can be selected manually.
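As an added illustration (not part of the AVM manual or of the Access Server's own code), the following Python builds and parses the ISAKMP Identification payload that carries these IDs on the wire, using the payload layout and type codes from RFC 2407 section 4.6.2, and implements the matching rules described above: the “automatic” local-ID derivation, the remote identity expected from the “Remote VPN gateway” setting, and the three ID types accepted for a remote user name. All function names, and the sample addresses and host names, are constructed for this example.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# ISAKMP Identification payload ID types (RFC 2407, section 4.6.2.1).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_IPV4_ADDR_SUBNET = 4
ID_IPV4_ADDR_RANGE = 7
ID_KEY_ID = 11

ID_NAMES = {ID_IPV4_ADDR: "ID_IPV4_ADDR", ID_FQDN: "ID_FQDN", ID_USER_FQDN: "ID_USER_FQDN",
            ID_IPV4_ADDR_SUBNET: "ID_IPV4_ADDR_SUBNET", ID_IPV4_ADDR_RANGE: "ID_IPV4_ADDR_RANGE",
            ID_KEY_ID: "ID_KEY_ID"}
# Address-based types carry a fixed amount of identification data.
FIXED_LEN = {ID_IPV4_ADDR: 4, ID_IPV4_ADDR_SUBNET: 8, ID_IPV4_ADDR_RANGE: 8}


@dataclass(frozen=True)
class Identity:
    id_type: int
    data: bytes  # identification data exactly as carried in the payload


def make_identity(kind: str, value: str) -> Identity:
    """Build an Identity from a human-readable value for each type the manual lists."""
    if kind == "ipv4":
        return Identity(ID_IPV4_ADDR, ipaddress.IPv4Address(value).packed)
    if kind == "subnet":
        net = ipaddress.IPv4Network(value, strict=False)
        return Identity(ID_IPV4_ADDR_SUBNET, net.network_address.packed + net.netmask.packed)
    if kind == "range":
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in value.split("-"))
        return Identity(ID_IPV4_ADDR_RANGE, lo.packed + hi.packed)
    if kind in ("fqdn", "user_fqdn", "keyid"):
        code = {"fqdn": ID_FQDN, "user_fqdn": ID_USER_FQDN, "keyid": ID_KEY_ID}[kind]
        return Identity(code, value.encode("ascii"))
    raise ValueError(f"unknown identity kind {kind!r}")


def encode_id_payload(ident: Identity, next_payload: int = 0,
                      protocol_id: int = 0, port: int = 0) -> bytes:
    """Generic header (next payload, reserved, length), then ID type, protocol ID,
    port and the identification data, all big-endian."""
    length = 8 + len(ident.data)
    return struct.pack("!BBHBBH", next_payload, 0, length,
                       ident.id_type, protocol_id, port) + ident.data


def decode_id_payload(buf: bytes) -> Tuple[Identity, bytes]:
    """Parse one Identification payload and return (identity, remaining bytes).
    The length field is checked against the buffer and the ID type instead of
    being trusted blindly."""
    if len(buf) < 8:
        raise ValueError("payload shorter than its fixed header")
    _next, reserved, length, id_type, _proto, _port = struct.unpack("!BBHBBH", buf[:8])
    if reserved != 0 or length < 8 or length > len(buf):
        raise ValueError("bad reserved byte or payload length")
    data = buf[8:length]
    if id_type in FIXED_LEN and len(data) != FIXED_LEN[id_type]:
        raise ValueError(f"{ID_NAMES[id_type]} needs {FIXED_LEN[id_type]} data bytes")
    return Identity(id_type, data), buf[length:]


def describe(ident: Identity) -> str:
    """Human-readable rendering, e.g. for a log line."""
    d = ident.data
    if ident.id_type == ID_IPV4_ADDR:
        text = str(ipaddress.IPv4Address(d))
    elif ident.id_type == ID_IPV4_ADDR_SUBNET:
        text = f"{ipaddress.IPv4Address(d[:4])}/{ipaddress.IPv4Address(d[4:])}"
    elif ident.id_type == ID_IPV4_ADDR_RANGE:
        text = f"{ipaddress.IPv4Address(d[:4])}-{ipaddress.IPv4Address(d[4:])}"
    else:
        text = d.decode("ascii", "replace")
    return f"{ID_NAMES.get(ident.id_type, str(ident.id_type))} {text}"


def automatic_local_identity(*, via_lan_adapter: bool, adapter_ip: Optional[str],
                             isp_ip: Optional[str], dyndns_name: Optional[str]) -> Identity:
    """The manual's "automatic" rule: the adapter address when the Internet is reached
    via a LAN adapter (or KEN!); otherwise the dynamic DNS name as FQDN if one is
    configured; otherwise the ISP-assigned address."""
    if via_lan_adapter:
        return make_identity("ipv4", adapter_ip)
    if dyndns_name:
        return make_identity("fqdn", dyndns_name)
    return make_identity("ipv4", isp_ip)


def expected_remote_identity(remote_gateway_setting: str) -> Identity:
    """The "Remote VPN gateway" setting is either an IP address or a host name."""
    try:
        return make_identity("ipv4", remote_gateway_setting)
    except ipaddress.AddressValueError:
        return make_identity("fqdn", remote_gateway_setting)


def user_identity_accepted(received: Identity, user_name: str) -> bool:
    """A remote user's configured name is accepted as User FQDN, FQDN or Key ID."""
    return (received.id_type in (ID_USER_FQDN, ID_FQDN, ID_KEY_ID)
            and received.data == user_name.encode("ascii"))


if __name__ == "__main__":
    # Constructed sample: a dial-up Access Server with dynamic DNS and a remote
    # gateway configured by address.
    local = automatic_local_identity(via_lan_adapter=False, adapter_ip=None,
                                     isp_ip="198.51.100.2", dyndns_name="vpn.example.net")
    wire = encode_id_payload(local)
    print(describe(decode_id_payload(wire)[0]), wire.hex())
    print(describe(expected_remote_identity("203.0.113.7")))
```

The responder-side check is the interesting part: `user_identity_accepted` compares the received name under any of the three string-type IDs, while a network peer is matched on both type and data against `expected_remote_identity`, so a peer that presents an FQDN when the gateway was configured by IP address (or vice versa) will not match.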
IKE Phase 2 is aimed at negotiating the SAs for securing user data. The SAs resulting from Phase 2 mainly specify:
whether data is encrypted over the link (using Encapsulating Security Payload, ESP) and which encryption algorithm is used.
whether an Authentication Header (AH) is added, and which hash algorithm is used. AH carries an integrity check value, a keyed hash (HMAC) over the payload and the immutable fields of the IP header, rather than a plain digest of the packet; because the outer IP addresses are covered, AH does not survive address translation (NAT) on the path.
whether payload data is compressed (IPComp) and which compression method is used.