Specifications

AVM Access Server – 5 AVM Access Server Concepts and Functional Principles 89

Negotiation
Many combinations of encryption and authentication parameters are possible in VPN connections. When establishing a secure VPN connection, the communicating parties must agree on the parameters they want to use.
Negotiation of the connection parameters requires another protocol, called Internet Key Exchange (IKE). The parameters agreed on by IKE negotiation are stored in a Security Association (SA). The SA defines:
the type of authentication used (certificates, a pre-shared key or another method)
the encryption algorithm used
the hash algorithm used
the duration of validity, or “lifetime”, of the SA
SAs are security policies with a limited period of validity. When the lifetime of an SA has elapsed, a new SA must be negotiated. A separate SA is negotiated for each direction of communication. IKE negotiation takes place in two phases. A separate security policy must be defined for each phase. IKE Phase 1 serves to negotiate an IKE SA, which is applied in IKE Phase 2 to negotiate the IPsec SA.
Security policies are possible SAs proposed by the Access Server to the remote system. If the remote system accepts the proposal, then an SA is established between the negotiating parties. A proposal must include settings for all parameters of the given IKE phase. For this reason, compatible security policies must be configured on the two connecting systems. The policies are designated using a special notation which is described in detail in the chapter “AVM Access Server for Experts” from page 100.
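The two-phase negotiation described above, as an added model that is not AVM code: each side offers an ordered list of security policies, the first proposal both sides support becomes the SA, one SA is created per direction, and Phase 2 only runs once Phase 1 has produced an IKE SA. The policy fields mirror the SA contents listed above; taking the shorter of the two lifetimes for the agreed SA is an assumption of this model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    auth: str        # authentication method, e.g. "psk" or "certificate"
    encryption: str  # encryption algorithm, e.g. "aes256"
    hash_alg: str    # hash algorithm, e.g. "sha256"
    lifetime_s: int  # period of validity of the SA in seconds


@dataclass
class SA:
    phase: int       # 1 = IKE SA, 2 = IPsec SA
    direction: str   # "out" or "in": a separate SA for each direction
    policy: Policy   # the agreed parameters
    created: float   # time at which the SA was negotiated

    def expired(self, now):
        # Once the lifetime has elapsed a new SA must be negotiated.
        return now - self.created >= self.policy.lifetime_s


def match(our_policies, peer_policies):
    """First of our proposals whose auth/encryption/hash the peer also offers."""
    for ours in our_policies:
        for theirs in peer_policies:
            same = (ours.auth, ours.encryption, ours.hash_alg) == \
                   (theirs.auth, theirs.encryption, theirs.hash_alg)
            if same:
                # Assumption: the shorter of the two offered lifetimes applies.
                lifetime = min(ours.lifetime_s, theirs.lifetime_s)
                return Policy(ours.auth, ours.encryption, ours.hash_alg, lifetime)
    return None  # no compatible security policy: the proposal is rejected


def negotiate_phase(phase, our_policies, peer_policies, now):
    """Return one SA per direction, or [] if no proposal is acceptable."""
    agreed = match(our_policies, peer_policies)
    if agreed is None:
        return []
    return [SA(phase, direction, agreed, now) for direction in ("out", "in")]


def ike_negotiation(p1_ours, p1_peer, p2_ours, p2_peer, now):
    """Phase 1 yields the IKE SA; only then is Phase 2 run for the IPsec SA."""
    ike_sas = negotiate_phase(1, p1_ours, p1_peer, now)
    if not ike_sas:
        return {"ike": [], "ipsec": []}
    return {"ike": ike_sas, "ipsec": negotiate_phase(2, p2_ours, p2_peer, now)}
```

If the two systems share no compatible Phase 1 policy, no IKE SA exists and the IPsec SA is never negotiated, which is the failure mode a mismatched configuration produces.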
When a VPN connection is active, the SAs in effect are shown in the Access Server’s Monitoring View. Click “Connection control” in the object tree with the right mouse button, and select “Properties” in the context menu. The active SAs are shown on the “VPN SAs” dialog page.