Specifications
Authentication Using Certificates
AVM Access Server – 5 AVM Access Server Concepts and Functional Principles 91
IKE Phase 2
The goal of IKE Phase 2 is to negotiate the SAs for the encryption of actual user data. This negotiation is itself encrypted based on the SA that was negotiated in Phase 1. The following parameters are negotiated:
- the IPsec transport protocol (AH and/or ESP)
- the encryption algorithm for user data transmitted over the VPN connection
  The AVM Access Server provides the encryption algorithms DES, 3DES and AES for this purpose. AES is the most advanced and the most secure of these algorithms, and supports key lengths of up to 256 bits.
- the hash algorithm used to ensure the integrity of the user data
- the IPsec operating mode (Tunnel or Transport Mode)
- the lifetime of the SA
- the random key material for the encryption and authentication algorithm
Once IKE negotiation has been completed, secure IPsec communication begins.
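To show how a responder evaluates the Phase 2 parameters listed above, here is an added example (not AVM Access Server code) of proposal selection: the initiator offers several transform sets and the responder applies its own policy, refusing the ones it does not accept and shortening the SA lifetime to its own maximum. The policy values, algorithm names and the offered proposals are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

@dataclass(frozen=True)
class Proposal:
    protocol: str               # "ESP" or "AH"
    encryption: Optional[str]   # e.g. "AES-256", "3DES", "DES"; None for AH
    integrity: str              # e.g. "HMAC-SHA256", "HMAC-SHA1"
    mode: str                   # "tunnel" or "transport"
    lifetime_s: int             # requested SA lifetime in seconds

# Hypothetical responder policy (constructed values, not AVM Access Server defaults).
POLICY = {
    "protocols": {"ESP"},
    "encryption": {"AES-256", "AES-128", "3DES"},   # single DES deliberately excluded
    "integrity": {"HMAC-SHA256", "HMAC-SHA1"},
    "modes": {"tunnel"},
    "max_lifetime_s": 3600,
}

def reject_reasons(p: Proposal, policy: dict) -> List[str]:
    """Every reason the policy refuses this proposal; an empty list means acceptable."""
    reasons = []
    if p.protocol not in policy["protocols"]:
        reasons.append(f"protocol {p.protocol} not allowed")
    if p.protocol == "ESP" and p.encryption not in policy["encryption"]:
        reasons.append(f"encryption {p.encryption} not allowed")
    if p.integrity not in policy["integrity"]:
        reasons.append(f"integrity {p.integrity} not allowed")
    if p.mode not in policy["modes"]:
        reasons.append(f"mode {p.mode} not allowed")
    return reasons

def select_proposal(offered: List[Proposal], policy: dict) -> Optional[Proposal]:
    """Pick the first acceptable proposal in the initiator's order; the negotiated
    lifetime is the shorter of the requested value and the responder's maximum."""
    for p in offered:
        if not reject_reasons(p, policy):
            return replace(p, lifetime_s=min(p.lifetime_s, policy["max_lifetime_s"]))
    return None   # no proposal matched: Phase 2 fails and no IPsec SA is set up

# Constructed initiator offer: a weak DES transform set first, a strong AES one second.
OFFERED = [
    Proposal("ESP", "DES", "HMAC-MD5", "tunnel", 28800),
    Proposal("ESP", "AES-256", "HMAC-SHA256", "tunnel", 28800),
]

if __name__ == "__main__":
    print(select_proposal(OFFERED, POLICY))
```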
Authentication Using Certificates
Authentication in IKE Phase 1 can be performed using digital certificates. The AVM Access Server allows the administrator to create local certification authorities for this purpose.
Certificates
A certificate in the conventional sense is a document that certifies that
a person has certain qualities. Certificates are issued and signed by
generally recognized and trusted authorities. Such an authority might
be a public agency, a company, or another kind of institution.
Digital Certificates
A digital certificate is a digital document that can be used to confirm the authenticity of digital signatures. Asymmetrical encryption techniques are used to generate and certify such a signature. A digital certificate is issued and signed by a trusted institution called a certification authority (CA).