Product specifications

Efficient Networks®
Router family
Technical Reference Guide
Chapter 5: System Security
Page 5-53
Because VPN users are likely to be using a variety of protocols, a common set of
security attributes must be negotiated at the beginning of any tunnel session. Phase 1
IKE is responsible for negotiating these security attributes and establishing peer
identities. A secure tunnel for the exchange of encryption keys is also created during
this phase. Phase 2 IKE then exchanges proposals for IPSec security attributes,
generates the encryption keys and sets up IPSec Security Associations (SAs) for
moving user data.
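The two-phase negotiation described above, as an added illustration (not the router's own code or CLI): Phase 1 picks the common set of security attributes for the IKE tunnel, and Phase 2 reuses the same selection rule for IPSec attributes and produces a pair of one-direction SAs. Attribute names, policies, and the lifetime-as-minimum rule are constructed assumptions of this model.

```python
"""Simplified model of IKE Phase 1 / Phase 2 proposal negotiation.
Each side offers an ordered list of proposals; the responder takes the first
initiator proposal that its own policy also allows, which is the 'common set of
security attributes' the text refers to. Added illustration, constructed values."""
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Proposal:
    encryption: str   # constructed sample names, e.g. "3DES"
    integrity: str    # e.g. "SHA1"
    dh_group: int     # Diffie-Hellman group (Phase 2: PFS group, 0 = none)
    lifetime_s: int

def negotiate(initiator: list[Proposal], responder: list[Proposal]) -> Optional[Proposal]:
    """First initiator proposal the responder also allows, or None if no common set.
    Lifetime is modelled as the shorter of the two. Note the downgrade risk the
    ordering creates: a weak algorithm kept in BOTH policies is selected whenever the
    initiator lists it first, so the responder's policy is the effective floor."""
    allowed = {(p.encryption, p.integrity, p.dh_group): p for p in responder}
    for offer in initiator:
        hit = allowed.get((offer.encryption, offer.integrity, offer.dh_group))
        if hit is not None:
            return Proposal(offer.encryption, offer.integrity, offer.dh_group,
                            min(offer.lifetime_s, hit.lifetime_s))
    return None

def establish_sas(ike_sa: Optional[Proposal], init_ipsec: list[Proposal],
                  resp_ipsec: list[Proposal]) -> Optional[dict]:
    """Phase 2: only runs inside an established Phase 1 tunnel; returns one inbound
    and one outbound IPSec SA, each with its own SPI (values 1-255 are reserved)."""
    if ike_sa is None:
        return None
    ipsec = negotiate(init_ipsec, resp_ipsec)
    if ipsec is None:
        return None
    def new_spi() -> int:
        return secrets.randbelow(2**32 - 256) + 256
    return {"inbound": {"spi": new_spi(), "proposal": ipsec},
            "outbound": {"spi": new_spi(), "proposal": ipsec}}

# Constructed sample policies: the responder refuses DES/MD5, so although the
# initiator prefers it, the common set falls through to 3DES/SHA1 with the
# responder's shorter lifetime.
INITIATOR_P1 = [Proposal("DES", "MD5", 1, 86400), Proposal("3DES", "SHA1", 2, 86400)]
RESPONDER_P1 = [Proposal("3DES", "SHA1", 2, 28800)]
INITIATOR_P2 = [Proposal("3DES", "SHA1", 2, 3600)]
RESPONDER_P2 = [Proposal("3DES", "SHA1", 2, 3600), Proposal("3DES", "SHA1", 0, 3600)]
```

Swapping the responder's Phase 1 policy for one that also lists DES/MD5 shows the downgrade case: the initiator's first preference wins.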
Figure 5-5: ESP and AH Security
ESP Protocol (tunnel mode): New IP Header | ESP Header | Original IP Header | Rest of original IP packet (headers and data) | ESP Trailer | ESP Authentication. Regions marked in the figure: Encrypted, Authenticated.
AH Protocol (tunnel mode): New IP Header | AH Header | Original IP Header | Rest of original IP packet (headers and data). Region marked in the figure: Authenticated.

Figure 5-6: IKE Management
Phase 1 IKE (router to router): "Who are you?" is answered with peer identities; "Security attributes?" is answered with proposals; the result is a secure tunnel.
Phase 2 IKE (inside the secure tunnel): "Security attributes?" is answered with IPSec proposals; "Encryption keys?" leads to key generation and key exchange; the result is the IPSec Security Associations, followed by data flow.