Specifications
136 Chapter 5. Configuring Software Options
The following figure shows the transformed IP packet after the ESP or AH protocol has been applied in tunnel
mode.
IKE Management
Internet Key Exchange (IKE) management makes encryption key exchange practical, even in large networks
where there are many unknown intermediate links between sending and receiving nodes. Unlike protocols that
allow only one key exchange per session, IKE can generate and transfer multiple keys between peers during a
single tunnel session. Users may specify the duration for which keys are valid. This dynamic type of
Diffie-Hellman key exchange greatly reduces the chances of a network attacker finding an entry into a tunnel.
If you wish, you may also select Perfect Forward Secrecy (PFS) to increase the security of the key exchange. PFS
ensures that the compromise of a single key exposes only the data protected by that particular key. However,
PFS requires a Diffie-Hellman exchange in the configured group for each rekey, adding overhead to the process
and causing IKE to run more slowly. Thus, PFS is not always desirable.
Because VPN users are likely to be using a variety of protocols, a common set of security attributes must be
negotiated at the beginning of any tunnel session. Phase 1 IKE is responsible for negotiating these security
attributes and establishing peer identities. A secure tunnel for the exchange of encryption keys is also created
[Figure: transformed IP packet in tunnel mode]
ESP Protocol: New IP Header | ESP Header | Original IP Header | Rest of original IP packet (headers and data) | ESP Trailer | ESP Authentication
(Encrypted: Original IP Header through ESP Trailer; Authenticated: ESP Header through ESP Trailer)
AH Protocol: New IP Header | AH Header | Original IP Header | Rest of original IP packet (headers and data)
(Authenticated: the entire packet, mutable outer-header fields excepted)
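The AH tunnel-mode layout from the figure, built and verified in code. This is an added example, not code from this product; it assumes IPv4 outer and inner headers and HMAC-SHA256-128 as the integrity algorithm, and the addresses, SPI and key are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP = 4   # AH next-header value: the payload is a whole IPv4 packet
IPPROTO_AH = 51
ICV_LEN = 16       # HMAC-SHA256-128 truncates the MAC to 128 bits (RFC 4868)


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum is left zero in this demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def _ah_icv(outer, ah_fixed, inner, key):
    """ICV over outer header + AH header + inner packet (RFC 4302 3.3.3.1).
    Mutable outer fields and the ICV field itself are zeroed first."""
    h = bytearray(outer)
    h[1] = 0                # TOS
    h[6:8] = b"\0\0"        # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\0\0"      # header checksum
    mac = hmac.new(key, bytes(h) + ah_fixed + bytes(ICV_LEN) + inner, hashlib.sha256)
    return mac.digest()[:ICV_LEN]


def ah_tunnel_encapsulate(inner, spi, seq, key, outer_src, outer_dst):
    """New IP header | AH header | original IP packet, as in the figure."""
    ah_len = 12 + ICV_LEN
    # payload length field = AH header length in 32-bit words, minus 2
    ah_fixed = struct.pack("!BBHII", IPPROTO_IPIP, ah_len // 4 - 2, 0, spi, seq)
    outer = ipv4_header(outer_src, outer_dst, IPPROTO_AH, ah_len + len(inner))
    return outer + ah_fixed + _ah_icv(outer, ah_fixed, inner, key) + inner


def ah_tunnel_verify(packet, key):
    """Return the original inner packet, or None if the ICV does not match.
    The outer header is covered too, so tampering with it is detected."""
    outer, ah_fixed = packet[:20], packet[20:32]
    icv, inner = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    if not hmac.compare_digest(icv, _ah_icv(outer, ah_fixed, inner, key)):
        return None
    return inner


def build_sample(key=b"constructed-demo-key"):
    # Constructed inner packet: a UDP-marked IPv4 packet between private hosts
    data = b"hello through the tunnel"
    inner = ipv4_header("10.1.0.5", "10.2.0.9", 17, len(data)) + data
    return inner, ah_tunnel_encapsulate(inner, 0x1000, 1, key, "198.51.100.1", "203.0.113.2")
```

A TTL decrement by an intermediate router still verifies, because TTL is a mutable field excluded from the ICV, while any change to the outer destination address fails verification.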