User guide
Chapter 4. Configuring Special Features 121
The following figure shows the transformed IP packet after the ESP or AH protocol has been applied in tunnel
mode.
IKE Management
Internet Key Exchange (IKE) management makes encryption key exchange practical, even in large networks
where there are many unknown intermediate links between sending and receiving nodes. Unlike protocols that
allow only one key exchange per session, IKE can generate and transfer multiple keys between peers during a
single tunnel session. Users may specify the duration for which keys are valid. Because keys are renewed by
fresh Diffie-Hellman exchanges and expire after that lifetime, an attacker who recovers one key gains only the
traffic protected under it, which greatly reduces the chances of finding an entry into a tunnel.
Because VPN users are likely to be using a variety of protocols, a common set of security attributes must be
negotiated at the beginning of any tunnel session. Phase 1 IKE is responsible for negotiating these security
attributes and establishing peer identities. A secure tunnel for the exchange of encryption keys is also created
during this phase. Phase 2 IKE then exchanges proposals for IPSec security attributes, generates the encryption
keys and sets up IPSec Security Associations (SAs) for moving user data.
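The two-phase exchange described above, as an added example that is not the router's firmware and not the real IKE wire format (no ISAKMP headers, cookies or nonces). It assumes pre-shared-key authentication (the PSK, the proposal strings and the traffic volume are constructed for the demo) and uses a toy Diffie-Hellman group rather than a registered MODP group. Phase 1 negotiates attributes, checks peer identity and derives a shared secret; Phase 2 negotiates an IPSec proposal and derives per-SA keys that carry a lifetime and are rekeyed on expiry without repeating Phase 1:

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only; a real IKE peer uses a
# registered MODP group (e.g. RFC 3526 group 14, 2048 bits).
P = 2**127 - 1
G = 3


def negotiate(initiator_proposals, responder_proposals):
    """Pick the initiator's most-preferred proposal that the responder also accepts."""
    for proposal in initiator_proposals:
        if proposal in responder_proposals:
            return proposal
    return None


def _pair(a, b):
    return a.to_bytes(16, "big") + b.to_bytes(16, "big")


class Peer:
    def __init__(self, name, psk, ph1_proposals, ph2_proposals):
        self.name = name
        self.psk = psk                      # assumed provisioned out of band
        self.ph1_proposals = ph1_proposals  # ordered by preference
        self.ph2_proposals = ph2_proposals
        self.priv = secrets.randbelow(P - 3) + 2   # private DH exponent in [2, P-2]
        self.pub = pow(G, self.priv, P)
        self.skeyid = None

    def identity_proof(self, peer_pub):
        """Prove identity: MAC over (my public value, peer's public value) under the PSK."""
        return hmac.new(self.psk, _pair(self.pub, peer_pub), hashlib.sha256).digest()

    def verify_peer(self, peer_pub, proof):
        """A peer holding a different PSK cannot produce a valid proof."""
        expected = hmac.new(self.psk, _pair(peer_pub, self.pub), hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)

    def derive_phase1_secret(self, peer_pub):
        shared = pow(peer_pub, self.priv, P)
        self.skeyid = hmac.new(self.psk, shared.to_bytes(16, "big"), hashlib.sha256).digest()

    def sa_key(self, spi, generation):
        """Per-SA key bound to the SPI and to a rekey counter (generation)."""
        info = b"ipsec-sa" + spi.to_bytes(4, "big") + generation.to_bytes(4, "big")
        return hmac.new(self.skeyid, info, hashlib.sha256).digest()


class IPSecSA:
    def __init__(self, spi, proposal, key, lifetime_bytes, generation):
        self.spi, self.proposal, self.key = spi, proposal, key
        self.lifetime_bytes, self.generation = lifetime_bytes, generation
        self.bytes_used = 0

    def account(self, n):
        self.bytes_used += n

    def expired(self):
        return self.bytes_used >= self.lifetime_bytes


def phase1(initiator, responder):
    """Negotiate security attributes, establish peer identities, derive the secure channel."""
    attrs = negotiate(initiator.ph1_proposals, responder.ph1_proposals)
    if attrs is None:
        raise ValueError("no common Phase 1 security attributes")
    if not responder.verify_peer(initiator.pub, initiator.identity_proof(responder.pub)):
        raise ValueError("initiator failed identity check")
    if not initiator.verify_peer(responder.pub, responder.identity_proof(initiator.pub)):
        raise ValueError("responder failed identity check")
    initiator.derive_phase1_secret(responder.pub)
    responder.derive_phase1_secret(initiator.pub)
    return attrs


def phase2(initiator, responder, spi, lifetime_bytes, generation=0):
    """Negotiate an IPSec proposal and set up an SA keyed under the Phase 1 secret."""
    proposal = negotiate(initiator.ph2_proposals, responder.ph2_proposals)
    if proposal is None:
        raise ValueError("no common IPSec proposal")
    key = initiator.sa_key(spi, generation)
    if key != responder.sa_key(spi, generation):   # both sides hold the same SKEYID
        raise ValueError("Phase 2 key derivation diverged")
    return IPSecSA(spi, proposal, key, lifetime_bytes, generation)


def rekey(initiator, responder, sa):
    """Replace an expired SA with a fresh key; no new Phase 1 is needed."""
    return phase2(initiator, responder, sa.spi, sa.lifetime_bytes, sa.generation + 1)


def run_demo(lifetime_bytes=1000):
    psk = b"constructed-demo-psk"
    a = Peer("router-A", psk, ["sha256/aes256/dh14", "sha1/3des/dh2"],
             ["esp-aes256-sha256", "esp-3des-sha1"])
    b = Peer("router-B", psk, ["sha1/3des/dh2", "sha256/aes256/dh14"],
             ["esp-3des-sha1", "esp-aes256-sha256"])
    attrs = phase1(a, b)
    sa = phase2(a, b, spi=0x1001, lifetime_bytes=lifetime_bytes)
    first_key = sa.key
    sa.account(1500)                    # constructed traffic volume past the lifetime
    if sa.expired():
        sa = rekey(a, b, sa)
    return {"phase1_attrs": attrs, "ipsec_proposal": sa.proposal,
            "rekeyed": sa.generation == 1, "key_changed": sa.key != first_key}


def wrong_psk_is_rejected():
    a = Peer("router-A", b"right-psk", ["sha256/aes256/dh14"], ["esp-aes256-sha256"])
    c = Peer("rogue", b"wrong-psk", ["sha256/aes256/dh14"], ["esp-aes256-sha256"])
    try:
        phase1(a, c)
    except ValueError:
        return True
    return False
```

`run_demo()` shows the property the text relies on: the SA key changes at every rekey while the Phase 1 secret is reused, so a key recovered from one generation does not unlock the others, and `wrong_psk_is_rejected()` shows Phase 1 refusing a peer that cannot prove its identity.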
[Figure: ESP and AH applied in tunnel mode]
ESP Protocol: New IP Header | ESP Header | Original IP Header | Rest of original IP packet (headers and data) | ESP Trailer | ESP Authentication. Two bands mark the encrypted span (the original packet and the ESP trailer) and the wider authenticated span (from the ESP header through the ESP trailer).
AH Protocol: New IP Header | AH Header | Original IP Header | Rest of original IP packet (headers and data). A band marks the packet as authenticated; AH has no encrypted span.
[Figure: Phase 1 and Phase 2 IKE between two routers]
Phase 1 IKE: Router to Router: "Who are you?" and "Security attributes?", producing peer identities, proposals and a secure tunnel.
Phase 2 IKE: Router to Router: "Encryption keys?", then IPSec proposals, key generation, key exchange, IPSec Security Associations and finally data flow.
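The tunnel-mode ESP layout shown in the figure (new IP header, ESP header, original packet, ESP trailer, ESP authentication), as an added example that is not the router's code. It builds and parses that framing so the encrypted and authenticated spans can be read off by byte offset, and the receiver checks the authentication value and a simple replay rule before decrypting. The cipher is a toy SHA-256 counter keystream standing in for the AES or 3DES transform a real IPSec stack would use, the IV is derived rather than random, and all keys and addresses are constructed:

```python
import hashlib
import hmac
import struct

ESP_PROTO = 50          # IP protocol number carried in the new (outer) IP header
NEXT_HDR_IPIP = 4       # trailer "next header": an IPv4 packet is inside
ICV_LEN = 16            # truncated HMAC-SHA256 authentication value


def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header (checksum left zero; constructed for illustration)."""
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       bytes(src), bytes(dst))


def _keystream(key, iv, n):
    # Toy stand-in for a real block cipher mode; not for production use.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def _xor(data, stream):
    return bytes(x ^ y for x, y in zip(data, stream))


def esp_encapsulate(original, spi, seq, enc_key, auth_key, outer_src, outer_dst):
    """New IP Header | ESP Header | IV | [original packet + ESP Trailer] | ESP Authentication."""
    pad_len = (-(len(original) + 2)) % 4               # align trailer end to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HDR_IPIP])
    plaintext = original + trailer                     # the encrypted span
    esp_header = struct.pack(">II", spi, seq)
    iv = hashlib.sha256(esp_header).digest()[:8]       # constructed IV for the demo
    ciphertext = _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    authenticated = esp_header + iv + ciphertext       # the authenticated span
    icv = hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    esp = authenticated + icv
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, 20 + len(esp)) + esp


def layout(packet):
    """Byte ranges of the transformed packet, matching the figure's labels."""
    n = len(packet)
    return {"new_ip_header": (0, 20), "esp_header": (20, 28), "iv": (28, 36),
            "encrypted": (36, n - ICV_LEN), "authenticated": (20, n - ICV_LEN),
            "esp_authentication": (n - ICV_LEN, n)}


def esp_decapsulate(packet, expected_spi, enc_key, auth_key, last_seq):
    """Verify the ICV first, then SPI and replay, then decrypt; returns (original, seq)."""
    esp = packet[20:]
    authenticated, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP authentication failed")
    spi, seq = struct.unpack(">II", esp[:8])
    if spi != expected_spi:
        raise ValueError("unknown SPI")
    if seq <= last_seq:
        raise ValueError("replayed sequence number")
    iv, ciphertext = esp[8:16], esp[16:-ICV_LEN]
    plaintext = _xor(ciphertext, _keystream(enc_key, iv, len(ciphertext)))
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    if next_hdr != NEXT_HDR_IPIP:
        raise ValueError("unexpected inner protocol")
    return plaintext[:len(plaintext) - pad_len - 2], seq


def demo():
    enc_key, auth_key = b"constructed-enc-key", b"constructed-auth-key"
    inner = ipv4_header((10, 1, 1, 5), (10, 2, 2, 9), 17, 20 + 12) + b"hello inside"
    wire = esp_encapsulate(inner, 0x1001, 7, enc_key, auth_key,
                           (203, 0, 113, 1), (198, 51, 100, 1))
    recovered, seq = esp_decapsulate(wire, 0x1001, enc_key, auth_key, last_seq=6)
    tampered = bytearray(wire)
    tampered[40] ^= 0x01                    # flip one bit inside the encrypted span
    try:
        esp_decapsulate(bytes(tampered), 0x1001, enc_key, auth_key, last_seq=6)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"round_trip": recovered == inner, "seq": seq, "wire_len": len(wire),
            "tamper_detected": tamper_detected, "layout": layout(wire)}
```

`layout()` makes the figure's two bands concrete: the authenticated span starts at the ESP header and so covers the SPI and sequence number, which is why the receiver can check the ICV and the replay rule before spending any work on decryption.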