User's guide
Chapter 10 IPSec VPN Config Screens
LAN-Cell 2 User’s Guide
10.11 IPSec VPN Technical Reference
IKE SA Proposal
The IKE SA proposal is used to identify the encryption algorithm, authentication algorithm,
and Diffie-Hellman (DH) key group that the LAN-Cell and remote IPSec router use in the IKE
SA. In main mode, this is done in steps 1 and 2, as illustrated below.
Figure 148 IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal
The LAN-Cell sends one or more proposals to the remote IPSec router. (In some devices, you
can set up only one proposal.) Each proposal consists of an encryption algorithm,
authentication algorithm, and DH key group that the LAN-Cell wants to use in the IKE SA.
The remote IPSec router selects an acceptable proposal and sends the accepted proposal back
to the LAN-Cell. If the remote IPSec router rejects all of the proposals (for example, if the
VPN tunnel is not configured correctly), the LAN-Cell and remote IPSec router cannot
establish an IKE SA.
Note: Both routers must use the same encryption algorithm, authentication
algorithm, and DH key group.
See the field descriptions for information about specific encryption algorithms, authentication
algorithms, and DH key groups. See Section on page 244 for more information about DH key
groups.
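The proposal exchange described above can be modelled to troubleshoot a tunnel that will not come up. The following is an added example, not code from this guide or from the LAN-Cell: the function names, the sample algorithm values, and the rule that the remote router picks the first acceptable proposal in the order offered are all assumptions made for illustration.

```python
from typing import NamedTuple

class Proposal(NamedTuple):
    encryption: str      # encryption algorithm, e.g. "3DES"
    authentication: str  # authentication algorithm, e.g. "SHA1"
    dh_group: str        # Diffie-Hellman key group, e.g. "DH2"

def select_proposal(offered, acceptable):
    """Remote router side: return the first offered proposal it also accepts.
    Assumption: the order offered is treated as the order of preference."""
    allowed = set(acceptable)
    for proposal in offered:
        if proposal in allowed:
            return proposal
    return None

def closest_mismatch(offered, acceptable):
    """Troubleshooting aid: find the offered/acceptable pair that differs in
    the fewest fields and return (offered, acceptable, differing_fields)."""
    best = None
    for o in offered:
        for a in acceptable:
            diff = [f for f in Proposal._fields if getattr(o, f) != getattr(a, f)]
            if best is None or len(diff) < len(best[2]):
                best = (o, a, diff)
    return best

def negotiate(offered, acceptable):
    """Model steps 1 and 2 of main mode: offer proposals, get one back or none."""
    chosen = select_proposal(offered, acceptable)
    if chosen is not None:
        return {"ike_sa": True, "proposal": chosen, "mismatch": []}
    near = closest_mismatch(offered, acceptable)
    # All proposals rejected: no IKE SA. Report which fields need to be aligned.
    return {"ike_sa": False, "proposal": None, "mismatch": near[2] if near else []}

# Constructed sample configurations (not taken from a real device).
LAN_CELL = [Proposal("AES", "SHA1", "DH2"), Proposal("3DES", "SHA1", "DH2")]
REMOTE_OK = [Proposal("3DES", "SHA1", "DH2")]
REMOTE_BAD = [Proposal("3DES", "MD5", "DH1")]

if __name__ == "__main__":
    print(negotiate(LAN_CELL, REMOTE_OK))   # second proposal is accepted
    print(negotiate(LAN_CELL, REMOTE_BAD))  # rejected: authentication and DH group differ
```

When every proposal is rejected, the `mismatch` list names the fields to compare on the two routers first.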
Diffie-Hellman (DH) Key Exchange
The LAN-Cell and the remote IPSec router use a DH key exchange to establish a shared
secret, which is used to generate encryption keys for IKE SA and IPSec SA. In main mode, the
DH key exchange is done in steps 3 and 4, as illustrated below.