User`s guide

ManualsBrandsProxicast ManualsComputer equipmentLAN-Cell 2

241

242

243

244

245

246

247

248

249

250

Chapter 10 IPSec VPN Config Screens

LAN-Cell 2 User’s Guide

247

" You must set up the certificates for the LAN-Cell and remote IPSec router

before you can use certificates in IKE SA. See Chapter 11 on page 255 for

more information about certificates.

Extended Authentication

Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to

connect to a single IPSec router. For example, this might be used with telecommuters.

Extended authentication occurs right after the authentication described in Section on page

245.

In extended authentication, one of the routers (the LAN-Cell or the remote IPSec router)

provides a user name and password to the other router, which uses a local user database and/or

an external server to verify the user name and password. If the user name or password is

wrong, the routers do not establish an IKE SA.

You can set up the LAN-Cell to provide a user name and password to the remote IPSec router,

or you can set up the LAN-Cell to check a user name and password that is provided by the

remote IPSec router.

Negotiation Mode

There are two negotiation modes: main mode and aggressive mode. Main mode provides

better security, while aggressive mode is faster.

Main mode takes six steps to establish an IKE SA.

Steps 1-2: The LAN-Cell sends its proposals to the remote IPSec router. The remote IPSec

router selects an acceptable proposal and sends it back to the LAN-Cell.

Steps 3-4: The LAN-Cell and the remote IPSec router participate in a Diffie-Hellman key

exchange, based on the accepted DH key group, to establish a shared secret.

Steps 5-6: Finally, the LAN-Cell and the remote IPSec router generate an encryption key from

the shared secret, encrypt their identities, and exchange their encrypted identity information

for authentication.

In contrast, aggressive mode only takes three steps to establish an IKE SA.

Step 1: The LAN-Cell sends its proposals to the remote IPSec router. It also starts the Diffie-

Hellman key exchange and sends its (unencrypted) identity to the remote IPSec router for

authentication.

Step 2: The remote IPSec router selects an acceptable proposal and sends it back to the LAN-

Cell. It also finishes the Diffie-Hellman key exchange, authenticates the LAN-Cell, and sends

its (unencrypted) identity to the LAN-Cell for authentication.

Step 3: The LAN-Cell authenticates the remote IPSec router and confirms that the IKE SA is

established.