Chapter 30 IPSec VPN
UAG Series User’s Guide
356
Figure 246
IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange
DH public-key cryptography is based on DH key groups. Each key group is a fixed number of bits
long. The longer the key, the more secure the encryption, but also the longer it takes to encrypt
and decrypt information. For example, DH2 keys (1024 bits) are more secure than DH1 keys (768
bits), but DH2 keys take longer to encrypt and decrypt.
Authentication
Before the UAG and remote IPSec router establish an IKE SA, they have to verify each other’s
identity. This process is based on pre-shared keys and router identities.
In main mode, the UAG and remote IPSec router authenticate each other in steps 5 and 6, as
illustrated below. The identities are also encrypted using the encryption algorithm and encryption
key the UAG and remote IPSec router selected in previous steps.
Figure 247
IKE SA: Main Negotiation Mode, Steps 5 - 6: Authentication (continued)
You have to create (and distribute) a pre-shared key. The UAG and remote IPSec router use it in
the authentication process, though it is not actually transmitted or exchanged.
Note: The UAG and the remote IPSec router must use the same pre-shared key.
Router identity consists of ID type and content. The ID type can be domain name, IP address, or e-
mail address, and the content is a (properly-formatted) domain name, IP address, or e-mail
address. The content is only used for identification. Any domain name or e-mail address that you
Diffie-Hellman key exchange
3
4
X
Y
Step 5:
pre-shared key
UAG identity, consisting of
- ID type
- content
Step 6:
pre-shared key
Remote IPSec router identity, consisting of
- ID type
- content
5
6
X
Y