Chapter 30 IPSec VPN
UAG5100 User’s Guide
304
Figure 204
IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal
The UAG sends one or more proposals to the remote IPSec router. (In some devices, you can only
set up one proposal.) Each proposal consists of an encryption algorithm, authentication algorithm,
and DH key group that the UAG wants to use in the IKE SA. The remote IPSec router selects an
acceptable proposal and sends the accepted proposal back to the UAG. If the remote IPSec router
rejects all of the proposals, the UAG and remote IPSec router cannot establish an IKE SA.
Note: Both routers must use the same encryption algorithm, authentication algorithm,
and DH key group.
In most UAGs, you can select one of the following encryption algorithms for each proposal. The
algorithms are listed in order from weakest to strongest.
• Data Encryption Standard (DES) is a widely used method of data encryption. It applies a 56-bit
key to each 64-bit block of data.
• Triple DES (3DES) is a variant of DES. It iterates three times with three separate keys, effectively
tripling the strength of DES.
• Advanced Encryption Standard (AES) is a newer method of data encryption that also uses a
secret key. AES applies a 128-bit key to 128-bit blocks of data. It is faster than 3DES.
Some UAGs also offer stronger forms of AES that apply 192-bit or 256-bit keys to 128-bit blocks of
data.
In most UAGs, you can select one of the following authentication algorithms for each proposal. The
algorithms are listed in order from weakest to strongest.
• MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
• SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.
• SHA256 (Secure Hash Algorithm) produces a 256-bit digest to authenticate packet data.
• SHA512 (Secure Hash Algorithm) produces a 512-bit digest to authenticate packet data.
See
Diffie-Hellman (DH) Key Exchange on page 304
for more information about DH key groups.
Diffie-Hellman (DH) Key Exchange
The UAG and the remote IPSec router use DH public-key cryptography to establish a shared secret.
The shared secret is then used to generate encryption keys for the IKE SA and IPSec SA. In main
mode, this is done in steps 3 and 4, as illustrated next.
One or more proposals, each one consisting of:
- encryption algorithm
- authentication algorithm
- Diffie-Hellman key group
1
2
X
Y