Re: how IKE works in case of Checkpoint Firewall

From: Tina Bird (tbird@precision-guesswork.com)
Date: Tue Jun 26 2001 - 09:47:17 PDT

    First off, note that Checkpoint's naming of encryption
    mechanisms is confusing.  IKE is not an encryption or
    VPN protocol.  It's a protocol for host authentication, 
    negotiation of security parameters for an encrypted
    connection, and key generation and exchange.  What
    Checkpoint really means is "IPsec VPN with dynamic key
    exchange."  End rant.
    
    IKE consists of two phases.  Phase One includes verification
    of the identities of the local and remote systems (via pre-
    shared secrets or certificates) and negotiation of the security
    parameters for Phase Two.  If Phase Two does >not< need to be
    encrypted, then the Phase One exchange is called "IKE Aggressive
    Mode."  If Phase Two is required to use a secure channel, then
    session keys are generated in Phase One, and Phase One is called
    "IKE Main Mode."  Main Mode is about three times slower than 
    Aggressive mode because of the key generation step.  The 
    security parameters negotiated for the Phase Two connection 
    are the IKE or ISAKMP Security Association.
    
    Once the hosts are authenticated, then Phase Two (also known as
    "IKE Quick Mode") proceeds -- this is the piece that negotiates
    the security parameters for the actual IPsec connection, including
    IPsec protocols (AH or ESP), lifetime of connection, encryption
    and hash algorithms, and the initial session key for the
    connection.  Assuming that the hosts can agree on a common set
    of security parameters, once Quick Mode is complete, the IPsec
    connection goes live.  This second set of parameters is the IPsec
    Security Association.
    
    You could >never< tell that I'm revising my USENIX VPN class!
    
    Hope that helps -- Tina Bird
    VPN List Moderator
    
    On Mon, 25 Jun 2001, [iso-8859-1] priya subramanian wrote:
    
    > Date: Mon, 25 Jun 2001 06:02:31 +0100 (BST)
    > From: "[iso-8859-1] priya subramanian" <pentestingat_private>
    > To: pen-testat_private
    > Subject: how IKE works in case of Checkpoint Firewall
    > 
    > In my understanding IKE involves two phases wherein the
    > DH keys and the CA keys are exchanged and a secret key
    > is derived for encryption.
    > 
    > But when configuring IKE VPN in a Checkpoint firewall
    > we don't exchange any DH keys.. only a preshared secret
    > is directly given. This is really confusing.
    > 
    > Could anyone elaborate on how exactly IKE encryption
    > works with Firewall-1
    > 
    > Regards
    > Priya
    > 
    > 
    
    VPN:  http://kubarb.phsx.ukans.edu/~tbird/vpn.html
    life: http://kubarb.phsx.ukans.edu/~tbird
    work: http://www.counterpane.com
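    An added illustration, not part of Tina's reply or anything from Checkpoint: the RFC 2409 Phase One key derivation with pre-shared-key authentication, showing why a Firewall-1 admin never types a DH key. Both peers still do a Diffie-Hellman exchange (Oakley Group 2 here); the pre-shared secret never goes on the wire and is only the HMAC key that seeds SKEYID. Assumptions: SHA-1 as the negotiated hash, and constructed stand-ins for the SA and ID payloads.

```python
import hashlib
import hmac
import secrets

# Oakley Group 2: the 1024-bit MODP prime from RFC 2409 Appendix E, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
HASH = hashlib.sha1  # assumption: SHA-1 negotiated as the Phase One hash


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC keyed with `key` over the negotiated hash."""
    return hmac.new(key, data, HASH).digest()


def to_bytes(n: int) -> bytes:
    return n.to_bytes((P.bit_length() + 7) // 8, "big")


def phase1_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """Derive SKEYID and its three children; the PSK is only an HMAC key."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")  # feeds Phase Two keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # auth
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # encrypt
    return skeyid, skeyid_d, skeyid_a, skeyid_e


def run_phase1(psk_initiator, psk_responder):
    """Simulate both peers; return (initiator keys, responder keys, HASH_I ok)."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)    # cookies
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)         # nonces
    xi, xr = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    gxi, gxr = pow(G, xi, P), pow(G, xr, P)          # public values sent on the wire
    keys_i = phase1_keys(psk_initiator, ni, nr, to_bytes(pow(gxr, xi, P)), cky_i, cky_r)
    keys_r = phase1_keys(psk_responder, ni, nr, to_bytes(pow(gxi, xr, P)), cky_i, cky_r)
    # HASH_I: initiator proves PSK knowledge; responder recomputes it with its own SKEYID.
    sa_b, id_b = b"constructed-SA-payload", b"constructed-ID-payload"  # constructed stand-ins
    msg = to_bytes(gxi) + to_bytes(gxr) + cky_i + cky_r + sa_b + id_b
    hash_i_sent = prf(keys_i[0], msg)
    hash_i_expected = prf(keys_r[0], msg)
    return keys_i, keys_r, hmac.compare_digest(hash_i_sent, hash_i_expected)
```

    With matching secrets both sides end up with identical SKEYID_d/a/e and HASH_I verifies; with a mismatched secret the DH exchange still completes but SKEYID differs, so HASH_I fails and Phase One is rejected.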
    



    This archive was generated by hypermail 2b30 : Tue Jun 26 2001 - 16:47:45 PDT