Internet Key Exchange | 
---|---
IKE Version 1 | 
Phase 1 (IKE / ISAKMP SA) | Diffie-Hellman group: 1, 2, 5, 14, 19, 20 or 24 (the higher groups use a longer modulus or an elliptic curve, so a larger number of bits and stronger keys; groups 1, 2 and 5 are 768, 1024 and 1536-bit MODP and should no longer be used). Authentication: pre-shared key, or private/public key pairs exchanged through a PKI (certificates). The peers then switch to the encrypted channel just established (step 3) and send their IKE identification to authenticate themselves (step 4).
Phase 2 (IPsec SA) | Generates the symmetric encryption keys. ESP encryption algorithm: 3DES or AES. Authentication (integrity) algorithm: HMAC with MD5, SHA-1 or SHA-2, used by AH and also by ESP when ESP is configured with authentication. VPN protocol: ESP (optionally combined with AH) or AH. Mode the VPN uses: Tunnel or Transport.
IKE Version 2 | Four exchange types: IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA, INFORMATIONAL.

IPsec mode | 
---|---
Tunnel Mode (most used) | The whole original IP packet (header and payload) is encapsulated and a new outer IP header is added; required when the VPN endpoints are gateways rather than the communicating hosts.
Transport Mode | Only the layer-4 segment (payload) of the original packet is protected; the original IP header is kept, so the VPN endpoints must be the communicating hosts themselves.

Public key infrastructure and hashing | 
---|---
PKI (Public Key Infrastructure) | Suited to large networks; stronger authentication than pre-shared keys. Uses asymmetric key pairs (private and public): the private key decrypts (and signs), the public key encrypts (and verifies signatures). Components: CA (Certification Authority, issues and signs certificates), RA (Registration Authority, verifies identities before the CA issues), VA (Validation Authority, answers whether a certificate is still valid).
Digital certificate | Based on X.509. Contents: issuer, subject identity, serial number, validity period (expiration dates), and the digital signature of the Certificate Authority.
Fingerprint | The file (or transaction, or certificate) is hashed; the resulting hash value is its fingerprint.
Hashing | Algorithms: MD5, SHA-1, SHA-2. At the source: file / text / ... → hashing algorithm → hash value (string). On the other side: password (or text) → same hashing algorithm → produces the same hash value; the two hashes are compared. A hash loses information and cannot be reversed to restore the original. MD5 and SHA-1 no longer offer collision resistance and should not be chosen for new deployments.
Comparison | Hashing (one-way, no key) vs. encryption that uses an asymmetric key (public/private pair, reversible with the matching key) vs. encryption that uses a symmetric key (the same shared key on both sides, reversible).

SRX specifics | 
---|---
IKE Identification (IKE-ID) | IP address, hostname, user FQDN (e-mail style), or distinguished name (taken from the certificate).
SRX VPN Type | Policy-based VPN: the tunnel is the action of a security policy (from-zone ... to-zone ... then permit tunnel ipsec-vpn). Route-based VPN: traffic is routed into a secure tunnel interface (st0.x) bound to the VPN, and the security policy only permits traffic between the zones.
NAT-Traversal (NAT-T) | A modem/firewall doing source NAT modifies the source IP address and the source TCP/UDP port of upstream traffic. Consequence: the integrity hash (ICV) that AH computes over the IP header no longer matches at the peer, and a port-translating NAT has no port to map in plain ESP (IP protocol 50). Solution: detect NAT during the IKE negotiation, then encapsulate and decapsulate the IPsec traffic in UDP/4500 (IKE itself also moves from UDP/500 to UDP/4500).
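The Phase 1 / Phase 2 flow and the NAT-T problem described above, as an added Python example (it is not code from these notes or from Junos): it runs a Diffie-Hellman exchange in group 14 (RFC 3526), expands the shared secret into an ESP encryption key and an HMAC-SHA-256 integrity key with a prf+-shaped expansion (the seed string and key layout are assumptions, not the exact RFC 2409/7296 construction), then shows why source NAT invalidates AH's ICV while an ESP packet wrapped in UDP/4500 still verifies. The IP addresses, SPI, ports and packet bytes are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import struct

# RFC 3526 group 14: 2048-bit MODP prime, generator 2 (one of the groups listed in the notes)
GROUP14_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
GROUP14_G = 2


def dh_keypair(p=GROUP14_P, g=GROUP14_G):
    """Phase 1: a peer picks a secret exponent x and sends g^x mod p."""
    priv = secrets.randbelow(p - 3) + 2          # 2 .. p-2
    return priv, pow(g, priv, p)


def dh_shared_secret(priv, peer_pub, p=GROUP14_P):
    """Reject degenerate public values (0, 1, p-1) before exponentiating."""
    if not 1 < peer_pub < p - 1:
        raise ValueError("invalid DH public value")
    return pow(peer_pub, priv, p).to_bytes((p.bit_length() + 7) // 8, "big")


def derive_child_keys(shared, nonce_i, nonce_r, enc_len=32, auth_len=32):
    """Phase 2 / CHILD_SA: expand the DH result into an ESP encryption key and an HMAC
    integrity key.  Same shape as IKEv2 prf+ (Tn = prf(K, Tn-1 | S | n)); the seed string
    "child-sa" and the key layout are assumptions, not the exact RFC construction."""
    skeyseed = hmac.new(nonce_i + nonce_r, shared, hashlib.sha256).digest()
    keymat, t, n = b"", b"", 1
    while len(keymat) < enc_len + auth_len:
        t = hmac.new(skeyseed, t + b"child-sa" + bytes([n]), hashlib.sha256).digest()
        keymat += t
        n += 1
    return keymat[:enc_len], keymat[enc_len:enc_len + auth_len]


def icv(auth_key, covered):
    """HMAC-SHA-256-128: the notes' 'SHA2' integrity algorithm, truncated to 128 bits."""
    return hmac.new(auth_key, covered, hashlib.sha256).digest()[:16]


def ah_packet(auth_key, src, dst, payload):
    """AH: the ICV covers the immutable IP header fields (src/dst) plus the payload."""
    return {"src": src, "dst": dst, "data": payload, "icv": icv(auth_key, src + dst + payload)}


def ah_verify(auth_key, pkt):
    return hmac.compare_digest(pkt["icv"], icv(auth_key, pkt["src"] + pkt["dst"] + pkt["data"]))


def esp_packet(auth_key, spi, seq, payload):
    """ESP: the ICV covers SPI, sequence number and payload, never the outer IP header."""
    body = struct.pack("!II", spi, seq) + payload
    return {"esp": body, "icv": icv(auth_key, body)}


def esp_verify(auth_key, pkt):
    return hmac.compare_digest(pkt["icv"], icv(auth_key, pkt["esp"]))


def source_nat(pkt, nat_ip, nat_port):
    """The modem/firewall of the notes: rewrites the outer source IP and, when the packet
    carries a UDP header, the source port.  Returns a new packet; the input is untouched."""
    out = dict(pkt)
    out["src"] = nat_ip
    if "sport" in out:
        out["sport"] = nat_port
    return out


def simulate(payload=b"constructed inner IP packet"):
    """Run Phase 1, derive Phase 2 keys, then push AH and NAT-T ESP through source NAT."""
    xi, gi = dh_keypair()                        # initiator
    xr, gr = dh_keypair()                        # responder
    shared_i = dh_shared_secret(xi, gr)
    shared_r = dh_shared_secret(xr, gi)
    if shared_i != shared_r:
        raise RuntimeError("DH agreement failed")
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    _enc_key, auth_key = derive_child_keys(shared_i, nonce_i, nonce_r)

    # constructed addresses: inside host, NAT public address, remote VPN peer
    inside, public, peer = b"\x0a\x00\x00\x05", b"\xc6\x33\x64\x01", b"\xc6\x33\x64\x02"

    # AH: NAT rewrites the source IP that the ICV covers, so the peer rejects the packet.
    ah = source_nat(ah_packet(auth_key, inside, peer, payload), public, 0)
    # ESP inside UDP/4500 (NAT-T): outer IP/UDP header is rewritten, the ICV still verifies.
    natt = {"src": inside, "dst": peer, "sport": 4500, "dport": 4500,
            "esp": esp_packet(auth_key, spi=0x1000, seq=1, payload=payload)}
    natt = source_nat(natt, public, 61000)
    return {"ah_valid_after_nat": ah_verify(auth_key, ah),
            "esp_natt_valid_after_nat": esp_verify(auth_key, natt["esp"]),
            "nat_src": natt["src"], "nat_sport": natt["sport"]}


if __name__ == "__main__":
    print(simulate())
```

Running `simulate()` reports the AH packet as invalid after NAT and the UDP/4500-wrapped ESP packet as still valid, with the NAT having rewritten both the outer source address and the UDP source port. Plain ESP (IP protocol 50) would keep a valid ICV too, but it carries no port for a port-translating NAT to map, which is the other reason the traffic is wrapped in UDP/4500. A real IKE implementation derives SKEYID (IKEv1) or SKEYSEED and the prf+ stream (IKEv2) with the negotiated PRF rather than the fixed HMAC-SHA-256 used here.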