In terms of performance, the generation of the Diffie-Hellman Key is slow and heavy. Key material (random bits and other mathematical data) as well as an agreement on methods for IKE phase II are exchanged between the peers.
The nature of the Diffie-Hellman protocol means that both sides can independently create the shared secret, a key which is known only to the peers. (More authentication methods are available when one of the peers is a remote access client.) The peers authenticate, either by certificates or via a pre-shared secret.Since the IPsec symmetrical keys are derived from this DH key shared between the peers, at no point are symmetric keys actually exchanged. The Diffie-Hellman algorithm builds an encryption key known as a "shared secret" from the private key of one party and the public key of the other. Both IKEv1 and IKEv2 are supported in Security Gateways of version R71 and higher.ĭiffie-Hellman (DH) is that part of the IKE protocol used for exchanging the material from which the symmetrical keys are built. The first phase lays the foundations for the second. For this reason, IKE is composed of two phases. This agreement upon keys and methods of encryption must also be performed securely. The outcome of an IKE negotiation is a Security Association (SA). IKE builds the VPN tunnel by authenticating both sides and reaching an agreement on methods of encryption and integrity. This key then encrypts and decrypts the regular IP packets used in the bulk transfer of data between VPN peers. The goal of the Internet Key Exchange (IKE) is for both sides to independently produce the same symmetrical key. Information can be securely exchanged only if the key belongs exclusively to the communicating parties. The material used to build these keys must be exchanged in a secure fashion. In symmetric cryptographic systems, both communicating parties use the same key for encryption and decryption.