01:198:352 Lecture Notes - Lecture 25: Ipsec, Internet Security Association And Key Management Protocol, Shared Secret
Document Summary
Previous examples use manual establishment of ipsec sas in ipsec endpoints. Manual keying is impractical for vpn with 100s of endpoints. Run ike to authenticate each other and to generate ipsec sas, including encryption, authentication keys. Pki: both sides start with public/private key pair, certificate. Run ike to authenticate each other, obtain ipsec sas. Phase 2: isakmp is used to securely negotiate ipsec pair of sas. Phase 1 has two nodes: aggressive mode and main mode. Main mode provides identity protection and is more flexible. Ike message exchange for algorithms, secret keys, spi numbers. Ipsec peers can be two end systems, two routers/firewalls, or a router/firewall and an end system. Combine each byte of keystream with byte of plaintext to get ciphertext: c(i) = ith unit of ciphertext. Ks(i) = ith unit of keystream c(i) = ks(i) m(i) Uses authentication server separate from access point. Eap: end-end client to authentication server protocol.