D-Link DFL-2500 User Manual

method where IKE is not used at all; the encryption and authentication keys as well as some other
parameters are directly configured on both sides of the VPN tunnel.

Note

D-Link Firewalls do not support Manual Keying.

Manual Keying Advantages

Since it is very straightforward it will be quite interoperable. Most interoperability problems
encountered today are in IKE. Manual keying completely bypasses IKE and sets up its own set of
IPsec SAs.

Manual Keying Disadvantages

It is an old method, which was used before IKE came into use, and is thus lacking all the
functionality of IKE. This method therefore has a number of limitations, such as having to use the
same encryption/authentication key always, no anti-replay services, and it is not very flexible. There
is also no way of assuring that the remote host/firewall really is the one it says it is.

This type of connection is also vulnerable for something called "replay attacks", meaning a
malicious entity which has access to the encrypted traffic can record some packets, store them, and
send them to its destination at a later time. The destination VPN endpoint will have no way of
telling if this packet is a "replayed" packet or not. Using IKE eliminates this vulnerability.

PSK

Using a Pre-shared Key (PSK) is a method where the endpoints of the VPN "share" a secret key.
This is a service provided by IKE, and thus has all the advantages that come with it, making it far
more flexible than manual keying.

PSK Advantages

Pre-Shared Keying has a lot of advantages over manual keying. These include endpoint
authentication, which is what the PSKs are really for. It also includes all the benefits of using IKE.
Instead of using a fixed set of encryption keys, session keys will be used for a limited period of
time, where after a new set of session keys are used.

PSK Disadvantages

One thing that has to be considered when using Pre-Shared Keys is key distribution. How are the
Pre-Shared Keys distributed to remote VPN clients and firewalls? This is a major issue, since the
security of a PSK system is based on the PSKs being secret. Should one PSK be compromised, the
configuration will need to be changed to use a new PSK.

Certificates

Each VPN firewall has its own certificate, and one or more trusted root certificates.

The authentication is based on several things:

•

That each endpoint has the private key corresponding to the public key found in its certificate,
and that nobody else has access to the private key.

•

That the certificate has been signed by someone that the remote gateway trusts.

Certificate Advantages

Added flexibility. Many VPN clients, for instance, can be managed without having the same
pre-shared key configured on all of them, which is often the case when using pre-shared keys and

9.3.3. IKE Authentication

Chapter 9. VPN

246