VPN tunnel – NETGEAR ProSafe FVS124G User Manual


Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports

Virtual Private Networking

D-9

202-10085-01, March 2005

Figure 9-8: VPN Tunnel SA

The SA contains all the information necessary for gateway A to negotiate a secure and encrypted
communication stream with gateway B. This communication is often referred to as a “tunnel.” The
gateways contain this information so that it does not have to be loaded onto every computer
connected to the gateways.

Each gateway must negotiate its Security Association with the peer gateway using the parameters
and processes defined by IPSec. As illustrated below, the most common method of
accomplishing this is the Internet Key Exchange (IKE) protocol, which automates much of the
negotiation, including authentication of the two gateways and generation of the session keys.
Alternatively, you can configure your gateways using manual key exchange, which involves
entering each parameter (including the keys) identically on both gateways.

Figure 9-9: IPSec SA negotiation

1. The IPSec software on Host A initiates the IPSec process in an attempt to communicate with Host B. The two computers then begin the Internet Key Exchange (IKE) process.

[Figure 9-9 labels: VPN Gateway A and VPN Gateway B connected by a VPN Tunnel (IPSec Security Association, IKE).
VPN Tunnel Negotiation Steps:
1) Communication request sent to VPN Gateway
2) IKE Phase I authentication
3) IKE Phase II negotiation
4) Secure data transfer
5) IPSec tunnel termination]
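The five steps labelled in Figure 9-9, and the IKE versus manual-key distinction in the text above, as a runnable Python model. This is an added illustration for this page, not NETGEAR firmware and not a wire-compatible IKE implementation: the key derivation follows the RFC 2409 formulas for pre-shared-key authentication (SKEYID, HASH_I/HASH_R, SKEYID_d, KEYMAT), but the gateway names gwA/gwB, the pre-shared key, the proposal string, the message, the packet layout (4-byte SPI and sequence number, HMAC-SHA1-96 ICV) and the use of an HMAC keystream in place of AES are all assumptions made here because the standard library has no block cipher. What it shows that the text does not: the SecurityAssociation fields (SPI, authentication key, encryption key, per direction) are exactly the values a manual-key configuration would require the operator to type identically on both gateways, Phase II derives them on each gateway independently from the Phase I secret, a pre-shared key mismatch is caught at Phase I, and the receiving gateway checks integrity and replay before it decrypts.

```python
"""Toy walk-through of the five negotiation steps in Figure 9-9: IKE Phase I with a
pre-shared key, IKE Phase II, secure data transfer, tunnel termination. Added
illustration, not NETGEAR firmware, not wire-compatible IKE; no AES in stdlib, so the
"cipher" is a toy HMAC keystream. Key derivation follows RFC 2409."""
import hashlib, hmac, os, secrets
from dataclasses import dataclass, field

# RFC 2409 Oakley group 2 (1024-bit MODP prime), generator 2.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
PROTO_ESP = b"\x03"                                 # IPsec ESP protocol id
SA_PROPOSAL = b"ESP/AES-CBC-128/HMAC-SHA1/group2"   # constructed SA payload (assumption)

def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()   # RFC 2409 prf = HMAC-SHA1

def b128(n):
    return n.to_bytes(128, "big")                       # DH values in 1024-bit wire form

@dataclass
class SecurityAssociation:          # one direction of the tunnel: what a gateway must hold
    spi: bytes
    auth_key: bytes
    encr_key: bytes
    seq: int = 0                    # last seq sent (outbound) / accepted (inbound)

@dataclass
class Gateway:
    name: bytes
    psk: bytes
    cookie: bytes = field(default_factory=lambda: os.urandom(8))
    nonce: bytes = field(default_factory=lambda: os.urandom(16))
    x: int = field(default_factory=lambda: secrets.randbelow(P - 2) + 1)  # DH private
    outbound: "SecurityAssociation | None" = None
    inbound: "SecurityAssociation | None" = None

def ike_phase1(init, resp):
    """Step 2 (main mode, PSK). Each side derives SKEYID from its own PSK copy, so HASH_I
    and HASH_R (messages 5-6) verify only if the copies agree. Returns both SKEYID_d."""
    gxi, gxr = pow(G, init.x, P), pow(G, resp.x, P)      # messages 3-4: KE + nonces
    ci, cr, ni, nr = init.cookie, resp.cookie, init.nonce, resp.nonce
    sk_i, sk_r = prf(init.psk, ni + nr), prf(resp.psk, ni + nr)         # SKEYID
    auth_i = b128(gxi) + b128(gxr) + ci + cr + SA_PROPOSAL + init.name
    auth_r = b128(gxr) + b128(gxi) + cr + ci + SA_PROPOSAL + resp.name
    if not hmac.compare_digest(prf(sk_i, auth_i), prf(sk_r, auth_i)):   # responder checks HASH_I
        raise ValueError("Phase I: HASH_I rejected (pre-shared key mismatch)")
    if not hmac.compare_digest(prf(sk_r, auth_r), prf(sk_i, auth_r)):   # initiator checks HASH_R
        raise ValueError("Phase I: HASH_R rejected (pre-shared key mismatch)")
    # SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0); g^xy is never transmitted
    return (prf(sk_i, b128(pow(gxr, init.x, P)) + ci + cr + b"\x00"),
            prf(sk_r, b128(pow(gxi, resp.x, P)) + ci + cr + b"\x00"))

def ike_phase2(init, resp, skd_i, skd_r):
    """Step 3 (quick mode, no PFS): each gateway picks its inbound SPI; KEYMAT per RFC 2409 5.5."""
    ni, nr = os.urandom(16), os.urandom(16)
    spi_to_init, spi_to_resp = os.urandom(4), os.urandom(4)
    def build(skeyid_d, spi):
        k1 = prf(skeyid_d, PROTO_ESP + spi + ni + nr)
        keymat = k1 + prf(skeyid_d, k1 + PROTO_ESP + spi + ni + nr)
        return SecurityAssociation(spi, auth_key=keymat[:20], encr_key=keymat[20:36])
    init.outbound, resp.inbound = build(skd_i, spi_to_resp), build(skd_r, spi_to_resp)
    resp.outbound, init.inbound = build(skd_r, spi_to_init), build(skd_i, spi_to_init)

def xor_stream(sa, hdr, data):      # toy cipher: HMAC counter-mode keystream, not AES
    ks = b"".join(prf(sa.encr_key, hdr + i.to_bytes(4, "big")) for i in range(len(data) // 20 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def esp_protect(sa, plaintext):     # step 4, sender: SPI | seq | ciphertext | ICV
    sa.seq += 1
    hdr = sa.spi + sa.seq.to_bytes(4, "big")
    body = xor_stream(sa, hdr, plaintext)
    return hdr + body + prf(sa.auth_key, hdr + body)[:12]        # HMAC-SHA1-96

def esp_unprotect(sa, packet):      # step 4, receiver: ICV, then anti-replay, then decrypt
    hdr, body, icv = packet[:8], packet[8:-12], packet[-12:]
    if not hmac.compare_digest(icv, prf(sa.auth_key, hdr + body)[:12]):
        raise ValueError("ESP: integrity check failed")
    seq = int.from_bytes(hdr[4:], "big")
    if hdr[:4] != sa.spi or seq <= sa.seq:
        raise ValueError("ESP: unknown SPI or replayed sequence number")
    sa.seq = seq
    return xor_stream(sa, hdr, body)

def run_tunnel(psk_a=b"s3cret-psk", psk_b=b"s3cret-psk", message=b"hello from LAN A"):
    """All five steps between two constructed gateways: returns (plaintext recovered by B,
    packet as seen on the WAN, error text produced by replaying that packet)."""
    a, b = Gateway(b"gwA", psk_a), Gateway(b"gwB", psk_b)   # step 1: A wants to reach B
    skd_a, skd_b = ike_phase1(a, b)
    ike_phase2(a, b, skd_a, skd_b)
    packet = esp_protect(a.outbound, message)
    recovered = esp_unprotect(b.inbound, packet)
    try:
        esp_unprotect(b.inbound, packet)                    # the same packet again
        replay_error = None
    except ValueError as err:
        replay_error = str(err)
    a.outbound = a.inbound = b.outbound = b.inbound = None  # step 5: tunnel torn down
    return recovered, packet, replay_error
```

Calling run_tunnel() with the default keys returns the original message, a packet that carries only SPI, sequence number, ciphertext and ICV, and the replay error; calling it with two different pre-shared keys raises in Phase I before any Phase II key is derived, which is the behaviour to expect on this gateway when the keys on the two ends do not match.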
