Westermo RedFox Series User Manual, page 792

Westermo OS Management Guide

Version 4.17.0-0

35.1.2 Authenticated Keying using Internet Key Exchange (IKE)

As part of the IPsec VPN tunnel establishment Alice and Bob will use the IKE (Internet Key Exchange) protocol to authenticate each other and create the necessary session keys to protect the data traffic. WeOS supports IKE version 1 (IKEv1) with authentication through pre-shared keys (PSK) or certificates (RSA signature keys using X.509 certificates). In IKEv1 there are two authentication handshakes (phase-1 and phase-2):

- IKE phase-1 handshake: In this document the IKE phase-1 handshake is simply referred to as the IKE handshake. In the IKE handshake Alice and Bob identify themselves and use their configured PSK or certificates to authenticate each other. When configuring an IPsec tunnel, the identities of the peers should be defined. Five methods are provided:

  Distinguished name (ID_DER_ASN1_DN): (Only applicable for certificate based authentication.) The distinguished name (DN) of an X.509 certificate, e.g., "/C=US/O=ACME/CN=foobar", can be used as identification. The DN string can also be specified in LDAP style (e.g., "C=US, O=ACME, CN=foobar"). The responder would typically use a wild-card (e.g., "C=US, O=ACME, CN=*") to allow multiple road-warriors to establish tunnel sessions via a single tunnel configuration.

  IP Address (ID_IPV4_ADDR): If the IP address of the peer is known, it can be used to identify it. When using main mode with PSK (main and aggressive modes are explained later in this section) this is the only option. When using IP address as IKE identity, WeOS allows you to specify either an IP address or a domain name, which is then resolved via DNS.

  Domain name (ID_FQDN): The identification can be specified as the domain name of the peer. When specifying type "domain name", the entered identity value (e.g., foobar.example.com) is sent as is, i.e., it is not resolved to an IP address. Therefore, the domain name identification type could be used as a general user name, such as foobar.

  Email style (ID_USER_FQDN): The identification can be specified in email address style, e.g., [email protected].

  Key identification (ID_KEY_ID): (Only applicable for PSK based authentication.) With the key identification type, the identification can be entered as an opaque byte stream. As with the domain name type, the key identification type can be used to enter a general user name, such

© 2015 Westermo Teleindustri AB
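The constraints the section attaches to the five identity types (DN only with certificate authentication, key identification only with PSK, IP address as the only option in main mode with PSK, and wild-card DN matching on the responder) can be written down as a small validator. The following is an added example written for this page, not WeOS code: the functions `parse_dn`, `dn_matches` and `check_identity` and their accepted-input rules are assumptions, the sample identities are constructed, and the wild-card semantics (shell-style `*` inside a single RDN value, values compared case-sensitively) are a simplification of real X.500 name matching.

```python
"""Hypothetical validator for IKEv1 identity types (added example, not WeOS code)."""
import fnmatch
import ipaddress
import re
from typing import List, Tuple

ID_TYPES = ("ID_DER_ASN1_DN", "ID_IPV4_ADDR", "ID_FQDN", "ID_USER_FQDN", "ID_KEY_ID")

# RFC 1123 style hostname label; assumption: sufficient for an identity syntax check.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_hostname(value: str) -> bool:
    """True if value is syntactically a hostname (a single label such as 'foobar' counts)."""
    if not value or len(value) > 253:
        return False
    return all(_LABEL.match(label) for label in value.rstrip(".").split("."))


def is_ipv4(value: str) -> bool:
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse a DN given in slash style ('/C=US/O=ACME/CN=foobar') or LDAP style
    ('C=US, O=ACME, CN=foobar') into an ordered list of (attribute, value).
    Assumption: values contain no escaped separators."""
    dn = dn.strip()
    parts = [p for p in dn.split("/") if p] if dn.startswith("/") else \
        [p.strip() for p in dn.split(",") if p.strip()]
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    if not rdns:
        raise ValueError("empty DN")
    return rdns


def dn_matches(configured: str, peer_dn: str) -> bool:
    """Responder-side check: does the peer certificate's DN match the configured
    identity? '*' in a configured value matches any value for that attribute."""
    pattern, peer = parse_dn(configured), parse_dn(peer_dn)
    if len(pattern) != len(peer):
        return False
    return all(pa == ca and fnmatch.fnmatchcase(cv, pv)
               for (pa, pv), (ca, cv) in zip(pattern, peer))


def check_identity(id_type: str, value: str, auth: str, mode: str = "main") -> Tuple[bool, str]:
    """Return (ok, reason) for an identity of id_type with auth 'psk' or 'cert'
    in IKE mode 'main' or 'aggressive', applying the rules stated in the section."""
    if id_type not in ID_TYPES:
        return False, f"unknown identity type {id_type}"
    if auth == "psk" and mode == "main" and id_type != "ID_IPV4_ADDR":
        return False, "main mode with PSK only supports ID_IPV4_ADDR"
    if id_type == "ID_DER_ASN1_DN":
        if auth != "cert":
            return False, "distinguished name requires certificate authentication"
        try:
            parse_dn(value)
        except ValueError as exc:
            return False, str(exc)
        return True, "ok"
    if id_type == "ID_IPV4_ADDR":
        # An address or a name; the name would be resolved via DNS, which is not done here.
        return (True, "ok") if is_ipv4(value) or is_hostname(value) else (False, "not an IPv4 address or hostname")
    if id_type == "ID_FQDN":
        # Sent as is, so a bare name like 'foobar' is accepted as a general user name.
        return (True, "ok") if is_hostname(value) else (False, "invalid domain name")
    if id_type == "ID_USER_FQDN":
        local, sep, domain = value.partition("@")
        return (True, "ok") if sep and local and is_hostname(domain) else (False, "expected user@domain")
    # ID_KEY_ID: opaque byte stream, only meaningful with PSK
    if auth != "psk":
        return False, "key identification requires PSK authentication"
    return (True, "ok") if value else (False, "empty key identification")


if __name__ == "__main__":
    # Constructed sample: a responder configured with a wild-card DN and two road-warriors.
    configured = "C=US, O=ACME, CN=*"
    for peer in ("/C=US/O=ACME/CN=alice", "/C=US/O=OTHER/CN=bob"):
        print(peer, "->", "accepted" if dn_matches(configured, peer) else "rejected")
    print(check_identity("ID_FQDN", "foobar.example.com", "psk", "main"))
```

The responder check in `dn_matches` is the operational point: a wild-card should be confined to the attribute the operator intends to leave open (here CN) while the issuer-controlled attributes (C, O) still have to match exactly, otherwise any certificate the trusted CA has issued would be accepted on that tunnel.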
