Internet Key Exchange

The Internet Key Exchange is the protocol used to set up a security association (SA) in IPsec. The firewall supports IKE as defined in RFC 2409.

The key exchange is comprised of the following phases:
  • Authentication (phase 1). During phase 1, the peers authenticate themselves using a preshared key or digital certificate. A secure, authenticated communication channel is created using the Diffie–Hellman algorithm to generate a shared secret key to encrypt further communications. This negotiation results in session keys and a security association.
  • Key exchange (phase 2). In phase 2, the peers use the security channel established in phase 1 to negotiate an IPsec security association. The keying material for this association is created using the IKE phase 1 keys or by performing a new key exchange according to the PFS settings. This association encrypts the actual user data that is passed between the peers.

Diffie–Hellman key exchange

The Diffie–Hellman key exchange is a method of securely exchanging cryptographic keys over an insecure channel. The Diffie–Hellman algorithm was created to prevent secure encrypted keys from being attacked over the internet during transmission. Using the Diffie–Hellman key exchange with an authentication algorithm ensures protection against spoofing and man-in-the-middle attacks.

Perfect Forward Secrecy

Perfect Forward Secrecy (PFS) is a method for deriving phase 2 keys independent from and unrelated to the preceding keys. When you specify PFS, a new key will be generated for every negotiation and a new DH key exchange is included. PFS offers improved security as it requires a network intruder to crack an additional key.