Now that you know a little more about how the VPN negotiation takes place, let’s drill down into a detailed discussion and break down the individual components of Phase 1 IKE negotiation.
A few pages back you learned about Diffie-Hellman at the initial stages of a Phase 1 IKE negotiation, but Diffie-Hellman only establishes a secure channel over which two parties can communicate; it does not actually authenticate the other VPN peer. This is where IKE authentication is used to ensure that the other party is authorized to establish the VPN. The details of the Diffie-Hellman exchange are beyond the scope of this book; there is an abundance of information available on the Internet, including on Wikipedia (http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange).
IKE authentication comes in two forms: preshared key (password) and certificate authentication.
The most common way to establish a VPN connection is to use preshared keys, which are essentially a password that is the same for both parties. This password must be exchanged in advance through some out-of-band mechanism, such as over the phone, via a verbal exchange, or via less secure mechanisms such as email. The parties then authenticate each other by encrypting the preshared key with the peer’s public key, which was obtained in the Diffie-Hellman exchange.
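The following added example (not from the book) models the point made above: the Diffie-Hellman exchange always yields a matching shared secret, even between peers that have never met, and only the subsequent preshared-key step tells a peer whether the other side is authorized. It uses the RFC 2409 Oakley Group 2 MODP parameters, and a keyed hash over the DH result as a simplified stand-in for IKE's real authentication payload; the `Peer`, `phase1` and `dh_agrees` names are this example's own.

```python
import hashlib
import hmac
import secrets

# RFC 2409 Oakley Group 2 (1024-bit MODP) prime and generator, as used by IKE.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


class Peer:
    """One IKE endpoint: a DH key pair plus the preshared key it was configured with."""

    def __init__(self, psk: bytes):
        self.psk = psk
        self.priv = secrets.randbelow(P - 2) + 1   # private exponent x
        self.pub = pow(G, self.priv, P)            # public value g^x mod p, sent in the clear
        self.nonce = secrets.token_bytes(16)       # fresh per negotiation

    def shared_secret(self, peer_pub: int) -> bytes:
        # g^(xy) mod p: agrees on both sides, but says nothing about WHO sent peer_pub.
        return pow(peer_pub, self.priv, P).to_bytes(128, "big")

    def auth_tag(self, peer_pub: int, peer_nonce: bytes) -> bytes:
        # Simplified stand-in for IKE's PSK authentication (constructed for this example):
        # a keyed hash over the DH result and both nonces, keyed with the preshared key.
        msg = self.shared_secret(peer_pub) + self.nonce + peer_nonce
        return hmac.new(self.psk, msg, hashlib.sha256).digest()

    def verify(self, peer_pub: int, peer_nonce: bytes, tag: bytes) -> bool:
        # Recompute what the peer should have sent (peer's nonce first) and compare in constant time.
        msg = self.shared_secret(peer_pub) + peer_nonce + self.nonce
        expected = hmac.new(self.psk, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def dh_agrees(a: Peer, b: Peer) -> bool:
    # Unauthenticated DH: a matching secret is produced regardless of the PSKs configured.
    return a.shared_secret(b.pub) == b.shared_secret(a.pub)


def phase1(initiator: Peer, responder: Peer) -> bool:
    """DH exchange followed by mutual PSK authentication; True only if both PSKs match."""
    tag_i = initiator.auth_tag(responder.pub, responder.nonce)
    tag_r = responder.auth_tag(initiator.pub, initiator.nonce)
    return (responder.verify(initiator.pub, initiator.nonce, tag_i)
            and initiator.verify(responder.pub, responder.nonce, tag_r))
```

A peer holding the wrong PSK still completes the DH step, which is exactly why the authentication step cannot be skipped.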
Preshared keys are commonly deployed for site-to-site IPsec VPNs, either within a single ...