LANCOM Reference Manual LCOS 3.50 - Chapter 14: Virtual Private Networks—VPN
• In two further messages, the devices exchange their public keys for Diffie-Hellman. The subsequent communication is encrypted using the Diffie-Hellman result.
• Both ends use the numbers transferred (with the Diffie-Hellman method) together with the Shared Secret to generate a common secret key that is used to encrypt the subsequent communication. Both sides additionally authenticate their Shared Secrets using hash codes. Phase 1 of the SA setup is thus completed.
• Phase 2 is based on the encrypted and authenticated connection established in Phase 1. In Phase 2, the session keys for the authentication and symmetrical encryption of the actual data transfer are generated at random and transferred.
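The Phase 1 key agreement described in the steps above, as an added Python example that is not part of the manual and not LCOS code: two devices exchange Diffie-Hellman public values, fold the Shared Secret into the derived key, and authenticate each other with a keyed hash. The group parameters, the key-derivation formula and the hash layout are simplified constructed stand-ins, not the exact ISAKMP/IKE definitions.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only: p = 2^127 - 1 is a Mersenne
# prime but far too small for real use; IKE negotiates one of the MODP groups
# from RFC 2409/3526 instead.
P = 2**127 - 1
G = 3
NBYTES = 16  # every value mod P fits in 16 bytes


def dh_keypair():
    """Return (private exponent, public value); only the public value is sent."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub, shared_secret):
    """Combine the Diffie-Hellman result with the Shared Secret (pre-shared key)
    into the key that protects the rest of the negotiation. Constructed
    derivation, not the ISAKMP/IKE SKEYID formula."""
    dh_result = pow(peer_pub, priv, P).to_bytes(NBYTES, "big")
    return hmac.new(shared_secret, dh_result, hashlib.sha256).digest()


def auth_hash(key, sender_pub, receiver_pub):
    """Keyed hash over the exchanged public values; only a peer holding the
    same Shared Secret ends up with the same key and can produce or verify it."""
    msg = sender_pub.to_bytes(NBYTES, "big") + receiver_pub.to_bytes(NBYTES, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


def phase1(psk_a, psk_b):
    """Run Phase 1 between device A (Shared Secret psk_a) and device B (psk_b).
    Returns (authenticated, key_a, key_b)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    # Public values cross the network; the private exponents never do.
    key_a = session_key(a_priv, b_pub, psk_a)
    key_b = session_key(b_priv, a_pub, psk_b)
    # B proves knowledge of its key (and so of its Shared Secret) with a hash;
    # A recomputes the hash under its own key and compares in constant time.
    proof_from_b = auth_hash(key_b, b_pub, a_pub)
    expected_by_a = auth_hash(key_a, b_pub, a_pub)
    authenticated = hmac.compare_digest(proof_from_b, expected_by_a)
    return authenticated, key_a, key_b
```

With matching Shared Secrets both sides derive the same key and the hash check succeeds; with mismatched secrets the keys differ, the hash check fails, and no data key is ever agreed.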
Symmetrical processes are used for the encryption of the actual data transfer. Asymmetrical processes (also known as public-key encryption) are more secure as they do not require the exchange of secret keys. However, they require considerable processing resources and are thus significantly slower than symmetrical processes. In practice, public-key encryption is generally only used for the exchange of key material. The actual data encryption is then performed using the fast symmetrical process.
The regular exchange of new keys

ISAKMP ensures that new key material is regularly exchanged between the two devices during the SA. This takes place automatically and can be checked using the 'Lifetime' setting in the advanced configuration of LANconfig.