Tunnel considerations

Edit online

You should consider several things before deciding which type of tunnel to use for IP security.

IKE tunnels differ from manual tunnels because the configuration of security policies is a separate process from defining tunnel endpoints.

In IKE, there is a two-step negotiation process. Each step of the negotiation process is called a phase, and each phase can have separate security policies.

When the Internet Key negotiation starts, it must set up a secure channel for the negotiations. This is known as the key management phase or phase 1. During this phase, each party uses preshared keys or digital certificates to authenticate the other and pass ID information. This phase sets up a security association during which the two parties determine how they plan to communicate securely and then which protections are to be used to communicate during the second phase. The result of this phase is an IKE or phase 1 tunnel.

The second phase is known as the data management phase or phase 2 and uses the IKE tunnel to create the security associations for AH and ESP that actually protect traffic. The second phase also determines the data that will be using the IP Security tunnel. For example, it can specify the following:

  • A subnet mask
  • An address range
  • A protocol and port number combination
Figure 1. IKE Tunnel Setup Process
This illustration shows the two-step, two-phase process for setting up an IKE tunnel.
Note: IKEv2 also has two phases. The first phase is known as the IKE SA phase or phase 1. The second phase is known as the CHILD SA phase or phase 2 . Unlike the way tunnels are established in IKEv1, when a phase 1 tunnel is established in IKEv2, a phase 2 tunnel is automatically activated. The configuration of IKEv2 tunnels is similar to configuration of IKEv1 tunnels.

In many cases, the endpoints of the key management (IKE) tunnel will be the same as the endpoints of the data management (IP Security) tunnel. The IKE tunnel endpoints are the IDs of the machines carrying out the negotiation. The IP Security tunnel endpoints describe the type of traffic that will use the IP Security tunnel. For simple host-to-host tunnels, in which all traffic between two tunnels is protected with the same tunnel, the phase 1 and phase 2 tunnel endpoints are the same. When negotiating parties are two gateways, the IKE tunnel endpoints are the two gateways, and the IP Security tunnel endpoints are the machines or subnets (behind the gateways) or the range of addresses (behind the gateways) of the tunnel users.