I believe Diffie-Hellman is used to protect the initial key exchanges (IKE).
IKE in turn is not necessary, but enhances the way IPSec works. For
instance, IKE automatically negotiates SAs for IPSec, which eliminates the
need to manually configure all the IPSec security parameters. It also
facilitates dynamic change of encryption keys during IPSec sessions. There's
also the scalability issue, etc.

Unless you have any compelling reasons for not using IKE, my advice is to
configure an ISAKMP Policy, and you are done with it.

CM

> -----Original Message-----
> From: Rick Holden [mailto:[EMAIL PROTECTED]]
> Sent: 31 May 2001 01:26
> To: [EMAIL PROTECTED]
> Subject: VPN Diffie-Hellmen [7:6539]
> 
> 
> I am a little confused why Diffie-Hellman's key exchange is needed for IKE.
> When I set up ISAKMP, regardless of the authentication I am using I need to
> supply a key, whether pre-share, public/private, or RSA sig. If this is the
> case, why can't the two VPN peers just use this key for setting up the VPN
> tunnel, or vice versa, why can't Diffie-Hellman's key exchange be used instead
> of the ISAKMP keys? I hope my question is clear. It just seems
> Diffie-Hellman is used to create secret keys and I have to create a secret key
> myself to set up IKE.
> FAQ, list archives, and subscription info: 
> http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=6584&t=6539
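
An added illustration of the question in this thread (not part of either poster's message): how IKEv1 with pre-shared-key authentication combines the configured key with the Diffie-Hellman secret, following the key derivation in RFC 2409 section 5. The 127-bit modulus, generator, sample PSK and all function names are constructed for the example; real IKE uses the Oakley MODP groups.

```python
import hashlib
import hmac
import secrets

# Toy DH parameters, constructed for this example only (not an IKE group).
P = 2**127 - 1
G = 3

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf when HMAC-SHA1 is the negotiated hash."""
    return hmac.new(key, data, hashlib.sha1).digest()

def to_bytes(n: int) -> bytes:
    """Encode a group element padded to the modulus length."""
    return n.to_bytes((P.bit_length() + 7) // 8, "big")

def derive_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 section 5 key derivation for pre-shared-key authentication."""
    skeyid = prf(psk, ni + nr)                # PSK + nonces: authenticates the peers
    tail = to_bytes(gxy) + cky_i + cky_r      # g^xy: fresh secret for every exchange
    d = prf(skeyid, tail + b"\x00")           # SKEYID_d keys the IPSec SAs
    a = prf(skeyid, d + tail + b"\x01")       # SKEYID_a authenticates ISAKMP messages
    e = prf(skeyid, a + tail + b"\x02")       # SKEYID_e encrypts ISAKMP messages
    return {"SKEYID": skeyid, "SKEYID_d": d, "SKEYID_a": a, "SKEYID_e": e}

def phase1(psk: bytes):
    """Simulate one exchange; return (initiator keys, responder keys, wire data)."""
    x, y = (secrets.randbelow(P - 3) + 2 for _ in range(2))   # private exponents
    gx, gy = pow(G, x, P), pow(G, y, P)                       # public values
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    init = derive_keys(psk, ni, nr, pow(gy, x, P), cky_i, cky_r)
    resp = derive_keys(psk, ni, nr, pow(gx, y, P), cky_i, cky_r)
    wire = {"gx": gx, "gy": gy, "ni": ni, "nr": nr, "cky_i": cky_i, "cky_r": cky_r}
    return init, resp, wire

def recomputable_from_wire(psk: bytes, wire: dict) -> bytes:
    """All that the PSK plus recorded traffic yields: SKEYID, not the session keys.
    g^xy never crosses the wire, so SKEYID_d/_a/_e stay out of reach."""
    return prf(psk, wire["ni"] + wire["nr"])

if __name__ == "__main__":
    psk = b"constructed-example-psk"
    s1, r1, w1 = phase1(psk)
    s2, _, _ = phase1(psk)
    print("peers agree:", s1 == r1)
    print("same PSK, new session, new keys:", s1["SKEYID_e"] != s2["SKEYID_e"])
    print("PSK + capture gives SKEYID only:", recomputable_from_wire(psk, w1) == s1["SKEYID"])
```

The configured key proves who the peer is; the Diffie-Hellman value is what makes each session's keys fresh, so disclosure of the long-lived key does not by itself expose recorded sessions.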