Manual key and Automatic IKE

Status
Not open for further replies.

s2193988 (MIS, HK), Aug 2, 2003
Hi,

I have read through many documents about VPN IPSec stuff, but I
really don't know the real difference between Manual Key and Automatic IKE.
Both of them must pre-set something on the remote client, such as a
secret key or pre-shared key. The only difference I can see is that the
pre-shared key can be much shorter than the secret key.

Can anyone tell me more about the main advantage of Automatic IKE
over Manual Key?

Thanks
Raymond Chow
 
Hello,

I lifted this from the NetScreen Web Site, which provides a fairly good description of the differences.

The first concept is the difference between Manual Key VPN and Autokey VPN (more properly known as IKE, or Internet Key Exchange, VPN). Both of these VPN types are under the IPSec umbrella, both use a Key and both utilize SPIs (Security Parameter Index). In other words, both have a Security Association (SA). In fact, once traffic is passing between the two private networks, Manual Key and IKE are exactly the same. The difference is in the way the Key and SPI values are determined.

Autokey (IKE): When using IKE to build a VPN tunnel, the two ends of the tunnel need to somehow identify themselves to each other in order to have proof that the other side is legitimate and in order to exchange Keys and SPI pairs. In other words, before the tunnel comes up, the Key and the SPI pair are not yet known. These values are generated dynamically and somewhat randomly. The endpoints can identify themselves in several ways. The NetScreen uses one of the following:

E-Mail Address
Fully Qualified Domain Name
IP Address
PKI Certificate (Microsoft, Netscape, Entrust, Verisign) – This is the most secure method.

Besides having a way to identify themselves, the endpoints need a seed that can be used to help generate the Key. This is typically called a “Pre-Shared Key”. This is some text that is entered on the endpoints and is the same on each endpoint. The IKE negotiation takes place in 2 phases.

Manual Key: In a Manual Key VPN, the administrator manually enters a value for the SPI and the Key (both in Hex). This is a much simpler, and much less secure, method of bringing up an IPSec VPN tunnel.
 
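The reply above says the pre-shared key is a "seed" and that manual keying is "much less secure", but does not show why. The following is an added, stdlib-only Python sketch (not code from the post, from NetScreen, or from any IKE implementation) of the two ways an ESP key can come into existence. The IKE side follows RFC 7296 sections 2.13 to 2.17 in simplified form: SKEYSEED and the SK_* keys come from a Diffie-Hellman exchange plus nonces, and the pre-shared key is used only to compute the AUTH payload. Assumptions: the DH modulus is a toy (the Curve25519 field prime used as a plain MODP modulus, not a real IKE group), the "signed octets" fed to AUTH are shortened to message-plus-nonce-plus-ID, and all names (`IkePeer`, `ike_negotiate`, `manual_key_sa`, `demo`) are invented for the demo.

```python
"""Added demo: manual-key IPsec SA versus an IKEv2 SA authenticated with a PSK."""
import hashlib
import hmac
import secrets

# Toy DH modulus for the demo (a prime, but NOT an IKE MODP group; real IKE
# uses the RFC 3526 / RFC 7919 groups, e.g. the 2048-bit group 14).
P = 2**255 - 19
G = 2
KEY_LEN = 32  # bytes: PRF output and key size for PRF_HMAC_SHA2_256


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv2 PRF transform PRF_HMAC_SHA2_256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 s2.13: T1 = prf(K, S|0x01), Tn = prf(K, T(n-1)|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def manual_key_sa(spi_hex: str, key_hex: str) -> dict:
    """Manual keying: the admin-typed hex IS the ESP key, for the life of the SA."""
    return {"spi": bytes.fromhex(spi_hex), "enc_key": bytes.fromhex(key_hex)}


class IkePeer:
    def __init__(self, ident: bytes, psk: bytes):
        self.ident, self.psk = ident, psk
        self.spi = secrets.token_bytes(8)        # IKE SA SPI, chosen fresh per negotiation
        self.nonce = secrets.token_bytes(32)     # Ni or Nr
        self.x = secrets.randbelow(P - 3) + 2    # private DH exponent, never sent
        self.ke = pow(G, self.x, P)              # public value carried in the KE payload

    def keys(self, peer_ke: int, ni: bytes, nr: bytes, spii: bytes, spir: bytes) -> dict:
        """RFC 7296 s2.14: SKEYSEED = prf(Ni|Nr, g^ir); SK_* = prf+(SKEYSEED, Ni|Nr|SPIi|SPIr)."""
        g_ir = pow(peer_ke, self.x, P).to_bytes(32, "big")
        skeyseed = prf(ni + nr, g_ir)
        material = prf_plus(skeyseed, ni + nr + spii + spir, 7 * KEY_LEN)
        names = ["SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr"]
        return {n: material[i * KEY_LEN:(i + 1) * KEY_LEN] for i, n in enumerate(names)}

    def auth(self, signed_octets: bytes) -> bytes:
        """RFC 7296 s2.15 PSK auth: AUTH = prf(prf(PSK, "Key Pad for IKEv2"), octets)."""
        return prf(prf(self.psk, b"Key Pad for IKEv2"), signed_octets)


def ike_negotiate(init: IkePeer, resp: IkePeer):
    """Run IKE_SA_INIT + IKE_AUTH and derive a child (ESP) SA; None if AUTH fails."""
    # IKE_SA_INIT: each message carries SPI, nonce and KE. Nothing secret is sent.
    msg1 = init.spi + init.nonce + init.ke.to_bytes(32, "big")
    msg2 = resp.spi + resp.nonce + resp.ke.to_bytes(32, "big")
    sk_i = init.keys(resp.ke, init.nonce, resp.nonce, init.spi, resp.spi)
    sk_r = resp.keys(init.ke, init.nonce, resp.nonce, init.spi, resp.spi)
    assert sk_i == sk_r  # both ends hold the same SK_* without ever transmitting them

    # IKE_AUTH (simplified signed octets): each side proves it holds the PSK.
    octets_i = msg1 + resp.nonce + prf(sk_i["SK_pi"], init.ident)
    octets_r = msg2 + init.nonce + prf(sk_r["SK_pr"], resp.ident)
    if not hmac.compare_digest(init.auth(octets_i), resp.auth(octets_i)):
        return None  # responder rejects the initiator: PSK mismatch, no tunnel
    if not hmac.compare_digest(resp.auth(octets_r), init.auth(octets_r)):
        return None  # initiator rejects the responder

    # Child SA (RFC 7296 s2.17): KEYMAT = prf+(SK_d, Ni|Nr); ESP SPIs are picked per side.
    keymat = prf_plus(sk_i["SK_d"], init.nonce + resp.nonce, 2 * KEY_LEN)
    return {"esp_spi_i": secrets.token_bytes(4), "esp_spi_r": secrets.token_bytes(4),
            "enc_key_ir": keymat[:KEY_LEN], "enc_key_ri": keymat[KEY_LEN:]}


def demo() -> dict:
    """Constructed inputs: same PSK on both gateways, then a mismatched PSK."""
    psk = b"correct horse battery staple"
    manual_a = manual_key_sa("0000c0de", "0123456789abcdef0123456789abcdef")
    manual_b = manual_key_sa("0000c0de", "0123456789abcdef0123456789abcdef")
    run1 = ike_negotiate(IkePeer(b"gw-a", psk), IkePeer(b"gw-b", psk))
    run2 = ike_negotiate(IkePeer(b"gw-a", psk), IkePeer(b"gw-b", psk))
    bad = ike_negotiate(IkePeer(b"gw-a", psk), IkePeer(b"gw-b", b"wrong psk"))
    return {"manual_static": manual_a == manual_b,          # same hex -> same key forever
            "ike_ok": run1 is not None and run2 is not None,
            "ike_fresh_keys": run1["enc_key_ir"] != run2["enc_key_ir"],  # new key each time
            "ike_bad_psk_fails": bad is None}


if __name__ == "__main__":
    print(demo())
```

The point the sketch makes: with manual keying the hex the administrator types is the traffic key and stays the same until someone retypes it, so anyone who learns it (config backup, shoulder surfing, a leaked ticket) can decrypt everything ever sent under that SA. With IKE the pre-shared key never becomes a traffic key at all; it only authenticates the exchange, the ESP keys are derived from a fresh DH secret and fresh nonces on every negotiation, and a peer with the wrong PSK gets no tunnel. A PSK can therefore be a passphrase while the manual key must be full-length random hex, which is the size difference the question noticed.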
