HPE Community
Operating System - Linux
1824488 Members
3412 Online
109672 Solutions
New Discussion

FOR ipsec, does manual Key is the key-exchange-way other than IKE or the special mode of IKE

 
SOLVED
Go to solution
frederick van tagero
Advisor

‎07-03-2003 02:05 AM

‎07-03-2003 02:05 AM

FOR ipsec, does manual Key is the key-exchange-way other than IKE or the special mode of IKE

July 03, 2003 10:00 AM GMT
I want to build a simplest IPsec use freeswan, and notice the option of keyexchage=ike is default and the oonly option. however, I remember there are much case only need preshare manual key.

so I doubt whether manual Key is the key-exchange-way other than IKE or the special mode of IKE.

or in other simply word, can IPsec/freeswan can work without IKE?

best regards,
Frederick van Targero
frederick van targero
0 Kudos
Reply
1 REPLY 1
Andrew Cowan
Honored Contributor

‎07-03-2003 09:08 PM

‎07-03-2003 09:08 PM

Solution

Re: FOR ipsec, does manual Key is the key-exchange-way other than IKE or the special mode of IKE

Hi Frederick,

The difference between IKE and "manual" key is that once a manual shared secret/key is setup, it will never change, unless you change it yourself. This is a problem since the longer that use use the same key, the higher the chances that an attacker can analyse your traffic, and work out what the key is, and thus decrypt your data. The other problem is that to change the key you have to find a way to transmit it securely to the other party, then stop/start the tunnel to install it.

With IKE you can either setup a shared-secret in exactly the same way as the manual tunnel, or use X.509 certificates to generate one for you. Which ever way you choose to do it IKE will automatically derive new session keys on a regular basis, thus anyone listening could not rely on the fact that any traffic they captured was encyphered with the same key.

I'm sorry that I don't know much about Freeswan but there is no simpler way to use IPSec than with a shared-key that is rotated by IKE.
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.