43.4. IPSec connections

An IPSec connection is established in two phases using the Internet Key Exchange (IKE) protocol.

Phase 1: First, a secure control channel is established (called the ISAKMP SA or IKE SA). This channel is set up via UDP port 500. If the system detects that one side is behind a NAT router, it switches to UDP port 4500 (NAT traversal). There are two modes for this setup: Main Mode and Aggressive Mode. Aggressive Mode speeds up the connection setup by a few tenths of a second, but it is easier to attack because it uses fewer messages and sends the peer identities before the channel is encrypted. The Intra2net system therefore only supports the more secure Main Mode.

Phase 2: The secure channel established in Phase 1 is now used to negotiate the actual connection parameters and session keys (Quick Mode). If this succeeds, an IPSec SA is set up and can then be used to transmit encrypted data.

For security reasons, both phases of the connection have a limited lifetime and are therefore renegotiated (rekeyed) at regular intervals.

For security reasons, and to simplify routing, each side of the connection checks that only packets matching the previously configured networks pass through the tunnel; anything else is dropped. It is therefore important that identical values for the source and destination network of a tunnel are configured on both sides (mirrored: one side's source network is the other side's destination network).

In order to be able to define security policies very narrowly, any number of separate IPSec connections can be established between the same two peers, each with its own pair of networks.