IPSec VPN Tunnel

The data keys and algorithms used within the IPSec tunnel are negotiated using the standard IKE protocol as described in RFC 2409. The VPN Gateway supports both Aggressive mode and Main mode negotiations. Which mode is used depends on the target tunnel server, its type, and the authentication method.

Main Mode

The VPN Gateway uses Main mode negotiations when connecting to the AT&T-developed AT&T SIG and AT&T VIG. When negotiating with the AT&T SIG and AT&T VIG, the VPN Gateway uses AT&T service certificates to provide the public/private key pair during the negotiation. After the IPSec tunnel encryption/authentication algorithms and keys have been negotiated, a proprietary authentication flow takes place inside the IPSec tunnel before any data packets are allowed to flow through the tunnel.

The AT&T service certificates used by the VPN Gateway to protect the Main mode negotiations are common to all VPN Gateway models. They are not specific to any particular VPN Gateway, and therefore they cannot be used to authenticate an individual gateway. However, they do provide an extremely secure means to establish the IPSec data tunnel key exchange.

Aggressive Mode

When negotiating with Cisco servers, the VPN Gateway uses Aggressive mode negotiations paired with a shared secret. Aggressive mode is used to support the dynamic IP addresses supplied by most ISPs: without certificates, Main mode negotiations would require a static IP address both on the VPN Gateway and at the tunnel server to which the VPN Gateway connects. To reduce the recurring cost (most static addresses are more expensive), reduce the enablement time and cost of both the VPN Gateway and the tunnel server, and expand the number of usable ISP connections, the VPN Gateway is enabled to use Aggressive mode negotiations when connecting to a Cisco server.

In all cases with Cisco, and when using AT&T SIG in Branch Office or Customer Direct modes, an additional authentication flow takes place during the IKE negotiations. This additional authentication may include RADIUS or Response Only Token managed by the AT&T Administration Server.

Encryption

The IPSec tunnel encryption algorithms supported by the VPN Gateway are DES, 3DES, and 128-, 192- and 256-bit AES; they are used to encrypt the encapsulated IP packets sent inside the IPSec tunnel. The VPN Gateway proposes algorithms from the most secure downwards, based on what is profiled in the AT&T Administration Server, and the tunnel server chooses which algorithm to use. This makes it possible to reduce the encryption strength when needed to meet specific countries’ encryption laws.

The IPSec tunnel authentication algorithms supported by the VPN Gateway are HMAC-MD5-96 and HMAC-SHA-1-96. The authentication algorithm computes a keyed hash (an HMAC) over each IPSec data packet and includes that value within the packet, so the receiver can verify that the packet originated from the VPN Gateway and that the data was not altered in transit.
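The two mechanisms described in this section, the strongest-first algorithm proposal filtered by the Administration Server profile (with the tunnel server making the final choice) and the 96-bit truncated HMAC integrity check on each packet, as an added illustration that is not the VPN Gateway's own code. The profile set, key and packet bytes are constructed for the example.

```python
import hmac
import hashlib

# Gateway preference order, strongest first (algorithms named on the page).
ENCRYPTION_PREFERENCE = ["aes256", "aes192", "aes128", "3des", "des"]
AUTH_PREFERENCE = ["hmac-sha1-96", "hmac-md5-96"]

# Map each authentication algorithm to its underlying hash; "-96" means the
# HMAC output is truncated to 96 bits (12 bytes) before being placed in the packet.
_HASHES = {"hmac-sha1-96": hashlib.sha1, "hmac-md5-96": hashlib.md5}
ICV_LEN = 12


def build_proposals(preference, profiled):
    """Proposal list sent by the gateway: preference order, restricted to what
    the Administration Server profile allows (e.g. weakened for a given country)."""
    return [alg for alg in preference if alg in profiled]


def server_choice(proposals, server_supported):
    """The tunnel server picks the first proposal it supports, or None if no
    overlap exists (the tunnel cannot be established)."""
    for alg in proposals:
        if alg in server_supported:
            return alg
    return None


def compute_icv(auth_alg, key, authenticated_bytes):
    """Integrity Check Value for one packet: HMAC over the authenticated bytes,
    truncated to the leading 96 bits."""
    return hmac.new(key, authenticated_bytes, _HASHES[auth_alg]).digest()[:ICV_LEN]


def verify_icv(auth_alg, key, authenticated_bytes, received_icv):
    """Constant-time comparison so a receiver does not leak how many ICV bytes matched."""
    return hmac.compare_digest(compute_icv(auth_alg, key, authenticated_bytes), received_icv)


if __name__ == "__main__":
    # Constructed profile: this deployment is allowed AES-128 and 3DES only.
    proposals = build_proposals(ENCRYPTION_PREFERENCE, {"aes128", "3des"})
    print("proposed:", proposals, "chosen:", server_choice(proposals, {"3des", "des"}))
    key = b"\x0b" * 20                      # constructed 160-bit SHA-1 HMAC key
    packet = b"\x45\x00\x00\x1c" + b"payload"  # constructed authenticated bytes
    icv = compute_icv("hmac-sha1-96", key, packet)
    print("icv bytes:", len(icv), "verifies:", verify_icv("hmac-sha1-96", key, packet, icv))
```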