6-2 Firmware User Guide

The advantage of using IKE is that it automatically negotiates IPsec Security Associations and enables IPsec secure communications without having to manually enter the lengthy encryption keys at both ends of the connection. You enter a human-readable pass phrase or shared secret English sentence, like "my dog has fleas", on each end once. This pass phrase is used to authenticate each end to the other. Thereafter, the two ends periodically use a public key method called Diffie-Hellman to exchange key material and then securely generate new authentication and encryption keys. The keys are automatically and continually changing, making the data exchanged using the keys inherently secure.

It also allows you to specify a lifetime for the IPsec Security Association and allows encryption keys to change periodically during IPsec sessions. You can set this period for key generation to as often as your security requirements dictate.

A Security Policy Database (SPD) now defines the security requirements. This is a significant change from earlier firmware implementations of IPsec. Traffic with a source IP address that falls within the local member specification of an IPsec tunnel and that is addressed to a destination IP address that falls within the remote member specification of that tunnel is not routed using the normal routing table. Instead it is forwarded using the security policy database to the remote security gateway (remote tunnel endpoint) specified in the IPsec tunnel configuration. It is not possible to send traffic outside the tunnel by bypassing the tunnel and the remote security gateway.

Note: Fully protecting against IP address "spoofing" of local member addresses requires firewall rules to be installed on the WAN interface. These must prevent packets coming in through that interface with local member source addresses, since local member source addresses should only originate from the LAN. Otherwise it is theoretically possible for a malicious hacker to send packets through the tunnel by impersonating local member IP addresses. See the chapter "Security" on page 10-1 for more information.

Traffic originating from local member LAN addresses that is not addressed to remote member addresses, as well as traffic originating from local LAN IP addresses that do not match any local member specifications, is routed using the normal routing table. This means that if you want to restrict traffic from local members from going out to the Internet and force it all to go through one or more tunnels, you need to specify remote members of 0.0.0.0 - 255.255.255.255 or 0.0.0.0/0. Traffic originating from the gateway, for example, Telnet, ping, or DNS queries, will not use the default VPN definition even if the source addresses match. Traffic to and from the gateway is included in specific VPNs.

Internet Key Exchange (IKE) Configuration

IPsec tunnels are defined in the same manner as PPTP tunnels. (See "Virtual Private Networks (VPNs)" on page 5-1 for more information.) You configure the Connection Profile as follows.

From the Main Menu navigate to WAN Configuration and then Add Connection Profile.

Menu path: Main Menu > WAN Configuration > Add Connection Profile
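The SPD selection rules and the WAN anti-spoofing note above can be checked against a small model. The following is an added example written for this guide, not firmware code from the product: it models a tunnel as a local member, a remote member and a remote security gateway, decides per packet whether the SPD forwards it to a gateway or hands it to the normal routing table, and implements the WAN ingress rule that drops packets whose source address lies inside any local member. All addresses, tunnel names and the `Tunnel`, `select_policy` and `wan_ingress_allowed` names are constructed for the example; treating a remote member of 0.0.0.0/0 as the "default VPN definition" that gateway-originated traffic skips is an assumption about the text, not a documented firmware rule.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class Tunnel:
    """One IPsec tunnel definition (hypothetical model, not the firmware's data structure)."""
    name: str
    local_member: IPv4Network    # source addresses covered by this tunnel
    remote_member: IPv4Network   # destination addresses covered by this tunnel
    remote_gateway: IPv4Address  # remote tunnel endpoint the SPD forwards to


# Constructed sample configuration. "hq" protects a single private range;
# "branch-all" uses a 0.0.0.0/0 remote member to force all branch traffic into the tunnel.
TUNNELS: List[Tunnel] = [
    Tunnel("hq", ip_network("192.168.1.0/24"), ip_network("10.0.0.0/8"), ip_address("203.0.113.1")),
    Tunnel("branch-all", ip_network("192.168.2.0/24"), ip_network("0.0.0.0/0"), ip_address("203.0.113.2")),
]

# Constructed addresses owned by the gateway itself (LAN interfaces and WAN address).
GATEWAY_ADDRS: Set[IPv4Address] = {
    ip_address("192.168.1.1"),
    ip_address("192.168.2.1"),
    ip_address("198.51.100.7"),
}


def is_default_vpn(t: Tunnel) -> bool:
    # Assumption: a remote member of 0.0.0.0/0 is the "default VPN definition".
    return t.remote_member.prefixlen == 0


def select_policy(src: str, dst: str,
                  tunnels: List[Tunnel] = TUNNELS,
                  gateway_addrs: Set[IPv4Address] = GATEWAY_ADDRS) -> Tuple[str, Optional[str]]:
    """Return ("tunnel", gateway) when the SPD forwards the packet to a remote
    security gateway, or ("route", None) when the normal routing table is used."""
    s, d = ip_address(src), ip_address(dst)
    for t in tunnels:
        if s in t.local_member and d in t.remote_member:
            # Gateway-originated traffic (Telnet, ping, DNS) does not use the default
            # VPN definition even though its source matches; specific VPNs still apply.
            if s in gateway_addrs and is_default_vpn(t):
                continue
            return ("tunnel", str(t.remote_gateway))
    # No local/remote member pair matched: ordinary routing, e.g. out to the Internet.
    return ("route", None)


def wan_ingress_allowed(src: str, tunnels: List[Tunnel] = TUNNELS) -> bool:
    """Anti-spoofing rule for the WAN interface: local member source addresses
    should only originate from the LAN, so any such source arriving on the WAN is dropped."""
    s = ip_address(src)
    return not any(s in t.local_member for t in tunnels)


def classify(packets: List[Tuple[str, str]]) -> List[Tuple[str, str, str, Optional[str]]]:
    """Apply select_policy to a batch of (src, dst) pairs for inspection."""
    return [(src, dst, *select_policy(src, dst)) for src, dst in packets]


if __name__ == "__main__":
    # Constructed sample packets.
    sample = [
        ("192.168.1.10", "10.5.5.5"),   # hq member to remote member: tunnelled
        ("192.168.1.10", "8.8.8.8"),    # hq member to Internet: normal routing
        ("192.168.2.10", "8.8.8.8"),    # branch member with 0.0.0.0/0 remote: forced into tunnel
        ("192.168.2.1", "8.8.8.8"),     # gateway-originated: skips the default VPN definition
        ("192.168.1.1", "10.1.1.1"),    # gateway-originated but a specific VPN matches
    ]
    for row in classify(sample):
        print(row)
    for src in ("192.168.1.50", "198.51.100.9"):
        print("WAN ingress", src, "allowed" if wan_ingress_allowed(src) else "DROPPED (spoofed local member)")
```

Tunnels are matched in configuration order, so if local members overlap the first matching definition wins; in the model this is the only ordering rule, and a real deployment should check its firmware's documented precedence before relying on overlapping members.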