Internet Key Exchange (IKE)    Firebox Vclass User Guide    303

tion. Phase 2 involves an exchange of keys to determine how the data between the two will be encrypted.

Diffie-Hellman is an algorithm used in IKE to negotiate the keys required for data encryption. Diffie-Hellman groups are collections of parameters used to achieve the negotiation. These groups allow two peer systems that have no prior knowledge of one another to publicly exchange and agree on a shared secret key. Group 1 is a 768-bit prime modulus group, and group 2 is a 1024-bit prime modulus group. The difference is in the number of bits used for exponentiation to generate private and public keys. Group 2 is more secure than group 1, but requires more time to compute the keys.

NAT Traversal (UDP Encapsulation)

A problem occurs with IPsec-encrypted packets crossing NAT devices. The IPsec Authentication Header (AH) protects entire IP packets, including the IP headers, from modification. NAT modifies the IP header, causing an inherent incompatibility. The IPsec Encapsulating Security Payload (ESP) encrypts IP packets. NAT cannot modify TCP and UDP ports when these values are encrypted, so NAT is also incompatible with ESP.

The solution for this problem is UDP encapsulation, or NAT traversal. UDP encapsulation wraps an IPsec packet inside a UDP/IP header. This allows NAT to function without modifying the encapsulated IPsec packet.

Figure 12: UDP Encapsulation
[Figure: packet layout showing Original IP Header | UDP Header | Zero Pad | ESP Header | TCP/UDP | Original Payload | ESP Trail | ESP Auth, with the encrypted and authenticated spans marked.]

Encapsulation requires “decapsulation.” ESP-wrapped packets are exchanged between IKE peers: gateway-to-
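The UDP encapsulation described in the NAT Traversal section, as an added example that is not part of this guide: a Python builder and parser for NAT-T datagrams on UDP port 4500. The guide's figure shows the draft-era layout with a zero pad between the UDP and ESP headers; this example follows the final RFC 3948 layout instead, where the ESP header directly follows the UDP header and an IKE message is marked by four leading zero bytes (an ESP SPI is never zero). The sample ESP packet, its SPI and the function names are constructed for the example.

```python
import struct

UDP_ENCAP_PORT = 4500                  # IANA port for UDP-encapsulated ESP and NAT-T IKE (RFC 3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE messages start with four zero bytes;
                                       # an ESP SPI is never zero, so the receiver can tell them apart


def udp_encapsulate_esp(esp_packet: bytes, sport: int = UDP_ENCAP_PORT,
                        dport: int = UDP_ENCAP_PORT) -> bytes:
    """Wrap an already-built ESP packet (SPI, sequence, ciphertext, ICV) in a UDP header.
    Only the UDP header is added; the ESP packet itself is untouched, which is the point of
    NAT traversal: the NAT rewrites the outer IP/UDP fields and never sees the ESP contents.
    The UDP checksum is left zero, which RFC 3948 permits for IPv4 because the receiver
    must ignore it anyway (the NAT changed the addresses it would have covered)."""
    if len(esp_packet) < 8 or esp_packet[:4] == NON_ESP_MARKER:
        raise ValueError("not an ESP packet: SPI must be present and non-zero")
    udp_header = struct.pack("!HHHH", sport, dport, 8 + len(esp_packet), 0)
    return udp_header + esp_packet


def classify_udp4500(datagram: bytes) -> dict:
    """Decapsulate a UDP datagram received on port 4500 and classify its payload:
    'keepalive' (a single 0xFF byte), 'ike' (non-ESP marker, then the IKE message) or
    'esp' (SPI and sequence number follow the UDP header directly)."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _cksum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("UDP length field inconsistent with datagram size")
    payload = datagram[8:length]
    if payload == b"\xff":
        return {"type": "keepalive", "sport": sport, "dport": dport}
    if payload[:4] == NON_ESP_MARKER:
        return {"type": "ike", "ike_bytes": payload[4:]}
    if len(payload) < 8:
        raise ValueError("ESP payload too short for SPI and sequence number")
    spi, seq = struct.unpack("!II", payload[:8])
    return {"type": "esp", "spi": spi, "seq": seq, "esp_packet": payload}


# Constructed sample: SPI 0x12345678, sequence 1, 16 bytes of fake ciphertext, 12-byte ICV.
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + bytes(range(16)) + b"\xaa" * 12


if __name__ == "__main__":
    wrapped = udp_encapsulate_esp(SAMPLE_ESP)
    print(classify_udp4500(wrapped))                                          # type 'esp', spi 0x12345678
    print(classify_udp4500(struct.pack("!HHHH", 4500, 4500, 9, 0) + b"\xff"))  # type 'keepalive'
```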