When two systems attempt secure communication, they negotiate parameters for the communication. In addition to using their default behavior, described in the previous section, they also exchange a string of characters known as a pre-shared key.
When the systems begin to negotiate parameters, they compare their pre-shared keys. If both systems have the same pre-shared key, then the systems will go ahead and negotiate parameters for the session. If the systems have a different pre-shared key, then the negotiation for secure communication will cease.
Once the pre-shared keys have been compared and matched between the two systems, the IKE protocol generates secure, secret session keys. No one can find out what these session keys are, even if they know what the pre-shared key is. Although pre-shared keys are sometimes called passwords, they do not act like passwords. Even when you know what the pre-shared key is, you cannot use that key to intercept or decrypt the information that is being transmitted.
It is important when you are developing your deployment model that you decide how to handle the distribution of the pre-shared key. Some networks use a widely-published key, known as a "group key" or the "pre-shared key on the wall." In this strategy, you make the pre-shared available to everyone. This way, all systems will be configured to use the same key. This ensures that when secure communications are requested, IKE will be able to negotiate secure communications when the keys are matched between two systems.
Copyright © 2000, Intel Corporation. All rights reserved.
Intel Corporation assumes no responsibility for errors or omissions in this document. Nor does Intel make any commitment to update the information contained herein.
* Other product and corporate names may be trademarks of other companies and are used only for explanation and to the owners' benefit, without intent to infringe.