09-04-2015 04:03 PM
Hello, I understand how Diffie-Hellman is used in phase 1 to share keys.
My question is, is this an alternative way to create a VPN tunnel? i.e. could it not just work like a common connection to an SSL website, where one end of the VPN has a cert. This cert provides the public key to the other peer etc.
I am just trying to understand why we need Diffie-Hellman to exchange keys when setting up a VPN, rather than using the standard 'SSL-style' certificate procedure I outlined above?
Thank you for any help.
09-05-2015 12:53 AM
You are mixing up two functions of the VPN:
The certificate is used for the authentication of the connection. For IPsec VPNs the other typically used way is to use pre-shared keys.
Diffie-Hellman is used to negotiate keys for the connection. That is done for IPsec VPNs and also for SSL/TLS connections when Forward Secrecy is configured (which is a best practice nowadays). The traditional way for SSL/TLS is that the client generates a secret, encrypts it with the public key of the server (the pub-key is taken from the certificate) and sends this back to the server.
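The two functions the reply separates, worked as an added stdlib-only Python example (not from the thread): ephemeral Diffie-Hellman negotiates the session key while a pre-shared key only authenticates the exchange, beside the "traditional" RSA transport, whose recorded ciphertext a later-obtained server private key still opens. The PSK value and the toy RSA key are constructed, and the DH group is IKE group 2 (1024-bit), chosen for brevity rather than as a recommendation.

```python
import hashlib, hmac, secrets

# Long-term credentials, constructed for this example:
PSK = b"example-pre-shared-key"          # IPsec-style PSK authentication
RSA_P, RSA_Q, RSA_E = 61, 53, 17          # toy "certificate" key; real keys are 2048+ bits
RSA_N, RSA_D = RSA_P * RSA_Q, pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))

# 1024-bit MODP prime of IKE Diffie-Hellman group 2 (RFC 2409), generator 2.
# Current practice is group 14 (2048-bit) or larger, or an elliptic-curve group.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def kdf(shared):                          # derive a session key from a shared secret
    return hashlib.sha256(shared.to_bytes(128, "big")).digest()

def auth_tag(psk, role, pub):             # authentication: MAC the DH value under the PSK
    return hmac.new(psk, role + pub.to_bytes(128, "big"), hashlib.sha256).digest()

def dh_handshake(psk_initiator=PSK, psk_responder=PSK):
    """Ephemeral DH negotiates the key; the PSK only authenticates the exchange.
    Returns (initiator_key, responder_key, peers_authenticated, wire_transcript)."""
    xi, xr = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1  # private exponents
    pub_i, pub_r = pow(G, xi, P), pow(G, xr, P)                        # values sent on the wire
    if not (1 < pub_i < P - 1 and 1 < pub_r < P - 1):
        raise ValueError("degenerate DH public value")
    tag_i, tag_r = auth_tag(psk_initiator, b"i", pub_i), auth_tag(psk_responder, b"r", pub_r)
    # each side recomputes the peer's tag with its own copy of the PSK
    ok = hmac.compare_digest(tag_r, auth_tag(psk_initiator, b"r", pub_r)) and \
         hmac.compare_digest(tag_i, auth_tag(psk_responder, b"i", pub_i))
    return kdf(pow(pub_r, xi, P)), kdf(pow(pub_i, xr, P)), ok, (pub_i, pub_r, tag_i, tag_r)

def rsa_transport():
    """'Traditional' SSL/TLS: the client picks the secret, encrypts it with the
    server's certificate public key and sends it. Returns (client_key, ciphertext)."""
    secret = secrets.randbelow(RSA_N - 2) + 2           # toy premaster secret
    return kdf(secret), pow(secret, RSA_E, RSA_N)

def recover_from_rsa_capture(ciphertext):
    """No forward secrecy: whoever later obtains the server's private key can
    decrypt a recorded ciphertext and rebuild the session key."""
    return kdf(pow(ciphertext, RSA_D, RSA_N))
```

With a mismatched PSK the two peers still derive the same DH key, but the authentication check fails; that is the separation the reply describes.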
09-10-2015 08:17 PM
Hi,
Here is a link to an excellent article about the "Server has a weak ephemeral Diffie-Hellman public key ... ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY" error.