289
IKE operation
IKE negotiates keys and establishes SAs for IPsec in two phases:
1. Phase 1—The two peers establish an ISAKMP SA, a secure, authenticated channel for
communication.
2. Phase 2—Using the ISAKMP SA established in phase 1, the two peers negotiate to establish IPsec
SAs.
Figure 87 IKE exchange process in main mode
As shown in Figure 87, the main mode of IKE negotiation in phase 1 involves three pairs of messages:
• SA exchange, used for negotiating the security policy.
• Key exchange, used for exchanging the Diffie-Hellman public value and other values like the
random number. Key data is generated in this stage.
• ID and authentication data exchange, used for identity authentication and authentication of data
exchanged in phase 1.
IKE functions
IKE provides the following functions for IPsec:
• Automatically negotiates IPsec parameters such as the keys.
• Performs DH exchange when establishing an SA, making sure that each SA has a key independent
of other keys.
• Automatically negotiates SAs when the sequence number in the AH or ESP header overflows,
making sure that IPsec provides the anti-replay service normally by using the sequence number.
• Provides end-to-end dynamic authentication.
• Identity authentication and management of peers influence IPsec deployment. A large-scale IPsec
deployment needs the support of certificate authorities (CAs) or other institutes which manage
identity data centrally.
To Next Page
Loading...
Need help?
General
