201
Figure 64 IKE exchange process in main mode
As shown in Figure 64, the main mode of IKE negotiation in phase 1 involves three pairs of
messages:
• SA exchange—Used for negotiating the security policy.
• Key exchange—Used for exchanging the DH public value and other values like the random
number. Key data is generated in this stage.
• ID and authentication data exchange—Used for identity authentication and authentication of
data exchanged in phase 1.
The main difference between the main mode and the aggressive mode is that the aggressive mode
does not provide identity protection and exchanges only three messages, rather than three pairs.
The main mode provides identity protection but is slower.
IKE functions
IKE provides the following functions for IPsec:
• Automatically negotiates IPsec parameters such as the keys.
• Performs DH exchange when establishing an SA, making sure that each SA has a key
independent of other keys.
• Automatically negotiates SAs when the sequence number in the AH or ESP header overflows,
making sure IPsec provides the anti-replay service correctly by using the sequence number.
• Provides end-to-end dynamic authentication.
• Identity authentication and management of peers influence IPsec deployment. A large-scale
IPsec deployment needs the support of CAs or other institutes which manage identity data
centrally.
To Next Page
Loading...
Need help?
General
