like security protocol (ESP or AH), encryption and/or authentication algorithms,
session keys, SA lifetime, and so on. Because an IPSec SA is simplex (unidirectional)
in nature, a bidirectional communication requires at least two SAs, one in each
direction.
The basic operation of IKE can be broken down into two phases:
IKE Phase 1 is used to authenticate the two endpoints and negotiate the
parameters and key material required to establish a secure channel (i.e., IKE SA).
The IKE SA is then used to protect further IKE exchanges.
IKE Phase 2 is used to negotiate the parameters and key material required to
establish IPSec SAs. The IPSec SAs are then used to authenticate and encrypt
the user data.
1) IKE Phase 1
During IKE phase 1, one or more security proposals are exchanged and agreed upon
between the two endpoints. The two endpoints exchange proposals for acceptable
security services such as:
Encryption algorithm (DES, 3DES, or AES 128/192/256)
Authentication (hash) algorithm (MD5 or SHA-1)
Diffie-Hellman group (Refer to Diffie-Hellman Exchange described later in this
section for more information.)
Authentication method (preshared key)
Phase 1 negotiation succeeds when both IPSec endpoints accept at least one of the
proposed sets of phase 1 security parameters and then process it.
When acting as an initiator, the Device supports up to 8 phase 1 proposals, which let
you specify a prioritized series of security parameter sets; when acting as a responder,
it can accept any phase 1 proposal that matches its configuration.
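As an added illustration of the proposal negotiation described above (example code written for this page, not the NR-70's firmware): the initiator offers an ordered list of at most 8 proposals, the responder picks the first offered proposal it is configured to accept, and an optional hardening check refuses the DES, MD5 and Diffie-Hellman group 1 choices that the device still lists. The data structures, the `reject_weak` policy and the sample proposals are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# The manual states this limit for the device acting as initiator.
MAX_INITIATOR_PROPOSALS = 8


@dataclass(frozen=True)
class Phase1Proposal:
    """One IKE phase 1 proposal: the four items the text says are negotiated.
    (Structure is an assumption for the example, not the device's format.)"""
    encryption: str      # "DES", "3DES", "AES128", "AES192", "AES256"
    hash_alg: str        # "MD5" or "SHA1"
    dh_group: int        # Diffie-Hellman group number, e.g. 1, 2, 5, 14
    auth_method: str = "psk"   # preshared key


# Choices a hardened responder should refuse (policy assumption for the example):
# DES has a 56-bit key, MD5 is broken, and group 1 is a 768-bit MODP group.
WEAK_ENCRYPTION: Set[str] = {"DES"}
WEAK_HASHES: Set[str] = {"MD5"}
WEAK_DH_GROUPS: Set[int] = {1}


def is_weak(p: Phase1Proposal) -> bool:
    return (p.encryption in WEAK_ENCRYPTION
            or p.hash_alg in WEAK_HASHES
            or p.dh_group in WEAK_DH_GROUPS)


def build_initiator_proposals(proposals: Iterable[Phase1Proposal]) -> List[Phase1Proposal]:
    """Validate the initiator's ordered proposal list (most preferred first)."""
    proposals = list(proposals)
    if not proposals:
        raise ValueError("at least one phase 1 proposal is required")
    if len(proposals) > MAX_INITIATOR_PROPOSALS:
        raise ValueError(f"device supports at most {MAX_INITIATOR_PROPOSALS} phase 1 proposals")
    return proposals


def responder_select(offered: List[Phase1Proposal],
                     acceptable: Set[Phase1Proposal],
                     reject_weak: bool = True) -> Optional[Phase1Proposal]:
    """Responder side: return the first offered proposal, in the initiator's
    preference order, that this responder is configured to accept.
    None means no match, so phase 1 ends without an IKE SA."""
    for p in offered:
        if reject_weak and is_weak(p):
            continue          # refuse a downgrade even if our policy lists it
        if p in acceptable:
            return p
    return None


# Constructed sample proposals for the walk-through.
STRONG = Phase1Proposal("AES256", "SHA1", 14)
MEDIUM = Phase1Proposal("3DES", "SHA1", 2)
LEGACY = Phase1Proposal("DES", "MD5", 1)


def demo():
    """Run three negotiations and report the outcomes as a tuple."""
    offered = build_initiator_proposals([STRONG, MEDIUM, LEGACY])

    # 1) Responder accepts 3DES and DES but not AES: first match is MEDIUM.
    chosen = responder_select(offered, {MEDIUM, LEGACY})

    # 2) Responder only knows the legacy set: strict policy refuses it (no SA),
    #    a lax policy silently negotiates DES/MD5/group 1.
    strict = responder_select(offered, {LEGACY}, reject_weak=True)
    lax = responder_select(offered, {LEGACY}, reject_weak=False)

    # 3) The 8-proposal initiator limit is enforced.
    try:
        build_initiator_proposals([STRONG] * (MAX_INITIATOR_PROPOSALS + 1))
        limit_enforced = False
    except ValueError:
        limit_enforced = True

    return chosen, strict, lax, limit_enforced


if __name__ == "__main__":
    print(demo())
```

The `lax` result is the case worth remembering: because the responder chooses in the initiator's preference order from whatever it is configured to accept, a peer whose policy still lists DES/MD5 will land on that set whenever the stronger proposals fail to match, so the fix is to remove weak sets from both ends' configuration rather than relying on ordering alone.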
Main Mode and Aggressive Mode
IKE supports two modes for its phase 1 negotiation: main mode and aggressive mode.
Each is described below.
Main Mode
Main mode has three two-way exchanges with a total of six messages between the
initiator and the responder.
First exchange (messages 1 and 2): The encryption and authentication algorithms
used to secure the IKE communications are negotiated and agreed upon
between the two endpoints.