IKE operates in three modes for exchanging keying information and establishing security associations: Main, Aggressive and Quick mode.
• Main mode: used to establish phase 1 during the key exchange. It uses three two-way exchanges between the initiator and the responder. In the first exchange, the algorithms and hashes are negotiated. In the second exchange, shared keys are generated using the Diffie-Hellman exchange. In the last exchange, the two peers verify each other's identities.
• Aggressive mode: provides the same service as main mode, but it uses two exchanges instead of three. It does not provide identity protection (the identities are exchanged before the channel is encrypted), which makes it more exposed to attackers. Main mode is more secure than aggressive mode.
• Quick mode: after a secure channel has been established using either main mode or aggressive mode, quick mode is used to negotiate the general IPsec security services and to generate new keying material. Quick mode messages are always encrypted under the secure channel and carry a hash payload that authenticates the rest of the packet.
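The three modes above can be told apart on the wire from the exchange type field of the fixed ISAKMP header, which is useful when auditing which mode a peer is actually negotiating. The following script is an added example and is not part of the manual or of the GWN70xx firmware: it decodes the 28-byte ISAKMP header defined in RFC 2408 (exchange type values from RFC 2408 and RFC 2409) and flags aggressive-mode phase 1 messages and quick-mode messages that are not marked encrypted. The three sample datagrams are constructed for the example; the function names (`parse_isakmp_header`, `assess`, `triage`, `build_header`) are this example's own.

```python
import struct

# ISAKMP/IKEv1 exchange type values (RFC 2408 section 3.1, RFC 2409 appendix A).
EXCHANGE_TYPES = {
    0: "NONE",
    1: "Base",
    2: "Identity Protection (Main mode)",
    3: "Authentication Only",
    4: "Aggressive",
    5: "Informational",
    32: "Quick mode",
    33: "New Group mode",
}

# Fixed header: initiator cookie (8), responder cookie (8), next payload (1),
# version (1), exchange type (1), flags (1), message ID (4), length (4).
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")
FLAG_ENCRYPTION = 0x01  # E bit: the payloads after the header are encrypted


def parse_isakmp_header(packet: bytes) -> dict:
    """Decode the fixed ISAKMP header at the start of a UDP/500 datagram."""
    if len(packet) < ISAKMP_HEADER.size:
        raise ValueError("datagram shorter than an ISAKMP header")
    (icookie, rcookie, next_payload, version, exch, flags,
     msg_id, length) = ISAKMP_HEADER.unpack_from(packet)
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "next_payload": next_payload,
        "major_version": version >> 4,
        "minor_version": version & 0x0F,
        "exchange_type": exch,
        "exchange_name": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": msg_id,
        "length": length,
    }


def assess(packet: bytes) -> dict:
    """Parse one datagram and attach defender-oriented findings."""
    hdr = parse_isakmp_header(packet)
    findings = []
    if hdr["major_version"] != 1:
        findings.append("not IKEv1: IKEv1 exchange types do not apply")
    elif hdr["exchange_type"] == 4:
        findings.append("aggressive mode phase 1: no identity protection")
    elif hdr["exchange_type"] == 32 and not hdr["encrypted"]:
        findings.append("quick mode message without the E flag set")
    hdr["findings"] = findings
    return hdr


def triage(packets) -> list:
    """Return the assessments that produced at least one finding."""
    return [a for a in (assess(p) for p in packets) if a["findings"]]


def build_header(exch: int, flags: int = 0, msg_id: int = 0,
                 next_payload: int = 1, rcookie: bytes = b"\x00" * 8) -> bytes:
    """Construct a header-only datagram (constructed sample, IKE version 1.0)."""
    return ISAKMP_HEADER.pack(b"\x11" * 8, rcookie, next_payload, 0x10,
                              exch, flags, msg_id, ISAKMP_HEADER.size)


# Constructed samples: main mode first message, aggressive mode first message,
# and a quick mode message (hash payload first, E flag set, non-zero message ID).
SAMPLE_MAIN = build_header(2)
SAMPLE_AGGRESSIVE = build_header(4)
SAMPLE_QUICK = build_header(32, flags=FLAG_ENCRYPTION, msg_id=0x1234,
                            next_payload=8, rcookie=b"\x22" * 8)

if __name__ == "__main__":
    for hit in triage([SAMPLE_MAIN, SAMPLE_AGGRESSIVE, SAMPLE_QUICK]):
        print(hit["exchange_name"], "->", "; ".join(hit["findings"]))
```

Feed it the UDP payloads of port 500 traffic captured at the WAN side of either router; any hit on exchange type 4 means a peer is negotiating aggressive mode and the VPN client should be switched to main mode.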
Configuring IPSec Tunnel
To build an IPSec secure tunnel between two devices located in different places on the Internet, we can use the sample scenario below: the branch office router needs to connect to the Headquarters office via an IPSec tunnel, and on each side we have a GWN70xx router. Users can configure the two devices as follows:
Figure 60: IPSec Tunnel
The branch office router runs a LAN subnet 192.168.1.0/24 and the HQ router runs a LAN subnet 192.168.3.0; the public IP of the branch office router is 1.1.1.1 and the public IP of the HQ router is 2.2.2.2.
○ Configuration of the Branch office router: go under VPN → VPN Clients, then click on to add a VPN Client.
○ IPSec VPN
Figure 61: Add VPN Client – IPSec
○ Phase 1