282
Figure 85
IKE exchange process in main mode
As shown in
, the main mode of IKE negotiation in phase 1 involves three pairs of messages:
•
SA exchange
—Used for negotiating the IKE security policy.
•
Key exchange
—Used for exchanging the DH public value and other values, such as the random
number. The two peers use the exchanged data to generate key data and use the encryption key
and authentication key to ensure the security of IP packets.
•
ID and authentication data exchange
—Used for identity authentication.
The main difference between the main mode and the aggressive mode is that the aggressive mode does
not provide identity information protection and exchanges only three messages, rather than three pairs.
The main mode provides identity information protection but is slower.
IKE security mechanism
IKE has a series of self-protection mechanisms and supports secure identity authentication, key
distribution, and IPsec SA establishment on insecure networks.
Identity authentication
The IKE identity authentication mechanism is used to authenticate the identity of the communicating
peers. The device supports the following identity authentication methods:
•
Pre-shared key authentication
—Two communicating peers use the pre-configured shared key for
identity authentication.
•
RSA signature authentication
and
DSA signature authentication
—Two communicating peers use
the digital certificates issued by the CA for identity authentication.
The pre-shared key authentication method does not require certificates and is easy to configure. It is
usually deployed in small networks.
The signature authentication methods provide higher security and are usually deployed in networks with
the headquarters and some branches. When deployed in a network with many branches, a signature
authentication method can simplify the configuration because only one PKI domain is required. If you use