IKE negotiation process
IKE negotiates keys and SAs for IPsec in two phases:
Phase 1—The two peers establish an IKE SA, a secure, authenticated channel for communication.
Phase 2—Using the IKE SA established in phase 1, the two peers negotiate to establish IPsec SAs.
Phase 1 negotiation can use either main mode or aggressive mode.
IKE exchange process in main mode
As shown in Figure 122, the main mode of IKE negotiation in phase 1 involves three pairs of messages:
SA exchange—Used for negotiating the IKE security policy.
Key exchange—Used for exchanging the DH public value and other values, such as the random number. The two peers use the exchanged data to generate key data and use the encryption key and authentication key to ensure the security of IP packets.
ID and authentication data exchange—Used for identity authentication.
Figure 122: IKE exchange process in main mode
IKE exchange process in aggressive mode
As shown in Figure 123, the process of phase 1 IKE negotiation in aggressive mode is as follows:
The initiator (peer 1) sends a message containing the local IKE information to peer 2. The message includes parameters used for IKE SA establishment, keying data, and peer 1's identity information.
Peer 2 chooses the IKE establishment parameters to use, generates the key, and authenticates peer 1's identity. Then it sends the IKE data to peer 1.
Peer 1 generates the key, authenticates peer 2's identity, and sends the results to peer 2.
After the preceding process, an IKE SA is established between peer 1 and peer 2.
Aggressive mode is faster than main mode, but it does not protect identity information. Main mode protects identity information but is slower. Choose the negotiation mode according to your requirements.
Figure 123: IKE exchange process in aggressive mode
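The two phase 1 flows described above, reduced to a runnable model that shows why main mode protects identities and aggressive mode does not. This is an added example, not code from the original page or any vendor implementation; it assumes a toy DH group, a simplified SKEYID-style derivation, a toy XOR cipher and constructed peer names ("peer1", "peer2") and pre-shared key.

```python
import hashlib
import hmac
import secrets

# Toy DH group for illustration only (not a real IKE MODP group).
P = (1 << 127) - 1             # Mersenne prime 2^127 - 1
G = 3
PSK = b"example-preshared-key"  # constructed pre-shared key


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def keys(ni, nr, shared):
    """SKEYID and SKEYID_e, simplified from RFC 2409 (PSK authentication):
    SKEYID = prf(PSK, Ni|Nr); the encryption key is then bound to g^xy."""
    skeyid = prf(PSK, ni + nr)
    return skeyid, prf(skeyid, shared.to_bytes(16, "big") + b"\x02")


def seal(key, direction, data):
    """Toy stream cipher (XOR with a SHAKE keystream per direction); not an IKE cipher."""
    ks = hashlib.shake_256(key + direction).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def phase1(mode, id_i=b"peer1", id_r=b"peer2"):
    """Return the (sender, payloads) messages on the wire for one phase 1 run.
    Only 'ENC' payloads are protected; every other field is visible to an observer."""
    xi, xr = secrets.randbelow(P - 2) + 2, secrets.randbelow(P - 2) + 2
    gi, gr = pow(G, xi, P), pow(G, xr, P)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    ski, ske = keys(ni, nr, pow(gr, xi, P))        # initiator's derivation
    assert ske == keys(ni, nr, pow(gi, xr, P))[1]   # responder derives the same key
    hash_i = prf(ski, gi.to_bytes(16, "big") + gr.to_bytes(16, "big") + id_i)
    hash_r = prf(ski, gr.to_bytes(16, "big") + gi.to_bytes(16, "big") + id_r)
    if mode == "main":   # three pairs: SA, KE/nonce, then ID/auth under SKEYID_e
        return [("I", {"SA": b"prop"}), ("R", {"SA": b"prop"}),
                ("I", {"KE": gi, "Ni": ni}), ("R", {"KE": gr, "Nr": nr}),
                ("I", {"ENC": seal(ske, b"I", id_i + hash_i)}),
                ("R", {"ENC": seal(ske, b"R", id_r + hash_r)})]
    # aggressive: SA, KE, nonce and identity all travel in message 1, in the clear
    return [("I", {"SA": b"prop", "KE": gi, "Ni": ni, "IDi": id_i}),
            ("R", {"SA": b"prop", "KE": gr, "Nr": nr, "IDr": id_r, "HASH": hash_r}),
            ("I", {"HASH": hash_i})]


def ids_visible_on_wire(log):
    """What a passive observer learns about peer identities from the exchange."""
    return {v for _, p in log for k, v in p.items() if k in ("IDi", "IDr")}
```

Running `ids_visible_on_wire(phase1("aggressive"))` yields both identities, while the main mode run yields none, which is the trade-off the text describes.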