IPSec Key Exchange (IKE)


IKE Operation

Phase-1 is used to generate IKe/ISAKMP-SA

Phase-2 is used to generate IPSEC-SA

 

IKE Phase 1 (Main Mode)

• Main mode negotiates an IKE/ISAKMP-SA which will be used to create IPsec-SAs in Phase-2

• Three steps

– SA negotiation (encryption algorithm, hash algorithm, authentication method, which DF group to use)

– Do a Diffie-Hellman exchange

– Provide authentication information

– Authenticate the peer

IKE Phase 1 (Aggressive Mode)

• Uses 3 (vs 6) messages to establish IKE SA

• No denial of service protection

• Does not have identity protection

• Optional exchange and not widely implemented

IKE Phase 2 (Quick Mode)

After the tunnel is secured and authenticated, in Phase 2 the channel is further secured for the transfer of data between the networks. IKE Phase 2 uses the keys that were established in Phase 1 of the process and the IPSec Crypto profile, which defines the IPSec protocols and keys used for the SA in IKE Phase 2.

The IPSEC uses the following protocols to enable secure communication:
Encapsulating Security Payload (ESP)—Allows you to encrypt the entire IP packet, and authenticate the source and verify integrity of the data. While ESP requires that you encrypt and authenticate the packet, you can choose to only encrypt or only authenticate by setting the encryption option to Null; using encryption without authentication is discouraged.
Authentication Header (AH)—Authenticates the source of the packet and verifies data integrity. AH does not encrypt the data payload and is unsuited for deployments where data privacy is important. AH is commonly used when the main concern is to verify the legitimacy of the peer, and data privacy is not required.
Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s