Billion Electric Company BiGuard 50G User Manual

177

addresses. Aggressive mode reduces this process to three messages, but parameter
negotiation is limited, identity protection is lacking except when using public key
encryption, and is more vulnerable to Denial of Service attacks.

Phase II, known as Quick Mode, establishes symmetrical IPSec Security
Associations for both AH and ESP. It does this by negotiating IPSec parameters,
exchange nonces to derive session keys from the IKE shared secret, exchange DH
values to generate a new key, and identify which traffic this SA bundle will protect
using selectors (IDi and IDr payloads).

The following is an illustration on how data is handled with IKE:

Start

Main Mode

Aggressive Mode

Quick Mode

With PFS

Quick Mode

Without PFS

Phase 1
Negotiate
ISAKMP SA
Mutual Authentication

Phase 2
Negotiate SAs
For AH and ESP

Protected Data Transfer

New IPSec tunnel or Rekeying

or

or