IKE operation, Functions of IKE in IPsec – H3C Technologies H3C SecPath F1000-E User Manual
IKE operation
IKE negotiates keys and establishes SAs for IPsec in two phases:
1. Phase 1—The two peers establish an ISAKMP SA, a secure, authenticated channel for communication. In this phase, two modes are available: main mode and aggressive mode.
2. Phase 2—Using the ISAKMP SA established in phase 1, the two peers negotiate to establish IPsec SAs.
Figure 80 IKE exchange process in main mode
As shown in Figure 80, the main mode of IKE negotiation in phase 1 involves three pairs of messages:
• SA exchange, used for negotiating the security policy.
• Key exchange, used for exchanging the Diffie-Hellman public value and other values like the random number. Key data is generated in this stage.
• ID and authentication data exchange, used for authentication of identity and of the data exchanged in phase 1.
The main difference between main mode and aggressive mode is that aggressive mode does not provide identity protection and carries the three exchanges above in only three messages. Aggressive mode exchanges less information and negotiates faster; it suits scenarios where the requirement for identity protection is lower. For scenarios with a higher requirement for identity protection, use main mode.
Functions of IKE in IPsec
IKE provides the following functions for IPsec:
• Automatically negotiates IPsec parameters such as the keys, reducing the manual configuration complexity.
• Performs a DH exchange whenever establishing an SA, making sure that each SA has a key independent of any other key.
• Automatically negotiates new SAs when the sequence number in the AH or ESP header overflows, making sure that IPsec can keep providing its sequence-number-based anti-replay service.
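The exchanges described in the two sections above, modelled as an added Python illustration (not code from the manual or from the H3C product): main mode sends the peer identities only in the third, encrypted message pair, aggressive mode sends them in the clear in its first two messages, and each IPsec SA takes its key from a fresh DH exchange and is renegotiated when the 32-bit sequence number reaches its maximum. The DH group, PRF, proposal name and peer identities are constructed placeholders, and SKEYID and HASH_I/HASH_R are simplified stand-ins for the RFC 2409 derivations.

```python
"""Toy model of IKE phase 1 (main vs aggressive mode) and of the per-SA
Diffie-Hellman exchange and sequence-number rekey that IKE provides for
IPsec.  Added illustration, not H3C code; group, PRF and message layout
are simplified."""
import hashlib
import hmac
import secrets

# Toy DH group, constructed for illustration (real IKE uses the MODP/ECP
# groups of RFC 3526 / RFC 5903).  2**127 - 1 is prime.
P = 2**127 - 1
G = 3
PROPOSAL = "toy-proposal"   # placeholder for the negotiated security policy
SEQ_MAX = 2**32 - 1         # 32-bit AH/ESP sequence number


def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_skeyid(psk: bytes, shared: int, ni: bytes, nr: bytes) -> bytes:
    """Toy SKEYID: PRF over the pre-shared key, the DH secret and both nonces."""
    return prf(psk, shared.to_bytes(16, "big") + ni + nr)


def auth_hash(skeyid: bytes, identity: str) -> bytes:
    """Toy HASH_I / HASH_R: proves the peer holds SKEYID for this identity."""
    return prf(skeyid, identity.encode())


def main_mode(psk: bytes, id_i: str, id_r: str):
    """Three message pairs; IDs go out only after keys exist, encrypted."""
    wire = []  # (direction, payloads, encrypted?) as a passive observer sees it
    # Pair 1: SA exchange (security policy), cleartext
    wire.append(("I->R", {"SA": PROPOSAL}, False))
    wire.append(("R->I", {"SA": PROPOSAL}, False))
    # Pair 2: KE exchange (DH public values and nonces), cleartext
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    wire.append(("I->R", {"KE": gxi, "Ni": ni}, False))
    wire.append(("R->I", {"KE": gxr, "Nr": nr}, False))
    # Both peers can now derive SKEYID; the two values must agree.
    sk_i = derive_skeyid(psk, pow(gxr, xi, P), ni, nr)
    sk_r = derive_skeyid(psk, pow(gxi, xr, P), ni, nr)
    assert sk_i == sk_r
    # Pair 3: ID and authentication data, encrypted with keys from SKEYID
    wire.append(("I->R", {"ID": id_i, "HASH": auth_hash(sk_i, id_i)}, True))
    wire.append(("R->I", {"ID": id_r, "HASH": auth_hash(sk_r, id_r)}, True))
    return wire, sk_i


def aggressive_mode(psk: bytes, id_i: str, id_r: str):
    """Three messages in total; IDs travel in the first two, unencrypted."""
    wire = []
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    wire.append(("I->R", {"SA": PROPOSAL, "KE": gxi, "Ni": ni, "ID": id_i}, False))
    sk_r = derive_skeyid(psk, pow(gxi, xr, P), ni, nr)
    wire.append(("R->I", {"SA": PROPOSAL, "KE": gxr, "Nr": nr, "ID": id_r,
                          "HASH": auth_hash(sk_r, id_r)}, False))
    sk_i = derive_skeyid(psk, pow(gxr, xi, P), ni, nr)
    assert sk_i == sk_r
    wire.append(("I->R", {"HASH": auth_hash(sk_i, id_i)}, False))
    return wire, sk_i


def exposed_identities(wire):
    """Identities a passive observer can read: those in unencrypted messages."""
    return [m["ID"] for _, m, enc in wire if not enc and "ID" in m]


class IpsecSa:
    """Phase 2 SA: fresh DH per SA, 32-bit sequence number, rekey on overflow."""

    def __init__(self, skeyid: bytes):
        self.skeyid = skeyid
        self.rekeys = 0
        self._negotiate()

    def _negotiate(self):
        # A new DH exchange for every SA, so this key is independent of the
        # ISAKMP SA key and of every other IPsec SA key.
        xi, _ = dh_keypair()
        _, gxr = dh_keypair()
        self.key = prf(self.skeyid, pow(gxr, xi, P).to_bytes(16, "big"))
        self.seq = 0

    def next_seq(self) -> int:
        """Sequence number for the next packet; once the counter has reached
        its 32-bit maximum, negotiate a new SA instead of wrapping to 0."""
        if self.seq >= SEQ_MAX:
            self._negotiate()
            self.rekeys += 1
        self.seq += 1
        return self.seq
```

Running `exposed_identities` over the two transcripts is the quickest way to see the identity-protection difference the section describes: the main-mode transcript exposes nothing, the aggressive-mode transcript exposes both peer IDs. Two `IpsecSa` objects built from the same SKEYID end up with different keys, and setting `seq` to `SEQ_MAX` before calling `next_seq()` shows the renegotiation path instead of a wrap to zero.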