R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101

Figure 12 IKE exchange process in main mode
As shown in Figure 12, the main mode of IKE negotiation in phase 1 involves three pairs of messages:
• SA exchange, used for negotiating the security policy.
• Key exchange, used for exchanging the Diffie-Hellman public value and other values such as the random number (nonce). Key data is generated in this stage.
• ID and authentication data exchange, used for identity authentication and for authenticating the whole SA exchange.
The main difference between main mode and aggressive mode is that aggressive mode does not provide identity protection and exchanges only three messages. Aggressive mode exchanges less information and negotiates faster; it suits scenarios where the requirement for identity protection is lower. For scenarios with a higher requirement for identity protection, use main mode.
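The following is an added example, not code from the HP guide. It models the IKEv1 phase 1 exchange with pre-shared-key authentication as described in RFC 2409: the message order of main mode (six messages) beside aggressive mode (three messages), the SKEYID / HASH_I / HASH_R derivation, and the point the text makes about identity protection, namely that main mode sends the ID payloads only after the Diffie-Hellman secret exists and can encrypt them, while aggressive mode sends the initiator identity in its first cleartext message. The DH modulus, peer names, pre-shared keys and SA proposal bytes are constructed for readability; HMAC-SHA256 stands in for the negotiated prf. Nothing is actually put on the wire.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH parameters (a Mersenne prime and generator 2) so the
# example stays readable; real IKE uses the MODP groups of RFC 2409/3526.
P = 2 ** 127 - 1
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: keyed HMAC. HMAC-SHA256 is assumed here; in IKE the hash is
    negotiated during the SA exchange."""
    return hmac.new(key, data, hashlib.sha256).digest()


def i2b(x: int) -> bytes:
    """Fixed-width encoding of a DH value (P < 2**128 so 16 bytes suffice)."""
    return x.to_bytes(16, "big")


class Peer:
    """One IKE endpoint: identity, PSK, ISAKMP cookie, nonce and DH key pair."""

    def __init__(self, ident: bytes, psk: bytes):
        self.ident, self.psk = ident, psk
        self.cookie = secrets.token_bytes(8)        # CKY-I or CKY-R
        self.nonce = secrets.token_bytes(16)        # Ni or Nr
        self.x = secrets.randbelow(P - 2) + 1       # private DH exponent
        self.gx = pow(G, self.x, P)                 # public DH value sent in KE

    def derive(self, peer_gx: int, cky_i: bytes, cky_r: bytes, ni: bytes, nr: bytes):
        """RFC 2409 section 5: PSK authentication keys SKEYID, SKEYID_d/a/e."""
        self.skeyid = prf(self.psk, ni + nr)        # SKEYID = prf(psk, Ni_b | Nr_b)
        gxy = i2b(pow(peer_gx, self.x, P))          # shared DH secret g^xy
        self.skeyid_d = prf(self.skeyid, gxy + cky_i + cky_r + b"\x00")
        self.skeyid_a = prf(self.skeyid, self.skeyid_d + gxy + cky_i + cky_r + b"\x01")
        self.skeyid_e = prf(self.skeyid, self.skeyid_a + gxy + cky_i + cky_r + b"\x02")

    def hash_i(self, gxi, gxr, cky_i, cky_r, sa_b, id_i):
        """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
        return prf(self.skeyid, i2b(gxi) + i2b(gxr) + cky_i + cky_r + sa_b + id_i)

    def hash_r(self, gxi, gxr, cky_i, cky_r, sa_b, id_r):
        """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
        return prf(self.skeyid, i2b(gxr) + i2b(gxi) + cky_r + cky_i + sa_b + id_r)


def run_phase1(mode: str, psk_i: bytes, psk_r: bytes) -> dict:
    """Drive one phase 1 exchange and report message count, whether the peers
    authenticated each other, and whether any ID payload went out in the clear."""
    init, resp = Peer(b"gw-a.example", psk_i), Peer(b"gw-b.example", psk_r)  # constructed names
    sa_b = b"ISAKMP-SA:aes128-sha256-psk"       # constructed stand-in for the SA payload body
    transcript = []                              # (sender, payload names, encrypted?)

    def send(who, payloads, encrypted=False):
        transcript.append((who, payloads, encrypted))

    def derive_both():
        init.derive(resp.gx, init.cookie, resp.cookie, init.nonce, resp.nonce)
        resp.derive(init.gx, init.cookie, resp.cookie, init.nonce, resp.nonce)

    if mode == "main":
        send("I", ["SA"])                         # pair 1: SA exchange
        send("R", ["SA"])
        send("I", ["KE", "Ni"])                   # pair 2: key exchange
        send("R", ["KE", "Nr"])
        derive_both()                             # both sides now hold SKEYID_e
        send("I", ["IDii", "HASH_I"], encrypted=True)   # pair 3: under SKEYID_e
        send("R", ["IDir", "HASH_R"], encrypted=True)
    elif mode == "aggressive":
        send("I", ["SA", "KE", "Ni", "IDii"])     # initiator identity in cleartext
        derive_both()
        send("R", ["SA", "KE", "Nr", "IDir", "HASH_R"])
        send("I", ["HASH_I"])
    else:
        raise ValueError("mode must be 'main' or 'aggressive'")

    # Each side recomputes the peer's hash with its own SKEYID and compares.
    args = (init.gx, resp.gx, init.cookie, resp.cookie, sa_b)
    authenticated = (
        hmac.compare_digest(init.hash_i(*args, init.ident), resp.hash_i(*args, init.ident))
        and hmac.compare_digest(resp.hash_r(*args, resp.ident), init.hash_r(*args, resp.ident))
    )
    id_in_clear = any(("IDii" in p or "IDir" in p) for _, p, enc in transcript if not enc)
    return {
        "messages": len(transcript),
        "authenticated": authenticated,
        "identity_in_clear": id_in_clear,
        "keys_agree": init.skeyid_e == resp.skeyid_e,
        "transcript": transcript,
    }
```

Running `run_phase1("main", psk, psk)` yields six messages with the identities only inside encrypted payloads; `run_phase1("aggressive", psk, psk)` yields three messages with `identity_in_clear` set. A mismatched PSK leaves the DH exchange intact but makes HASH_I / HASH_R verification fail, which is the only point at which the toy peers learn they do not share a secret.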
Functions of IKE in IPsec
IKE provides the following functions for IPsec:
• Automatically negotiates IPsec parameters such as the keys, reducing the manual configuration complexity.
• Performs DH exchange whenever establishing an SA, ensuring that each SA has a key independent of any other keys.
• Automatically negotiates SAs when the sequence number in the AH or ESP header overflows, ensuring that IPsec provides the anti-replay service normally by using the sequence number.
• Provides end-to-end dynamic authentication.
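The following is an added example, not code from the HP guide, showing why the sequence-number function above requires renegotiation. It models the receiver's anti-replay window (the sliding bitmap of RFC 4303) and a sender whose AH/ESP counter must never wrap: when the counter is exhausted the sender retires the SA and continues under a new SPI, which is the step IKE performs automatically. The SPI values, window size and the small `max_seq` used for the demonstration are constructed; a real ESP counter is 32 bits (or 64 with extended sequence numbers), and the window check is applied only after the packet's integrity check has passed.

```python
class InboundSA:
    """Receiver side: sliding anti-replay window (RFC 4303 section 3.4.3).
    Bit i of `bitmap` records whether sequence number (top - i) was seen."""

    def __init__(self, window: int = 64):
        self.window = window
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0

    def accept(self, seq: int) -> bool:
        if seq == 0:                          # 0 is never a valid sequence number
            return False
        if seq > self.top:                    # advance the window
            shift = seq - self.top
            if shift >= self.window:
                self.bitmap = 1               # everything previously seen falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.window:               # older than the window: reject
            return False
        if (self.bitmap >> diff) & 1:         # already seen: replay
            return False
        self.bitmap |= 1 << diff
        return True


class OutboundSA:
    """Sender side: a monotonically increasing counter that must not wrap."""

    def __init__(self, spi: int, max_seq: int = 2 ** 32 - 1):
        self.spi, self.max_seq, self.seq = spi, max_seq, 0

    def next_seq(self):
        """Return the next sequence number, or None when the counter is exhausted.
        Wrapping would reuse numbers the peer's window has already seen, so the
        SA must be replaced (rekeyed through IKE) rather than continued."""
        if self.seq >= self.max_seq:
            return None
        self.seq += 1
        return self.seq


def send_stream(n_packets: int, max_seq: int):
    """Send n_packets, negotiating a fresh SA (new SPI, counter reset to 0)
    whenever the current one is exhausted. Returns (SPIs used, packets accepted)."""
    spi = 0x1000                              # constructed starting SPI
    sa = OutboundSA(spi, max_seq)
    inbound = {spi: InboundSA()}
    accepted = 0
    for _ in range(n_packets):
        seq = sa.next_seq()
        if seq is None:                       # counter exhausted: IKE sets up a new SA
            spi += 1
            sa = OutboundSA(spi, max_seq)
            inbound[spi] = InboundSA()
            seq = sa.next_seq()
        if inbound[sa.spi].accept(seq):
            accepted += 1
    return sorted(inbound), accepted
```

With `send_stream(25, 10)` the sender rolls through three SAs (SPIs 0x1000 to 0x1002) and every packet is accepted; without the rekey step the eleventh packet would have to reuse sequence number 1 under the same SPI, and the receiver's window would correctly drop it as a replay.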
Identity authentication and management of peers influence IPsec deployment. A large-scale IPsec deployment needs the support of certificate authorities (CAs) or other institutions that manage identity data centrally.