R3303-HP HSR6800 Routers Layer 3 - IP Services Configuration Guide
next-highest priority algorithm against the list. The operation continues until a match is found or all
the algorithms on the server's algorithm list have been compared.
If a match is found, the server sends to the client a connection response, which carries the
negotiation result, and at the same time, the server and the client generate the encryption key and
integrity verification key.
3. The client sends an initialization complete packet to the server, so the server can use it to check
whether the algorithm negotiation and key negotiation are successful.
4. Upon receiving the initialization complete packet from the client, the server sends an initialization
complete packet to the client, so the client can use it to check whether the algorithm negotiation
and key negotiation are successful.
After the connection initialization process completes, the client proceeds with the registration phase.
Registration phase
Figure 127 Registration process
Figure 127 shows the registration process:
1. The client sends the server a registration request, which carries information about the client.
2. Upon receiving the registration request, the server first determines whether to authenticate the
identity of the client.
   ○ If identity authentication is not required, the server directly registers the client and sends the
     client a registration acknowledgement.
   ○ If identity authentication is required, the server sends the client an identity authentication request,
     indicating the required authentication algorithm. In the case of CHAP authentication, a random
     number is also sent.
3. The client submits its identity information to the server.
4. After receiving the identity information of the client, the server sends an authentication request to
the AAA server and, after receiving the expected authentication acknowledgement, sends an
accounting request to the AAA server. When the server receives the accounting acknowledgement,
it sends the client a registration acknowledgement, telling the client information about the hubs in
the VPN.
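The registration exchange above in the CHAP case, as an added example that is not taken from the HP guide or from the router software. It assumes the standard RFC 1994 CHAP computation, replaces the AAA server with a local table (the accounting step is omitted), and uses hypothetical message field names and a hypothetical reject reply, none of which the guide specifies.

```python
import hashlib
import hmac
import os

# Constructed sample data standing in for the AAA server's user database.
AAA_SECRETS = {"spoke1": b"s3cret-shared-key"}
HUBS = ["hub1", "hub2"]  # constructed hub list returned on success
REJECT = {"type": "registration-reject"}  # hypothetical; not named in the guide

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Server:
    def __init__(self, require_auth: bool = True):
        self.require_auth = require_auth
        self.pending = {}  # client name -> (identifier, random number)

    def on_registration_request(self, name: str) -> dict:
        # Step 2: decide whether the client must be authenticated.
        if not self.require_auth:
            return {"type": "registration-ack", "hubs": HUBS}
        ident, challenge = os.urandom(1)[0], os.urandom(16)
        self.pending[name] = (ident, challenge)
        return {"type": "auth-request", "algorithm": "CHAP",
                "id": ident, "challenge": challenge}

    def on_identity_info(self, name: str, response: bytes) -> dict:
        # Step 4: the AAA check is replaced by a local lookup (assumption).
        # pop() makes each random number single-use, so a captured
        # response cannot be replayed against a later challenge.
        state = self.pending.pop(name, None)
        secret = AAA_SECRETS.get(name)
        if state is None or secret is None:
            return REJECT
        expected = chap_response(state[0], secret, state[1])
        if hmac.compare_digest(expected, response):  # constant-time compare
            return {"type": "registration-ack", "hubs": HUBS}
        return REJECT

def register(server: Server, name: str, secret: bytes) -> dict:
    """Client side: steps 1 and 3 of the registration process."""
    reply = server.on_registration_request(name)
    if reply["type"] != "auth-request":
        return reply
    resp = chap_response(reply["id"], secret, reply["challenge"])
    return server.on_identity_info(name, resp)
```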
Tunnel establishment phase
After a spoke successfully registers itself, it needs to establish a permanent tunnel with a hub. A spoke can
establish permanent tunnels with up to two hubs. If there are two hubs in a VPN domain, a permanent
tunnel is required between the hubs. Figure 128
shows the tunnel establishment process.
[Figure 127 message sequence between Client and Server: 1) Registration request; 2) Identity authentication request; 3) Identity information; 4) Registration acknowledgement]