TMS zl Management and Configuration Guide ST.1.2.100916
7-17
Virtual Private Networks
IPsec Concepts
Note: If you use certificates for IKE authentication, you must specify either the DN as the identity type, or you must specify the type and value of a subject alternate name in the certificate.
IKE modes. IKE phase 1 can be initiated in one of two modes:
■ Main mode
■ Aggressive mode
Main mode consists of the six messages (three exchanges) described above.
Figure 7-6. IKE Aggressive Key Exchange Mode
Aggressive mode condenses the process into three total messages: two from the initiator and one from the responder. Aggressive mode is quicker than main mode. However, it requires the endpoints to send identifying information before the exchange is encrypted, so it is less secure.
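The difference between the two modes is visible in the fixed ISAKMP header of every IKEv1 message, which carries an exchange-type code (2 for main mode, 4 for aggressive mode) and an encryption flag. The following added example, which is not part of this guide and not TMS zl code, parses that header (layout per RFC 2408) over a constructed set of header-only messages and flags phase 1 aggressive-mode initiations, the case where identities travel in the clear as described above:

```python
import struct

# ISAKMP (IKEv1) exchange-type codes, RFC 2408 / RFC 2409
MAIN_MODE, AGGRESSIVE_MODE, QUICK_MODE = 2, 4, 32
MODE_NAMES = {MAIN_MODE: "main", AGGRESSIVE_MODE: "aggressive", QUICK_MODE: "quick"}
ENCRYPTED_FLAG = 0x01          # bit 0 of the ISAKMP flags byte
HEADER_FMT = "!8s8sBBBBII"     # 28-byte fixed header (RFC 2408 section 3.1)
HEADER_LEN = struct.calcsize(HEADER_FMT)


def parse_isakmp_header(pkt: bytes) -> dict:
    """Decode the fixed ISAKMP header that starts every IKEv1 message."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    i_spi, r_spi, nxt, ver, exch, flags, msg_id, length = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    return {
        "initiator_spi": i_spi.hex(), "responder_spi": r_spi.hex(),
        "version": f"{ver >> 4}.{ver & 0xF}", "exchange": exch,
        "mode": MODE_NAMES.get(exch, f"other({exch})"),
        "encrypted": bool(flags & ENCRYPTED_FLAG),
        "phase": 1 if exch in (MAIN_MODE, AGGRESSIVE_MODE) and msg_id == 0 else 2,
        "first_message": r_spi == bytes(8),   # responder SPI still zero: initiator's first packet
    }


def audit_ike(packets):
    """Return one finding per phase 1 message that carries identities before encryption.

    Main mode sends ID payloads only in messages 5 and 6, which set the encryption flag;
    aggressive mode sends them in its first, cleartext message, so any unencrypted
    aggressive-mode phase 1 message is reported for review of that peer's IKE policy."""
    findings = []
    for pkt in packets:
        h = parse_isakmp_header(pkt)
        if h["phase"] == 1 and h["exchange"] == AGGRESSIVE_MODE and not h["encrypted"]:
            findings.append(f"aggressive-mode phase 1 from SPI {h['initiator_spi']}: identity sent in the clear")
    return findings


def make_header(i_spi, r_spi, exch, flags=0, msg_id=0):
    """Build a header-only ISAKMP message (payloads omitted) for the constructed sample below."""
    return struct.pack(HEADER_FMT, i_spi, r_spi, 1, 0x10, exch, flags, msg_id, HEADER_LEN)


# Constructed sample capture (not real traffic): three header-only IKEv1 messages.
SAMPLE = [
    make_header(b"\x01" * 8, bytes(8), MAIN_MODE),                     # main mode message 1, no ID yet
    make_header(b"\x01" * 8, b"\x02" * 8, MAIN_MODE, ENCRYPTED_FLAG),  # main mode message 5, ID encrypted
    make_header(b"\x03" * 8, bytes(8), AGGRESSIVE_MODE),               # aggressive mode message 1, ID in clear
]

if __name__ == "__main__":
    for finding in audit_ike(SAMPLE):
        print(finding)
```

Only the aggressive-mode initiation is reported; the main-mode messages pass because their identity payloads arrive after the encryption flag is set.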
IKE Phase 2
The goal of IKE phase 2 is to negotiate the IPsec SA. For this reason, even though IKE carries out both phases, phase 1 is associated with IKE policies and phase 2 with IPsec policies. Keys generated during IKE phase 2 secure all data exchanged over the lifetime of the IPsec SA.