3Com 3C13636 Configuration Manual page 1155

Router 3000 ethernet family

3Com Router 3000 Ethernet Family
Configuration Guide
authentication keys to generate the same shared secret between the two parties.
The authentication key is the key used in identity authentication by both parties.
Identity protection
After the shared secret is generated, identity data is encrypted before it is
transmitted, which protects the identity data.
IKE uses two stages to negotiate the shared secret for IPSec and to create
Security Associations. In the first stage, the communicating parties establish a
channel that provides identity authentication and security protection; the exchange
in this stage establishes an ISAKMP Security Association (ISAKMP SA). In the
second stage, the secure channel established in the first stage is used to negotiate
the specific Security Association for IPSec and establish the IPSec SA. The IPSec SA
is then used for the secure transmission of IP data.
The relation between IKE and IPSec is shown in the following figure.
[Figure: Router A and Router B; labels: TCP/UDP, IKE, SA, IPSec, SA negotiation, IP, Encrypted IP packet]
Figure 8-1 Relation between IKE and IPSec
In addition to other applications, IKE supports IKE aggressive mode and NAT traversal.
I. IKE aggressive mode
ADSL and dial-up access are two solutions widely adopted at present in VPN
construction. In both, a special case arises in which the IP addresses of the devices
at the central office end are static while the IP addresses of the devices at the
subscriber end are dynamic. To support this case, aggressive mode is introduced in
IKE negotiation. This mode allows IKE to look up the pre-shared key of the
negotiation initiator by the initiator's IP address or ID in order to complete the
negotiation. Compared to main mode, IKE aggressive mode is more flexible and
supports IKE negotiation even when the IP address of the initiator is dynamic.
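The key lookup described above, as an added example that is not taken from the 3Com manual or the router's software: a responder that can select a pre-shared key only by source IP in main mode, but by the initiator's ID in aggressive mode. The key tables, peer names, addresses and nonces are constructed, and HMAC-SHA1 is assumed as the negotiated prf.

```python
import hashlib
import hmac

# Constructed responder key tables (hypothetical names and keys): peers with
# static addresses are keyed by IP, dial-up/ADSL subscribers by ID.
PSK_BY_IP = {"203.0.113.10": b"branch-static-key"}
PSK_BY_ID = {"subscriber-17": b"dialup-user-key"}


def select_psk(mode, src_ip, cleartext_id=None):
    """Return the pre-shared key the responder can select, or None.

    Main mode: the ID payload arrives encrypted under keys derived from the
    PSK itself, so the only selector available is the source IP address.
    Aggressive mode: the initiator's ID arrives unencrypted in message 1
    (RFC 2409), so the responder can select by ID, then fall back to IP.
    """
    if mode == "main":
        return PSK_BY_IP.get(src_ip)
    if mode == "aggressive":
        return PSK_BY_ID.get(cleartext_id) or PSK_BY_IP.get(src_ip)
    raise ValueError(f"unknown IKE phase 1 mode: {mode}")


def skeyid(psk, nonce_i, nonce_r):
    """SKEYID for pre-shared-key authentication: prf(psk, Ni_b | Nr_b) (RFC 2409)."""
    return hmac.new(psk, nonce_i + nonce_r, hashlib.sha1).digest()


def negotiate(mode, src_ip, cleartext_id, initiator_psk, nonce_i, nonce_r):
    """Return True if both ends derive the same SKEYID, False otherwise."""
    responder_psk = select_psk(mode, src_ip, cleartext_id)
    if responder_psk is None:
        return False  # responder cannot pick a key, so negotiation fails
    return hmac.compare_digest(skeyid(initiator_psk, nonce_i, nonce_r),
                               skeyid(responder_psk, nonce_i, nonce_r))


if __name__ == "__main__":
    ni, nr = b"\x01" * 16, b"\x02" * 16  # constructed nonces
    # Subscriber on a dynamic address the central office has never seen.
    for mode in ("main", "aggressive"):
        ok = negotiate(mode, "198.51.100.77", "subscriber-17",
                       b"dialup-user-key", ni, nr)
        print(f"{mode:10s} mode, dynamic initiator address: {ok}")
```

Because the ID that makes this lookup possible is sent unencrypted, aggressive mode does not give the initiator the identity protection described earlier for the encrypted exchange.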
3Com Corporation
8-2
Chapter 8 IKE Configuration
