LevelOne GBR-4001 User Manual page 141

4-WAN Gigabit Broadband VPN Router

communication, namely by establishing a security association (SA). An SA is identified by the triple of
a security parameter index (SPI), the destination IP address and the security protocol in use (ESP or AH).
Through the SA, the IPSec tunnel provides the following security features:
Confidentiality (through encryption)
Content integrity (through data authentication)
Sender authentication (through authentication of the data origin)
I. Establishment of the Security Association
A Security Association (SA) is a one-way agreement on the methods and parameters that both
parties of the IPSec tunnel use to secure it. Because an SA is unidirectional, two-way IPSec
communication needs at least two SAs: one for receiving data from the peer, and one for sending
data to the peer.
Establishing the SAs takes two phases of negotiation:
In the first phase, the two communicating parties negotiate how to protect their future
communication and establish an authenticated, protected channel (the IKE SA). This channel is
then used to protect the negotiation of the IPSec SA.
In the second phase, the two parties negotiate the encryption algorithms, keys, lifetime and
authentication of IPSec itself, and establish the channel that encrypts and authenticates user
data (the IPSec SA).
1. Phase I
The first phase can run in Aggressive Mode or Main Mode. The two parties exchange the security
proposals they are willing to accept, for example:
Encryption algorithm (DES, 3DES and AES128/192/256) and authentication (hash) algorithm
(MD5 and SHA-1). Note: DES (56-bit key) and MD5 are considered weak; choose AES and SHA-1
whenever the peer supports them.
Diffie-Hellman group (refer to "Diffie-Hellman Exchange" in this section)
Pre-shared key
The first-phase negotiation succeeds once both ends of the tunnel accept at least one set of
first-phase security parameters and have processed the related parameters. When the device acts
as the initiator, it currently supports up to 8 proposals for the first-phase negotiation, so the user
can define a series of security parameter sets. When acting as a responder, the device accepts
first-phase proposals in any combination.
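The following Python model illustrates the two points above: the responder picks the first of the initiator's (at most 8) proposals that it also accepts, and a successful negotiation ends in a pair of one-way SAs, each identified by the (SPI, destination IP, protocol) triple. It is an added example for this manual page, not LevelOne firmware code; the Diffie-Hellman group numbers, the class and function names, and the sample addresses are assumptions.

```python
"""Model of IKE Phase 1 proposal selection and the resulting pair of
one-way Security Associations.

Added example for this manual page; it is not LevelOne firmware code.
The DH group numbers and the class/function names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple
import secrets

# Phase 1 parameter values the manual lists for this device.
ENCRYPTION_ALGS = {"DES", "3DES", "AES128", "AES192", "AES256"}
AUTH_ALGS = {"MD5", "SHA-1"}
DH_GROUPS = {1, 2, 5, 14}          # assumption: common IKE group numbers
MAX_INITIATOR_PROPOSALS = 8        # manual: up to 8 proposals as initiator
MIN_SPI = 256                      # SPIs 0-255 are reserved (RFC 4302/4303)


@dataclass(frozen=True)
class Proposal:
    encryption: str
    auth: str
    dh_group: int

    def validate(self) -> None:
        if self.encryption not in ENCRYPTION_ALGS:
            raise ValueError(f"unsupported encryption algorithm {self.encryption}")
        if self.auth not in AUTH_ALGS:
            raise ValueError(f"unsupported authentication algorithm {self.auth}")
        if self.dh_group not in DH_GROUPS:
            raise ValueError(f"unsupported Diffie-Hellman group {self.dh_group}")


def select_phase1_proposal(initiator_proposals: Iterable[Proposal],
                           responder_acceptable: Iterable[Proposal]) -> Optional[Proposal]:
    """Responder-side choice: the first proposal, in the initiator's preference
    order, that the responder also accepts. None means the sets do not overlap,
    i.e. the first-phase negotiation fails."""
    offered = list(initiator_proposals)
    if not 1 <= len(offered) <= MAX_INITIATOR_PROPOSALS:
        raise ValueError(f"initiator may offer 1..{MAX_INITIATOR_PROPOSALS} proposals")
    acceptable = set(responder_acceptable)
    for proposal in offered:
        proposal.validate()
        if proposal in acceptable:
            return proposal
    return None


@dataclass(frozen=True)
class SecurityAssociation:
    """One-way SA, identified by the triple (SPI, destination IP, protocol)."""
    spi: int
    dst_ip: str
    protocol: str        # "ESP" or "AH"
    proposal: Proposal


SAKey = Tuple[int, str, str]


def new_spi() -> int:
    """Random 32-bit SPI outside the reserved range 0-255."""
    return MIN_SPI + secrets.randbelow(2**32 - MIN_SPI)


def build_sa_pair(local_ip: str, peer_ip: str, proposal: Proposal,
                  protocol: str = "ESP") -> Dict[SAKey, SecurityAssociation]:
    """Two SAs for one tunnel: inbound traffic from the peer is addressed to
    us, outbound traffic is addressed to the peer. Each direction has its own
    SPI; in a real exchange each side picks the SPI of its own inbound SA."""
    if protocol not in ("ESP", "AH"):
        raise ValueError("protocol must be ESP or AH")
    inbound = SecurityAssociation(new_spi(), local_ip, protocol, proposal)
    outbound = SecurityAssociation(new_spi(), peer_ip, protocol, proposal)
    return {(sa.spi, sa.dst_ip, sa.protocol): sa for sa in (inbound, outbound)}


def lookup_sa(sadb: Dict[SAKey, SecurityAssociation], spi: int,
              dst_ip: str, protocol: str) -> Optional[SecurityAssociation]:
    """How a receiver finds the SA for a packet: the SPI from the header plus
    the packet's destination address and protocol select exactly one SA."""
    return sadb.get((spi, dst_ip, protocol))


if __name__ == "__main__":
    # Constructed sample: initiator prefers AES256, falls back to 3DES, then DES.
    initiator = [Proposal("AES256", "SHA-1", 14), Proposal("3DES", "SHA-1", 2),
                 Proposal("DES", "MD5", 1)]
    responder = {Proposal("AES128", "SHA-1", 14), Proposal("3DES", "SHA-1", 2)}
    chosen = select_phase1_proposal(initiator, responder)
    print("Phase 1 agreed on:", chosen)          # 3DES / SHA-1 / group 2
    sadb = build_sa_pair("203.0.113.1", "198.51.100.7", chosen)
    for (spi, dst, proto), sa in sadb.items():
        print(f"SA spi=0x{spi:08x} dst={dst} proto={proto}")
```

The sample run shows why the initiator's ordering matters: AES256 is offered first but the responder does not list it, so the tunnel falls back to the second proposal (3DES) rather than failing. Keep weak fallbacks such as DES/MD5 out of the list unless they are needed for a specific peer, because a responder that accepts "any combination" will agree to them.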
Main Mode / Aggressive Mode
The first phase can take place in Main Mode or Aggressive Mode. The two modes are described as
follows:
Main Mode: The initiator and responder perform three bidirectional exchanges (six messages in
total) between them, in order to complete the following functions:
http://www.level1.com
Chapter 12 VPN
Page 136