UTT N518W Manual page 179

UTT Technologies
Main Mode has three two-way exchanges with a total of six messages between the
initiator and the responder.
First exchange (messages 1 and 2): The encryption and authentication algorithms
used to secure the IKE communications are negotiated and agreed upon
between the two endpoints.
Second exchange (messages 3 and 4): A Diffie-Hellman exchange is performed.
Each endpoint also sends a nonce (i.e., random number).
Third exchange (messages 5 and 6): Identities of both endpoints are exchanged
and verified.
In the third exchange, identities are not transmitted in clear text. The identities are
protected by the encryption algorithm agreed upon in the first two exchanges.
Aggressive Mode
Aggressive Mode has two exchanges with a total of three messages between the
initiator and the responder.
First message: The initiator proposes the SA, initiates a Diffie-Hellman exchange,
and sends a nonce (i.e., random number) and its IKE identity.
Second message: The responder accepts the proposed SA, authenticates the
initiator, and sends a nonce (i.e., random number), its IKE identity, and its
certificates if they are being used.
Third message: The initiator authenticates the responder, confirms the exchange,
and sends its certificates if they are being used.
The weakness of Aggressive Mode is that it does not provide identity protection,
because the identities of both sides are exchanged in clear text. However, Aggressive
Mode is faster than Main Mode.
Note: If one of the two IPSec endpoints has a dynamic IP address, you must use
Aggressive Mode to establish an IPSec tunnel.
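The following Python code is an added example, not part of the UTT manual. It reads an IKE (ISAKMP) message as a monitoring tool would and reports the mode and whether an identity is readable in clear text, which is the difference between the two modes described above. The header layout and numeric values follow RFC 2408 and RFC 2407; the function names `inspect_ike` and `build`, the sample messages and the identity `branch.example.test` are constructed for illustration.

```python
import struct

# Wire values from RFC 2408 (ISAKMP header) and RFC 2407 (ID payload layout).
MODES = {2: "Main Mode", 4: "Aggressive Mode"}   # ISAKMP exchange types
PAYLOAD_ID = 5           # Identification payload
FLAG_ENCRYPTED = 0x01    # everything after the header is encrypted

def inspect_ike(packet: bytes) -> dict:
    """Return the IKE mode and any identity readable in clear text."""
    if len(packet) < 28:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    # Skip the two 8-byte cookies, then read the fixed header fields.
    nxt, _ver, xchg, flags, _msgid, length = struct.unpack_from(">BBBBII", packet, 16)
    info = {"mode": MODES.get(xchg, f"other ({xchg})"),
            "encrypted": bool(flags & FLAG_ENCRYPTED), "cleartext_id": None}
    offset, end = 28, min(length, len(packet))
    # The payload chain can only be walked when it is not encrypted.
    while not info["encrypted"] and nxt and offset + 4 <= end:
        following, _rsv, plen = struct.unpack_from(">BBH", packet, offset)
        if plen < 4 or offset + plen > end:
            raise ValueError("malformed payload length")
        if nxt == PAYLOAD_ID:
            # Generic header (4) + ID type, protocol, port (4), then the identity.
            info["cleartext_id"] = packet[offset + 8:offset + plen]
        nxt, offset = following, offset + plen
    return info

def build(xchg, flags, first, payloads, opaque=b""):
    """Assemble a constructed sample message from (type, body) pairs."""
    body = b""
    for i, (_ptype, data) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack(">BBH", following, 0, 4 + len(data)) + data
    body += opaque
    header = struct.pack(">BBBBII", first, 0x10, xchg, flags, 0, 28 + len(body))
    return b"\x11" * 8 + b"\x22" * 8 + header + body

# Constructed samples: payload bodies other than the ID are placeholder bytes.
IDENTITY = bytes([2, 17]) + struct.pack(">H", 500) + b"branch.example.test"  # ID_FQDN
AGGRESSIVE_MSG1 = build(4, 0, 1, [(1, b"\0" * 8), (4, b"\0" * 16),
                                  (10, b"\0" * 16), (PAYLOAD_ID, IDENTITY)])
MAIN_MSG5 = build(2, FLAG_ENCRYPTED, PAYLOAD_ID, [], opaque=b"\xaa" * 32)

if __name__ == "__main__":
    for name, pkt in (("aggressive msg 1", AGGRESSIVE_MSG1), ("main msg 5", MAIN_MSG5)):
        print(name, inspect_ike(pkt))
```

On the Aggressive Mode sample the identity comes back in clear text, while the Main Mode message 5 sample yields only the mode and the encryption flag.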
Diffie-Hellman Exchange
The Diffie-Hellman exchange is a public key cryptography protocol used for key
exchange. With Diffie-Hellman exchange, the two IPSec endpoints publicly exchange
key material over an insecure network channel to derive a shared secret key, which is
never exchanged over the insecure channel.
There are five basic DH groups (the Device supports DH groups 2 and 5). Each DH
group has a modulus of a different size. A larger modulus provides higher security but
requires more processing time to generate the key. The moduli of DH groups 2 and
5 are as follows:
DH Group 2: 924-bit modulus