Ike Security Mechanism - HP MSR2000 Configuration Manual

2. Phase 2—Using the IKE SA established in phase 1, the two peers negotiate to establish IPsec SAs.
Figure 50 IKE exchange process in main mode
As shown in
SA exchange—Used for negotiating the IKE security policy.
•
• Key exchange—Used for exchanging the DH public value and other values, such as the random
number. The two peers use the exchanged data to generate key data and use the encryption key
and authentication key to ensure the security of IP packets.
ID and authentication data exchange—Used for identity authentication.
•
The main difference between the main mode and the aggressive mode is that the aggressive mode does
not provide identity information protection and exchanges only three messages, rather than three pairs.
The main mode provides identity information protection but is slower.

IKE security mechanism

IKE has a series of self-protection mechanisms and supports secure identity authentication, key
distribution, and IPsec SA establishment on insecure networks.
Identity authentication
The IKE identity authentication mechanism is used to authenticate the identity of the communicating
peers. The device supports the following identity authentication methods:
Pre-shared key authentication—Two communicating peers use the pre-configured shared key for
•
identity authentication.
RSA signature authentication and DSA signature authentication—Two communicating peers use
•
the digital certificates issued by the CA for identity authentication.
The pre-shared key authentication method does not require certificates and is easy to configure. It is
usually deployed in small networks.
The signature authentication methods provide higher security and are usually deployed in networks with
the headquarters and some branches. When deployed in a network with many branches, a signature
Figure 50, the main mode of IKE negotiation in phase 1 involves three pairs of messages:
180