Figure 119 IKE exchange process in main mode
As shown in
SA exchange, used for negotiating the security policy.
•
Key exchange, used for exchanging the Diffie-Hellman public value and other values like the
•
random number. Key data is generated in this stage.
ID and authentication data exchange, used for identity authentication and authentication of data
•
exchanged in phase 1.
IKE functions
IKE provides the following functions for IPsec:
Automatically negotiates IPsec parameters such as the keys.
•
Performs DH exchange when establishing an SA, making sure that each SA has a key independent
•
of other keys.
Automatically negotiates SAs when the sequence number in the AH or ESP header overflows,
•
making sure that IPsec provides the anti-replay service normally by using the sequence number.
•
Provides end-to-end dynamic authentication.
Identity authentication and management of peers influence IPsec deployment. A large-scale IPsec
•
deployment needs the support of certificate authorities (CAs) or other institutes which manage
identity data centrally.
Figure
124, the main mode of IKE negotiation in phase 1 involves three pairs of messages:
356