Figure 102 IKE exchange process in main mode
(Figure: Peer 1 and Peer 2 exchange three message pairs. SA exchange: the initiator's policy, then the confirmed policy after Peer 2 negotiates algorithms and searches for a matched policy. Key exchange: the initiator's key information, then the receiver's key information, after which both peers generate the key. ID and authentication data exchange: the initiator's identity and authentication data, then the receiver's identity and authentication data, with each peer performing identity authentication.)

As shown in Figure 102, the main mode of IKE negotiation in phase 1 involves three pairs of messages:
SA exchange—Used for negotiating the security policy.
Key exchange—Used for exchanging the DH public value and other values like the random number. Key data is generated in this stage.
ID and authentication data exchange—Used for identity authentication and authentication of the data exchanged in phase 1.
The main difference between the main mode and the aggressive mode is that the aggressive mode does not provide identity protection and exchanges only three messages, rather than three pairs. The main mode provides identity protection but is slower.

IKE functions

IKE provides the following functions for IPsec:
Automatically negotiates IPsec parameters such as the keys.
Performs DH exchange when establishing an SA, making sure that each SA has a key independent of other keys.
Automatically negotiates SAs when the sequence number in the AH or ESP header overflows, so that IPsec can continue to provide the anti-replay service based on the sequence number.
Provides end-to-end dynamic authentication.
Identity authentication and management of peers influence IPsec deployment. A large-scale IPsec deployment needs the support of CAs or other institutions that manage identity data centrally.
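The main-mode exchange and the IKE functions described above, as an added example that is not part of this manual or of the HSR6600 software: a Python simulation of the three phase-1 message pairs with pre-shared-key authentication, using the SKEYID and HASH_I/HASH_R formulas of RFC 2409. The DH group, proposal strings, peer names and pre-shared keys are constructed for the example; the message log shows that identities appear only in the third pair, a mismatched key fails authentication, and every SA gets fresh key material.

```python
import hashlib
import hmac
import secrets

# Toy DH group (Mersenne prime 2^127-1, generator 5) so the example runs instantly.
# Real IKE uses the MODP groups of RFC 2409/3526; a 127-bit group is not secure.
P, G = (1 << 127) - 1, 5


def prf(key: bytes, data: bytes) -> bytes:
    # IKEv1 prf: HMAC keyed with the negotiated hash algorithm (SHA-1 here).
    return hmac.new(key, data, hashlib.sha1).digest()


class Peer:
    def __init__(self, ident: str, psk: bytes, proposals: list):
        self.ident, self.psk, self.proposals = ident.encode(), psk, proposals
        self.cookie = secrets.token_bytes(8)              # CKY, names this ISAKMP SA
        self.nonce = secrets.token_bytes(16)              # Ni / Nr
        self.x = secrets.randbelow(P - 2) + 1             # DH private value, fresh per SA
        self.gx = pow(G, self.x, P).to_bytes(16, "big")   # DH public value g^x


def main_mode(init: Peer, resp: Peer):
    log = []
    # Pair 1, SA exchange: only policy proposals are sent, no identities.
    log.append(("1 init->resp SA", init.cookie + b",".join(p.encode() for p in init.proposals)))
    sa = next((p for p in init.proposals if p in resp.proposals), None)  # matched policy
    log.append(("2 resp->init SA", resp.cookie + (sa or "").encode()))
    if sa is None:
        return {"policy": None, "authenticated": False}, log
    # Pair 2, key exchange: DH public values and nonces; key data is generated from here on.
    log.append(("3 init->resp KE", init.gx + init.nonce))
    log.append(("4 resp->init KE", resp.gx + resp.nonce))
    # RFC 2409 PSK mode: SKEYID = prf(PSK, Ni_b | Nr_b); each side uses its own PSK.
    skeyid_i = prf(init.psk, init.nonce + resp.nonce)
    skeyid_r = prf(resp.psk, init.nonce + resp.nonce)
    sa_b, cky = sa.encode(), init.cookie + resp.cookie
    # Pair 3, ID and authentication: identities travel only now (encrypted in real IKE).
    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    hash_i = prf(skeyid_i, init.gx + resp.gx + cky + sa_b + init.ident)
    log.append(("5 init->resp ID+HASH_I", init.ident + hash_i))
    if not hmac.compare_digest(hash_i, prf(skeyid_r, init.gx + resp.gx + cky + sa_b + init.ident)):
        return {"policy": sa, "authenticated": False}, log   # responder rejects the initiator
    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    r_data = resp.gx + init.gx + resp.cookie + init.cookie + sa_b + resp.ident
    hash_r = prf(skeyid_r, r_data)
    log.append(("6 resp->init ID+HASH_R", resp.ident + hash_r))
    ok = hmac.compare_digest(hash_r, prf(skeyid_i, r_data))
    # The DH shared secret feeds SKEYID_d; a fresh x per SA keeps each SA's keys independent.
    shared = pow(int.from_bytes(resp.gx, "big"), init.x, P)
    return {"policy": sa, "authenticated": ok, "skeyid": skeyid_i, "shared": shared}, log
```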
This manual is also suitable for: HSR6600