Figure 67 IKE exchange process in main mode
(Figure: Peer 1 and Peer 2 run three exchanges. SA exchange: Peer 1 sends its local IKE policy, Peer 2 searches for a matched policy and returns the confirmed policy (algorithm negotiation). Key exchange: the peers exchange the initiator's and receiver's key information and each generates the key (key generation). ID and authentication exchange: the peers exchange identity and authentication data and perform identity authentication.)

As shown in Figure 67, the main mode of IKE negotiation in phase 1 involves three pairs of messages:
• SA exchange—Used for negotiating the security policy.
• Key exchange—Used for exchanging the DH public value and other values like the random number (nonce). Key data is generated in this stage.
• ID and authentication data exchange—Used for identity authentication and for authenticating the data exchanged in phase 1.

IKE functions
IKE provides the following functions for IPsec:
• Automatically negotiates IPsec parameters such as the keys.
• Performs a DH exchange when establishing an SA, making sure that each SA has a key independent of other keys.
• Automatically negotiates a new SA when the sequence number in the AH or ESP header is about to overflow, making sure that the sequence-number-based anti-replay service of IPsec keeps working.
• Provides end-to-end dynamic authentication.
• Identity authentication and management of peers influence IPsec deployment. A large-scale IPsec deployment needs the support of CAs or other institutions that manage identity data centrally.
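The three message pairs described above, worked through as an added Python simulation that is not code from the original page or from the product it documents. It follows the pre-shared-key variant of IKEv1 main mode from RFC 2409 section 5.4: the responder picks the first offered policy it also accepts, both sides exchange DH values and nonces, SKEYID = prf(PSK, Ni_b | Nr_b), and HASH_I / HASH_R bind the DH values, cookies, offered SA and identities. Assumptions: Oakley group 2 (1024-bit MODP) is used only so the arithmetic runs quickly in pure Python (it is too weak for production use; prefer group 14 or stronger); the Peer class, main_mode function, policy dictionaries, identities and pre-shared keys are this example's own constructions; ISAKMP payload encoding and the encryption of messages 5 and 6 under SKEYID_e are omitted.

```python
"""Added example: IKEv1 main mode (phase 1) with pre-shared-key authentication,
following RFC 2409 section 5.4. Constructed simulation, not product code.
ISAKMP payload encoding and the encryption of messages 5/6 are omitted."""
import hmac
import os

# RFC 2409 Oakley group 2 (1024-bit MODP). Too weak for production today;
# prefer group 14 (2048-bit) or an ECP group. Used here for speed only.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2

# Constructed IKE policies (the "proposals" carried in the SA payload).
POLICY_AES = {"enc": "aes-256", "hash": "sha256", "auth": "psk", "group": 2}
POLICY_3DES = {"enc": "3des", "hash": "sha1", "auth": "psk", "group": 2}


def prf(key: bytes, data: bytes, hash_name: str) -> bytes:
    """RFC 2409 prf: HMAC keyed with `key` over the negotiated hash algorithm."""
    return hmac.new(key, data, hash_name).digest()


def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


class Peer:
    """One IKE endpoint: identity, pre-shared key, ordered list of acceptable policies."""

    def __init__(self, ident: bytes, psk: bytes, policies: list):
        self.ident = ident            # IDii_b / IDir_b (identity payload body)
        self.psk = psk
        self.policies = policies
        self.cookie = os.urandom(8)   # CKY-I / CKY-R
        self.nonce = os.urandom(16)   # Ni_b / Nr_b
        self.x = int.from_bytes(os.urandom(32), "big")   # DH private value
        self.gx = pow(GROUP2_G, self.x, GROUP2_P)        # DH public value


def main_mode(ini: Peer, rsp: Peer):
    """Run the three main mode exchanges. Returns (agreed policy, SKEYID_d)
    or raises ValueError where a real peer would abort the negotiation."""
    # Messages 1-2, SA exchange: the initiator offers all its policies;
    # the responder searches for the first one it also accepts and confirms it.
    sa_i_b = repr(ini.policies).encode()              # SAi_b: the offered SA body
    agreed = next((p for p in ini.policies if p in rsp.policies), None)
    if agreed is None:
        raise ValueError("SA exchange failed: no matching IKE policy")
    h = agreed["hash"]

    # Messages 3-4, key exchange: each side sends g^x and a nonce. Both sides
    # compute the same g^xy; SKEYID for PSK auth = prf(PSK, Ni_b | Nr_b).
    # Each side uses its *own* PSK, so SKEYID agrees only if the PSKs match.
    gxy = pow(rsp.gx, ini.x, GROUP2_P)
    skeyid_i = prf(ini.psk, ini.nonce + rsp.nonce, h)
    skeyid_r = prf(rsp.psk, ini.nonce + rsp.nonce, h)

    # Messages 5-6, ID and authentication: HASH_I and HASH_R bind the DH values,
    # cookies, offered SA and identities, proving each side knows the PSK and
    # that nothing exchanged in phase 1 was tampered with.
    def hash_i(skeyid):
        return prf(skeyid, to_bytes(ini.gx) + to_bytes(rsp.gx)
                   + ini.cookie + rsp.cookie + sa_i_b + ini.ident, h)

    def hash_r(skeyid):
        return prf(skeyid, to_bytes(rsp.gx) + to_bytes(ini.gx)
                   + rsp.cookie + ini.cookie + sa_i_b + rsp.ident, h)

    # The responder recomputes HASH_I with its own SKEYID and compares.
    if not hmac.compare_digest(hash_i(skeyid_i), hash_i(skeyid_r)):
        raise ValueError("responder rejected HASH_I: initiator authentication failed")
    if not hmac.compare_digest(hash_r(skeyid_r), hash_r(skeyid_i)):
        raise ValueError("initiator rejected HASH_R: responder authentication failed")

    # SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0) seeds the IPsec SA keys.
    # A fresh DH exchange per negotiation is what makes them independent.
    skeyid_d = prf(skeyid_i, to_bytes(gxy) + ini.cookie + rsp.cookie + b"\x00", h)
    return agreed, skeyid_d


if __name__ == "__main__":
    i = Peer(b"10.1.1.1", b"s3cret", [POLICY_3DES, POLICY_AES])
    r = Peer(b"10.1.1.2", b"s3cret", [POLICY_AES])
    policy, kd = main_mode(i, r)
    print("agreed policy:", policy)
    print("SKEYID_d:", kd.hex())
```

Two things to watch in the simulation: a mismatched pre-shared key is only detected at the ID/authentication step (in a real exchange messages 5 and 6 would not even decrypt), and running the negotiation twice yields different SKEYID_d values because each run performs its own DH exchange with fresh nonces and cookies, which is the key-independence property the function list above refers to.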