Negotiating the SA - The Internet Key Exchange (IKE); Authentication: Phase 1 - NETGEAR FVM318 Reference Manual

Reference Manual for the Model FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall
Exchange keys
Keep track of the agreements

Negotiating the SA - the Internet Key Exchange (IKE)

IKE provides a way to:
Ensure that the key exchange and the IPSec communication occurs only between
authenticated parties;
Negotiate the protocols, algorithms and keys to be used between the two IPSec hosts
Securely update and renegotiate SAs when they have expired
IKE functions in two phases:
1. Phase 1. The peers establish a secure channel. After Phase 1, all IKE packets are encrypted.
2. Phase 2. The peers negotiate a general purpose SA.
IKE provides three modes of key exchange and setting up of SAs. Two of the modes are used in
the first phase and one in the second.

Authentication: Phase 1

Main mode or Aggressive mode can be chosen in the first phase.
Main mode. This mode accomplishes the first phase by establishing a secure channel before sending a user identity.
Main mode secures an IKE SA in three two-way exchanges between the initiator and the responder.
a. Both agree on basic algorithms and hashes.
b. Both exchange Diffie-Hellman public keys and pass nonces. Nonce is a cryptographic term for a fresh random number that is used only once.
c. Both parties verify each other's identity. This exchange is already encrypted.
Aggressive mode. Unlike Main mode, it does not protect identities because it establishes the secure channel after the information has been exchanged.
Aggressive mode establishes a connection with two exchanges. Only one of these is a round-trip exchange.
a. The initiator generates a Diffie-Hellman public value, sending it with the nonce.
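Added example (not from the NETGEAR manual): a simplified Python model of both Phase 1 modes with pre-shared-key authentication, showing the exchanges described above and why Main mode keeps identities off the wire while Aggressive mode sends them in the clear. The small DH group, the proposal payload and the XOR keystream standing in for the negotiated cipher are constructed assumptions for illustration, not the firewall's implementation.

```python
import hmac, hashlib, secrets
# Demonstration-only DH group (2**127 - 1 is prime); real IKE uses the RFC 2409 MODP groups.
P, G = 2**127 - 1, 2
PROPOSAL = b"aes-sha256-dh-proposal"  # constructed stand-in for the SA proposal payload

def prf(key, data):
    """IKEv1 prf: HMAC keyed with the negotiated hash (SHA-256 here)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def keystream_xor(key, data):
    """Stand-in for the negotiated cipher: XOR with an HMAC-derived keystream."""
    stream = b"".join(prf(key, bytes([i])) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def dh_pair():
    x = secrets.randbelow(P - 2) + 1  # private exponent
    return x, pow(G, x, P).to_bytes(16, "big")  # public value g^x mod p as 16 bytes

def auth_hash(skeyid, gx_self, gx_peer, ident):
    """HASH_I / HASH_R: proves possession of SKEYID (hence the PSK) and binds the DH values."""
    return prf(skeyid, gx_self + gx_peer + PROPOSAL + ident)

def phase1(psk_i, psk_r, id_i, id_r, aggressive=False):
    """Run Phase 1 between initiator and responder; returns (authenticated, wire_log)."""
    wire = []
    xi, gxi = dh_pair(); _, gxr = dh_pair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    if aggressive:  # exchange 1: proposal, DH value, nonce AND identity, all in the clear
        wire.append(("I->R", PROPOSAL + gxi + ni + id_i))
    else:
        wire += [("I->R", PROPOSAL), ("R->I", PROPOSAL)]  # exchange 1: algorithms and hashes
        wire += [("I->R", gxi + ni), ("R->I", gxr + nr)]  # exchange 2: DH values and nonces
    # Each side derives SKEYID = prf(PSK, Ni | Nr) and an encryption key from the DH secret g^xy
    skeyid_i, skeyid_r = prf(psk_i, ni + nr), prf(psk_r, ni + nr)
    g_xy = pow(int.from_bytes(gxr, "big"), xi, P).to_bytes(16, "big")  # responder: gxi^xr
    enc_key = prf(skeyid_i, g_xy)
    hash_i = auth_hash(skeyid_i, gxi, gxr, id_i)
    hash_r = auth_hash(skeyid_r, gxr, gxi, id_r)
    if aggressive:  # exchange 2 (the only round trip) carries ID_r and HASH_r in the clear
        wire += [("R->I", gxr + nr + id_r + hash_r), ("I->R", hash_i)]
    else:  # exchange 3: identities and hashes, already encrypted
        wire += [("I->R", keystream_xor(enc_key, id_i + hash_i)),
                 ("R->I", keystream_xor(enc_key, id_r + hash_r))]
    # Each side recomputes the peer's hash with its own SKEYID; a PSK mismatch fails here
    ok = (hmac.compare_digest(hash_i, auth_hash(skeyid_r, gxi, gxr, id_i)) and
          hmac.compare_digest(hash_r, auth_hash(skeyid_i, gxr, gxi, id_r)))
    return ok, wire

def identity_on_wire(wire, ident):
    """True if an identity payload appears in cleartext in any logged message."""
    return any(ident in payload for _, payload in wire)
```

Main mode logs six messages with the identities only inside the encrypted third exchange; Aggressive mode logs three messages with both identities readable by anyone capturing the traffic.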
B-22
Network, Routing, Firewall, and Wireless Basics