HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual page 397


who receives the certificate first extracts the public key and uses it to decrypt
the digital signature. It then decondenses the signature and compares it to the
certificate. A signature that matches the certificate testifies to the certificate's
integrity.
The remote host next checks the CA's digital signature by decrypting it with
the public key in the CA certificate (which the host must have loaded in its
system). The CA's signature attests that the first host is who it claims to be. A
certificate revocation list (CRL) issued by the CA tracks which hosts are
trusted to join the VPN.
IKE modes. IKE phase 1 can be initiated in one of two modes:
main mode
aggressive mode
Main mode consists of the exchange of six messages (three exchanges) as
described above.
Aggressive mode condenses the process into three messages. First, the
initiating host sends all necessary information: its IKE SA policy proposals,
Diffie-Hellman public value, and either its preshared key or digital
certificate. The remote host responds with the IKE SA policy it has selected,
its Diffie-Hellman public value, its preshared key or certificate, and
authentication for the session. The first host replies, authenticating the
remote host and establishing the IKE SA. Aggressive mode is quicker than main
mode. However, because it requires hosts to send identifying information
before exchanges are encrypted, it is less secure.
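The following is an added example, not taken from the manual or from the Secure Router OS: a small audit helper that reads the ISAKMP header of a captured IKEv1 message (layout and type numbers per RFC 2408/2409) and reports whether the Identification payload is visible in cleartext, which is the exposure that makes aggressive mode weaker. The function names and the sample messages are constructed for illustration.

```python
import struct

# Fixed ISAKMP header (RFC 2408): initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message ID, total length.
HEADER = struct.Struct("!8s8sBBBBII")
MODES = {2: "main", 4: "aggressive"}   # exchange type 2 = Identity Protection
ENCRYPTED = 0x01                        # flags bit 0
ID_PAYLOAD = 5                          # Identification payload type


def cleartext_payloads(datagram):
    """Return (mode, payload types visible in cleartext) for one IKEv1 message."""
    if len(datagram) < HEADER.size:
        raise ValueError("truncated ISAKMP header")
    _, _, nxt, version, exch, flags, _, length = HEADER.unpack_from(datagram)
    if version >> 4 != 1 or not HEADER.size <= length <= len(datagram):
        raise ValueError("not a well-formed IKEv1 message")
    mode, seen, offset = MODES.get(exch, "other"), [], HEADER.size
    if flags & ENCRYPTED:
        return mode, seen               # body is ciphertext, nothing to walk
    while nxt != 0:                     # follow the generic payload headers
        if offset + 4 > length:
            raise ValueError("payload chain runs past message end")
        following, _, plen = struct.unpack_from("!BBH", datagram, offset)
        if plen < 4 or offset + plen > length:
            raise ValueError("bad payload length")
        seen.append(nxt)
        nxt, offset = following, offset + plen
    return mode, seen


def exposes_identity(datagram):
    """True when the peer's Identification payload travels unencrypted."""
    return ID_PAYLOAD in cleartext_payloads(datagram)[1]


def build(exch, flags, payloads):
    """Constructed sample message: header plus empty-bodied payloads."""
    body = b""
    for i in range(len(payloads)):
        following = payloads[i + 1] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", following, 0, 4)
    first = payloads[0] if payloads else 0
    return HEADER.pack(b"I" * 8, b"\0" * 8, first, 0x10, exch, flags, 0,
                       HEADER.size + len(body)) + body


# Constructed samples. Payload types: SA=1, KE=4, ID=5, Hash=8, Nonce=10.
AGGRESSIVE_MSG1 = build(4, 0, [1, 4, 10, 5])   # first aggressive-mode message
MAIN_MSG5 = build(2, ENCRYPTED, [5, 8])        # fifth main-mode message
```

Run over UDP port 500 payloads from a capture, this shows which peers still negotiate phase 1 in aggressive mode and disclose their identity to anyone observing the exchange.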
In the Secure Router OS, you configure the IKE mode in an IKE policy. You
configure the security proposals IKE uses in an IKE attribute policy.
Table 8-1 summarizes the configurations you must make for IKE phase 1.
Virtual Private Networks
Overview
8-11

This manual is also suitable for:

Procurve secure router 7102 dl