Ulterius Technologies LLC FDN40 User Manual
CHAPTER 8: IKE
Configuration User Manual
158
© Ulterius Technologies, LLC 2016. Confidential & Proprietary.
Message 6: Responder sends IKE ID and authentication data.
8.1.1.1.2 Aggressive Mode
In an AM exchange, the IKE entities use the following three messages to
establish the IKE SA:
Message 1: Initiator sends IKE SA proposals, Diffie-Hellman public value,
nonce and IKE ID.
Message 2: Responder sends accepted IKE SA proposal, Diffie-Hellman
public value, nonce, IKE ID, and authentication data (hash or signature).
Message 3: Initiator sends its authentication data (hash or signature),
which may be encrypted with keys derived from the Diffie-Hellman exchange.
Because the IKE IDs and the responder's authentication data are sent
before any encryption is in place, AM discloses both identities to a
passive observer, and with pre-shared-key authentication it also lets that
observer test pre-shared-key guesses offline against the responder's hash.
Prefer Main Mode, or certificate-based authentication, wherever the peer
supports it.
8.1.1.2 Phase 2 - Quick Mode
After an IKEv1 SA is established, the two systems have a secure channel for
negotiating IPsec SAs. The IPsec SAs determine the IPsec transformation(s)
used (ESP (Encapsulating Security Payload) and/or AH (Authentication
Header)), the keys used by ESP and/or AH, and other parameters. IPsec SAs
are negotiated in pairs: an outbound SA for packets from the local network to
the remote network and an inbound SA for packets from the remote network
to the local network. Each SA of the pair has its own SPI and its own keys.
In a QM exchange, the following three messages are required to establish an
IPsec SA pair:
Message 1: Initiator sends IPsec SA proposals, SPI (Security Parameter
Index), nonce and traffic IDs.
Message 2: Responder sends accepted IPsec SA proposal, SPI, nonce, and
traffic IDs.
Message 3: Initiator sends hash message to prove liveness.
If Perfect Forward Secrecy (PFS) is configured, messages 1 and 2 also carry
a fresh Diffie-Hellman exchange so that the IPsec keys do not depend only on
the phase 1 keying material.
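The two IKEv1 procedures above, Aggressive Mode (section 8.1.1.1.2) and the Quick Mode keying that follows it, as an added worked example in Python. This is not FDN40 code or anything from the manual; it models the RFC 2409 definitions of SKEYID, HASH_I, HASH_R, SKEYID_d and KEYMAT. HMAC-SHA1 as the negotiated prf, the toy Diffie-Hellman group, the constructed SA/ID byte strings, the sample pre-shared keys and the candidate list are all assumptions made for the example. The offline_psk_guess function shows the point of the caveat: with pre-shared keys, everything HASH_R covers is visible in messages 1 and 2.

```python
"""IKEv1 Aggressive Mode (phase 1, pre-shared-key authentication) followed by the
Quick Mode KEYMAT derivation, modelled on RFC 2409.  Added example, not FDN40 code.
Assumptions not taken from the manual: HMAC-SHA1 as the negotiated prf, a toy
Diffie-Hellman group, and fixed byte strings standing in for the SA, ID and
proposal payloads."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # toy DH modulus (a Mersenne prime), NOT an IKE MODP group
G = 2
ESP = b"\x03"        # PROTO_IPSEC_ESP, the ISAKMP protocol ID used in KEYMAT


def prf(key: bytes, data: bytes) -> bytes:
    """Negotiated prf; HMAC-SHA1 assumed for this example."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_public(x: int) -> bytes:
    return pow(G, x, P).to_bytes(16, "big")


def dh_shared(peer_public: bytes, x: int) -> bytes:
    return pow(int.from_bytes(peer_public, "big"), x, P).to_bytes(16, "big")


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def hash_r(skeyid: bytes, m1: dict, m2: dict) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, m2["ke"] + m1["ke"] + m2["cky_r"] + m1["cky_i"] + m1["sa"] + m2["idir"])


def hash_i(skeyid: bytes, m1: dict, m2: dict) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, m1["ke"] + m2["ke"] + m1["cky_i"] + m2["cky_r"] + m1["sa"] + m1["idii"])


def aggressive_mode(psk_initiator: bytes, psk_responder: bytes) -> dict:
    """Run the three AM messages.  Returns what a passive observer sees (messages 1
    and 2), whether each side accepted the other's authentication data, and SKEYID_d."""
    # Message 1: HDR, SA, KE, Ni, IDii  -- sent in cleartext
    xi = secrets.randbelow(P - 2) + 1
    m1 = {"cky_i": secrets.token_bytes(8), "sa": b"SA:3DES-SHA1-PSK-GROUP2",
          "ke": dh_public(xi), "ni": secrets.token_bytes(16),
          "idii": b"initiator@example.invalid"}
    # Message 2: HDR, SA, KE, Nr, IDir, HASH_R  -- also cleartext, HASH_R included
    xr = secrets.randbelow(P - 2) + 1
    m2 = {"cky_r": secrets.token_bytes(8), "sa": m1["sa"], "ke": dh_public(xr),
          "nr": secrets.token_bytes(16), "idir": b"responder@example.invalid"}
    skeyid_r = skeyid_psk(psk_responder, m1["ni"], m2["nr"])
    m2["hash_r"] = hash_r(skeyid_r, m1, m2)
    # Initiator recomputes HASH_R with its own copy of the PSK
    skeyid_i = skeyid_psk(psk_initiator, m1["ni"], m2["nr"])
    responder_ok = hmac.compare_digest(hash_r(skeyid_i, m1, m2), m2["hash_r"])
    # Message 3: HDR, HASH_I  (encrypted in real IKE; shown unencrypted here)
    m3_hash_i = hash_i(skeyid_i, m1, m2)
    initiator_ok = hmac.compare_digest(hash_i(skeyid_r, m1, m2), m3_hash_i)
    # SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0): needs the DH secret, which
    # only the two peers can compute, so phase-2 keys stay out of an observer's reach
    skeyid_d = prf(skeyid_i, dh_shared(m2["ke"], xi) + m1["cky_i"] + m2["cky_r"] + b"\x00")
    return {"msg1": m1, "msg2": m2, "responder_authenticated": responder_ok,
            "initiator_authenticated": initiator_ok, "skeyid_d": skeyid_d}


def offline_psk_guess(m1: dict, m2: dict, candidates: list):
    """The AM weakness: every input to HASH_R is visible in messages 1 and 2, so an
    observer can test pre-shared-key candidates offline, never contacting a peer."""
    for cand in candidates:
        if hmac.compare_digest(hash_r(skeyid_psk(cand, m1["ni"], m2["nr"]), m1, m2), m2["hash_r"]):
            return cand
    return None


def quick_mode_keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes, nbytes: int = 36) -> bytes:
    """Quick Mode without PFS: K1 = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b),
    K2 = prf(SKEYID_d, K1 | protocol | SPI | Ni_b | Nr_b), ... KEYMAT = K1 | K2 | ...
    Each SA of the pair carries its own SPI, so inbound and outbound keys differ."""
    out, k = b"", b""
    while len(out) < nbytes:
        k = prf(skeyid_d, k + ESP + spi + ni + nr)
        out += k
    return out[:nbytes]
```

Running aggressive_mode with matching keys authenticates both sides; running offline_psk_guess over a word list with only the two cleartext messages recovers the key whenever it is in the list, which is exactly what a capture of an AM/PSK negotiation gives an attacker. quick_mode_keymat called twice with the two SPIs of an SA pair yields two distinct key blocks from one SKEYID_d.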
8.1.2 IKEv2
IKEv2 establishes an IKE SA and an initial IPsec SA pair with four messages,
forming two request/response exchanges; two further exchange types maintain
the session afterwards:
IKE_SA_INIT: the initial request/response of an IKE session negotiates
security parameters for the IKE_SA, and exchanges nonces and Diffie-
Hellman values. These two messages are sent in cleartext.
IKE_AUTH: the next request/response transmits identities, proves
knowledge of the secrets corresponding to the two identities, and sets up
an SA for the first (and often only) AH and/or ESP CHILD_SA. Its payloads
are encrypted and integrity-protected with keys derived from IKE_SA_INIT,
so the identities are not visible on the wire.
Child Exchange (IKE_CHILD; CREATE_CHILD_SA in RFC 7296): request/response
messages used to rekey the existing IKE SA or IPsec SAs, or to create new
IPsec SAs.
Informational Exchange (IKE_INFO; INFORMATIONAL in RFC 7296): request/
response messages used to send control messages, such as delete and error
notifications, to the peer.
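The IKE_SA_INIT and IKE_AUTH exchanges described above, as an added worked example in Python. This is not FDN40 code or anything from the manual; it models the RFC 7296 key schedule (SKEYSEED, prf+, the SK_* keys) and shared-key AUTH computation, and shows why the identities and authentication data that Aggressive Mode leaks sit inside the encrypted IKE_AUTH payload here. HMAC-SHA256 as the prf, the toy Diffie-Hellman group, the prf-keystream XOR standing in for the negotiated ENCR transform, the ID/SA/traffic-selector strings and the sample shared secrets are all assumptions made for the example.

```python
"""IKEv2 initial exchanges, IKE_SA_INIT then IKE_AUTH with shared-key authentication,
modelled on the RFC 7296 key derivation.  Added example, not FDN40 code.  Assumptions
not taken from the manual: HMAC-SHA256 as the prf, a toy Diffie-Hellman group, a
prf-keystream XOR standing in for the negotiated ENCR transform, and fixed byte
strings for the SA, ID and traffic-selector payloads."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1               # toy DH modulus, NOT an IKE MODP/ECP group
G = 2
KEY_PAD = b"Key Pad for IKEv2"   # RFC 7296 section 2.15
KEYS = ["SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr"]


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, nbytes: int) -> bytes:
    """RFC 7296 prf+: T1 = prf(K, S | 0x01), Ti = prf(K, T(i-1) | S | i)."""
    out, t, i = b"", b"", 1
    while len(out) < nbytes:
        t = prf(key, t + seed + bytes([i]))
        out, i = out + t, i + 1
    return out[:nbytes]


def derive_sk(skeyseed: bytes, ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes) -> dict:
    """{SK_d|SK_ai|SK_ar|SK_ei|SK_er|SK_pi|SK_pr} = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr)."""
    km = prf_plus(skeyseed, ni + nr + spi_i + spi_r, 32 * len(KEYS))
    return {name: km[32 * k:32 * (k + 1)] for k, name in enumerate(KEYS)}


def sk_wrap(key: bytes, data: bytes) -> bytes:
    """Stand-in for the SK{...} encrypted payload: XOR with a prf+ keystream (self-inverse)."""
    return bytes(a ^ b for a, b in zip(data, prf_plus(key, b"ENCR-standin", len(data))))


def auth_psk(psk: bytes, signed_octets: bytes) -> bytes:
    """AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)."""
    return prf(prf(psk, KEY_PAD), signed_octets)


def sk_auth_field(plain: bytes) -> bytes:
    """This example's SK payload layout: 1-byte ID length | ID | 32-byte AUTH | rest."""
    n = plain[0]
    return plain[1 + n:1 + n + 32]


def ikev2_initial(psk_i: bytes, psk_r: bytes) -> dict:
    # Message 1, IKE_SA_INIT request: HDR, SAi1, KEi, Ni  -- cleartext
    xi = secrets.randbelow(P - 2) + 1
    m1 = {"spi_i": secrets.token_bytes(8), "sa": b"SA:AES-GCM-16/PRF-HMAC-SHA256/DH-toy",
          "ke": pow(G, xi, P).to_bytes(16, "big"), "ni": secrets.token_bytes(32)}
    # Message 2, IKE_SA_INIT response: HDR, SAr1, KEr, Nr  -- cleartext
    xr = secrets.randbelow(P - 2) + 1
    m2 = {"spi_r": secrets.token_bytes(8), "sa": m1["sa"],
          "ke": pow(G, xr, P).to_bytes(16, "big"), "nr": secrets.token_bytes(32)}
    # Each side computes g^ir from the other's KE; SKEYSEED = prf(Ni | Nr, g^ir)
    g_ir = pow(int.from_bytes(m2["ke"], "big"), xi, P).to_bytes(16, "big")
    assert g_ir == pow(int.from_bytes(m1["ke"], "big"), xr, P).to_bytes(16, "big")
    sk = derive_sk(prf(m1["ni"] + m2["nr"], g_ir), m1["ni"], m2["nr"], m1["spi_i"], m2["spi_r"])
    raw1, raw2 = b"".join(m1.values()), b"".join(m2.values())   # RealMessage1 / RealMessage2
    idi, idr = b"initiator@example.invalid", b"responder@example.invalid"
    # Message 3, IKE_AUTH request: HDR, SK{IDi, AUTH, SAi2, TSi, TSr}, encrypted with SK_ei
    signed_i = raw1 + m2["nr"] + prf(sk["SK_pi"], idi)          # InitiatorSignedOctets
    m3 = sk_wrap(sk["SK_ei"],
                 bytes([len(idi)]) + idi + auth_psk(psk_i, signed_i) + b"SAi2|TSi|TSr")
    # Responder decrypts and checks AUTH against its own copy of the shared secret
    initiator_ok = hmac.compare_digest(sk_auth_field(sk_wrap(sk["SK_ei"], m3)),
                                       auth_psk(psk_r, signed_i))
    # Message 4, IKE_AUTH response: HDR, SK{IDr, AUTH, SAr2, TSi, TSr}, encrypted with SK_er
    signed_r = raw2 + m1["ni"] + prf(sk["SK_pr"], idr)          # ResponderSignedOctets
    m4 = sk_wrap(sk["SK_er"],
                 bytes([len(idr)]) + idr + auth_psk(psk_r, signed_r) + b"SAr2|TSi|TSr")
    responder_ok = hmac.compare_digest(sk_auth_field(sk_wrap(sk["SK_er"], m4)),
                                       auth_psk(psk_i, signed_r))
    return {"cleartext": (m1, m2), "encrypted": (m3, m4), "sk": sk,
            "initiator_authenticated": initiator_ok, "responder_authenticated": responder_ok}
```

The contrast with the IKEv1 Aggressive Mode exchange is in what an observer of the four messages gets: messages 1 and 2 carry only proposals, public values and nonces, while the identities and AUTH values travel inside payloads keyed from g^ir, so a word-list attack on the shared secret needs the Diffie-Hellman secret first. Replace sk_wrap with the negotiated AEAD transform and the SK_a* keys with real integrity protection before treating any of this as more than a model.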