Nortel 4134 用户指南
Shared key negotiation with IKE
49
IKE modes
With IKE, the shared key negotiation is carried out in two phases.
Phase 1: main mode or aggressive mode
The intent of phase 1 is to establish the authenticated symmetric key and
create an IKE security association. This can be achieved using one of two
modes: main mode or aggressive mode.
create an IKE security association. This can be achieved using one of two
modes: main mode or aggressive mode.
•
Main mode: Main mode provides for a powerful and flexible negotiation
mechanism involving six message exchanges between the security
gateways. It also provides identity protection for the parties involved in
the negotiation. This is normally used in site to site VPN applications.
mechanism involving six message exchanges between the security
gateways. It also provides identity protection for the parties involved in
the negotiation. This is normally used in site to site VPN applications.
Figure 11
IKE main mode
IKE main mode
•
Aggressive mode: Aggressive mode provides a quicker negotiation
mechanism involving only three message exchanges. However,
aggressive mode does not provide identity protection.
mechanism involving only three message exchanges. However,
aggressive mode does not provide identity protection.
Aggressive mode is normally used in remote access VPN applications.
In remote access VPN, main mode with pre-shared key cannot function
when there is a NAT in the middle. In remote-access applications, it is
best to assume that there is a NAT in the middle and to use aggressive
mode, which functions with a NAT in the middle. Most site-to-site
applications provide native reachability (that is, no NAT in the middle)
between the peers and can therefore use main mode with identity
protection.
In remote access VPN, main mode with pre-shared key cannot function
when there is a NAT in the middle. In remote-access applications, it is
best to assume that there is a NAT in the middle and to use aggressive
mode, which functions with a NAT in the middle. Most site-to-site
applications provide native reachability (that is, no NAT in the middle)
between the peers and can therefore use main mode with identity
protection.
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600
01.02
Standard
10.0
3 August 2007
Copyright © 2007, Nortel Networks
.