Ike functions – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
Page 383
369
2. Phase 2—Using the ISAKMP SA established in phase 1, the two peers negotiate to establish IPsec SAs.
Figure 149 IKE exchange process in main mode
As shown in Figure 149, the main mode of IKE negotiation in phase 1 involves three pairs of messages:
• SA exchange, used for negotiating the security policy.
• Key exchange, used for exchanging the Diffie-Hellman public value and other values such as the random number (nonce). Key data is generated in this stage.
• ID and authentication data exchange, used for identity authentication and for authenticating the data exchanged in phase 1.
The main difference between the main mode and the aggressive mode is that the aggressive mode does not provide identity protection and exchanges only three messages rather than three pairs. The main mode provides identity protection but is slower.
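The three message pairs above, modelled end to end as an added example (not H3C code): Peer 1 offers its policies, Peer 2 searches for a match, both sides exchange DH public values and nonces, derive the phase-1 keys, and then authenticate each other's identity with hashes over everything exchanged so far. The key derivation and hash layout follow the IKEv1 pre-shared-key formulas (RFC 2409); the DH group, policy encoding and peer names are constructed for the example and are not a real IKE group or H3C syntax.

```python
import hashlib, hmac, secrets

# Constructed toy DH group for illustration only; NOT an IKE DH group.
P = (1 << 89) - 1   # Mersenne prime M89, fits in 12 bytes
G = 3

def prf(key: bytes, data: bytes) -> bytes:   # IKEv1 prf: HMAC with the negotiated hash
    return hmac.new(key, data, hashlib.sha256).digest()

class Peer:
    def __init__(self, ident: bytes, policies, psk: bytes):
        self.ident, self.policies, self.psk = ident, policies, psk
        self.cookie = secrets.token_bytes(8)          # ISAKMP cookie (CKY)
        self.x = secrets.randbelow(P - 2) + 1         # DH private value
        self.pub = pow(G, self.x, P)                  # DH public value g^x
        self.nonce = secrets.token_bytes(16)          # random number sent in pair 2

def main_mode(init: Peer, resp: Peer) -> dict:
    """IKEv1 phase-1 main mode between initiator and responder (PSK authentication)."""
    # Pair 1, SA exchange: initiator's policies in preference order; responder takes the first it supports.
    matches = [p for p in init.policies if p in resp.policies]
    if not matches:
        return {"policy": None, "authenticated": False, "keys_match": False, "skeyid_e": None}
    sa = "/".join(matches[0]).encode()                # SAi_b: the confirmed policy as sent on the wire
    # Pair 2, key exchange: g^x values and nonces cross the wire; identities are still hidden.
    shared_i = pow(resp.pub, init.x, P).to_bytes(12, "big")   # g^xy computed by Peer 1
    shared_r = pow(init.pub, resp.x, P).to_bytes(12, "big")   # g^xy computed by Peer 2
    cky = init.cookie + resp.cookie
    def keys(peer, shared):                           # SKEYID chain, RFC 2409 section 5 (PSK case)
        skeyid = prf(peer.psk, init.nonce + resp.nonce)
        skeyid_d = prf(skeyid, shared + cky + b"\x00")
        skeyid_a = prf(skeyid, skeyid_d + shared + cky + b"\x01")
        skeyid_e = prf(skeyid, skeyid_a + shared + cky + b"\x02")
        return skeyid, skeyid_d, skeyid_a, skeyid_e
    ki, kr = keys(init, shared_i), keys(resp, shared_r)
    gxi, gxr = init.pub.to_bytes(12, "big"), resp.pub.to_bytes(12, "big")
    # Pair 3, ID/authentication exchange: HASH_I and HASH_R bind each identity to the whole phase-1 exchange.
    hash_i = prf(ki[0], gxi + gxr + cky + sa + init.ident)                            # sent by Peer 1
    hash_r = prf(kr[0], gxr + gxi + resp.cookie + init.cookie + sa + resp.ident)      # sent by Peer 2
    # Each side recomputes the other's hash with its own SKEYID; a wrong PSK is detected here, not earlier.
    ok_r = hmac.compare_digest(hash_i, prf(kr[0], gxi + gxr + cky + sa + init.ident))
    ok_i = hmac.compare_digest(hash_r, prf(ki[0], gxr + gxi + resp.cookie + init.cookie + sa + resp.ident))
    ok = ok_i and ok_r
    return {"policy": matches[0], "authenticated": ok, "keys_match": ki == kr,
            "skeyid_e": ki[3] if ok else None}        # SKEYID_e protects the rest of the ISAKMP SA
```

Because the hashes are only checked in the third pair, a peer configured with the wrong pre-shared key still completes the SA and key exchanges; the failure shows up as an authentication error, which is the symptom to look for when the two H3C peers' IKE keys do not match.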
IKE functions
IKE provides the following functions for IPsec:
• Automatically negotiates IPsec parameters such as the keys.
• Performs a DH exchange when establishing an SA, making sure that each SA has a key independent of the keys of other SAs.
• Automatically renegotiates SAs when the sequence number in the AH or ESP header overflows, so that IPsec can keep providing the anti-replay service based on the sequence number.
• Provides end-to-end dynamic authentication.
• Identity authentication and management of peers influence IPsec deployment. A large-scale IPsec deployment needs the support of certificate authorities (CAs) or other institutions that manage identity data centrally.
[Figure 149, IKE exchange process in main mode: Peer 1 and Peer 2 exchange three message pairs. SA exchange (algorithm negotiation): Peer 1 sends its local IKE policy (initiator's policy), Peer 2 searches for a matched policy and returns the confirmed policy. Key exchange (key generation): initiator's key information and receiver's key information are exchanged, and each peer generates the key. Identity authentication: initiator's identity and authentication data and receiver's identity and authentication data are exchanged, and each peer performs ID/exchange authentication.]