IKE negotiation process
IKE negotiates keys and SAs for IPsec in two phases:
Phase 1—The two peers establish an IKE SA, a secure, authenticated channel for communication. In this phase, two modes are available: main mode and aggressive mode.
Phase 2—Using the IKE SA established in phase 1, the two peers negotiate to establish IPsec SAs.
Figure 95: IKE exchange process in main mode
As shown in Figure 96, the main mode of IKE negotiation in phase 1 involves three pairs of messages:
SA exchange—Used for negotiating the IKE security policy.
Key exchange—Used for exchanging the DH public value and other values, such as the random number. The two peers use the exchanged data to generate key data and use the encryption key and authentication key to ensure the security of IP packets.
ID and authentication data exchange—Used for identity authentication.
The main difference between the main mode and the aggressive mode is that the aggressive mode does not provide identity information protection and exchanges only three messages, rather than three pairs. The main mode provides identity information protection but is slower.