Specifications

Negotiation
90 AVM Access Server – 5 AVM Access Server Concepts and Functional Principles
IKE Phase 1
The purpose of IKE Phase 1 is to negotiate an SA to provide secure communication during IKE Phase 2. In IKE Phase 1, the two peer systems perform the following steps:
- They communicate their identities.
- They authenticate themselves.
- They negotiate an encryption algorithm to be used in IKE Phase 2.
- They negotiate a Diffie-Hellman group to use in generating keys.
- Each system generates a private key, and generates a corresponding public key using the negotiated Diffie-Hellman group. The public keys are exchanged. Each system generates the secret key to be used for the encryption of IKE Phase 2 communication based on its own private key, the peer's public key and the negotiated Diffie-Hellman group. The resulting key is identical in both systems.
- The two systems negotiate the lifetime of the SA.
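The key-generation step above, worked through for both peers as an added example (not AVM code). It assumes IKE group 2 (the 1024-bit MODP group of RFC 2409, generator 2) as the negotiated group, validates the group parameters before use and rejects malformed public values from the peer, two checks the text does not spell out.

```python
import secrets

# IKE group 2: 1024-bit MODP prime from RFC 2409 (transcribed; validated below), g = 2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2

def is_probable_prime(n, rounds=20):
    """Miller-Rabin; enough to sanity-check a group prime before using it."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_group(p, g):
    # A sound IKE MODP group has p = 2q + 1 with q prime and 2 <= g <= p - 2.
    return 2 <= g <= p - 2 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)

class Peer:
    """One IKE Phase 1 endpoint: private exponent x, public value y = g^x mod p."""
    def __init__(self, p, g):
        self.p, self.g, self.q = p, g, (p - 1) // 2
        self.x = secrets.randbelow(p - 3) + 2   # private key, never leaves this side
        self.y = pow(g, self.x, p)              # public key, sent to the peer
    def shared_secret(self, peer_y):
        # Reject 0, 1, p-1 and other small-subgroup values before exponentiating.
        if not 2 <= peer_y <= self.p - 2 or pow(peer_y, self.q, self.p) != 1:
            raise ValueError("invalid Diffie-Hellman public value from peer")
        return pow(peer_y, self.x, self.p)

def phase1_dh(p=GROUP2_P, g=GROUP2_G):
    """Run the exchange for both sides; returns (initiator_key, responder_key)."""
    if not check_group(p, g):
        raise ValueError("negotiated Diffie-Hellman group failed validation")
    initiator, responder = Peer(p, g), Peer(p, g)
    return initiator.shared_secret(responder.y), responder.shared_secret(initiator.y)
```

The two returned values are equal, which is the property the Phase 2 keys depend on; a real IKE implementation feeds this shared secret, together with the exchanged nonces, into the key derivation rather than using it directly.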
There are two protocol modes to choose from in IKE Phase 1: "main mode" and "aggressive mode". Main mode requires more messages to be exchanged than aggressive mode. In aggressive mode, the identities are exchanged in the first and second messages. In main mode this occurs later. If authentication takes place using pre-shared keys, and the remote site's public IP address is dynamically assigned by the Internet Service Provider and hence not known, then IKE Phase 1 must be conducted in aggressive mode. Because the dynamically assigned IP address is not sufficient to identify the remote site, the identities must be exchanged earlier. This is only possible in aggressive mode. When certificates are used for authentication, main mode is preferable.