Operation Manual
Negotiation
NetWAYS/ISDN – 3 Remote Access with NetWAYS/ISDN 43
the duration of validity, or “lifetime”, of the SA
SAs have a limited period of validity. When the lifetime of an
SA has elapsed, a new SA must be negotiated. A separate SA
is negotiated for each direction of communication. The SAs
are stored in the security association database.
IKE negotiation takes place in two phases.
IKE Phase 1
The purpose of IKE Phase 1 is to negotiate an SA to provide
secure communication during IKE Phase 2. In IKE Phase 1,
the two peer systems perform the following steps:
They authenticate themselves.
They negotiate an encryption algorithm to be used in IKE Phase 2.
They negotiate a Diffie-Hellman group.
Each system generates a private key, and generates a corresponding public key using the negotiated Diffie-Hellman group. The public keys are exchanged. Each system generates the secret key to be used for the encryption of IKE Phase 2 communication based on its own private key, the peer's public key and the negotiated Diffie-Hellman group. The resulting key is identical in both systems.
The two systems negotiate the lifetime of the SA.
There are two protocol modes to choose from in IKE Phase 1: “main mode” and “aggressive mode”. Main mode requires more messages to be exchanged than aggressive mode. If the NetWAYS/ISDN computer’s public IP address is dynamically assigned by the Internet Service Provider and hence not known, then IKE Phase 1 must be conducted in aggressive mode.
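The key-agreement steps of IKE Phase 1 described above, shown as an added Python example that is not part of this manual and not NetWAYS/ISDN code. It assumes the peers have already agreed on Diffie-Hellman group 14 from RFC 3526 (the 2048-bit MODP group; other IKE groups differ only in the modulus and generator), runs both peers in one process, omits authentication and the IKE message encoding, and derives the SA key with SHA-256 over the shared value instead of IKE's negotiated PRF and nonces. The SA record carries the negotiated lifetime so that the expiry check, which is what forces a fresh negotiation, can be seen as well.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Diffie-Hellman group 14 (2048-bit MODP) from RFC 3526. A real IKE Phase 1
# negotiates which group to use; the exchange below is the same for any
# group, only p and g change.
GROUP14_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
GROUP14_G = 2


def group_is_plausible(p: int, g: int) -> bool:
    """Cheap sanity check on a group: p is odd and passes a Fermat test to
    base g. Not a primality proof; it only catches a mistyped modulus."""
    return p % 2 == 1 and pow(g, p - 1, p) == 1


def generate_private_key(p: int) -> int:
    """Random private exponent in [2, p - 2], drawn from the OS CSPRNG."""
    return secrets.randbelow(p - 3) + 2


def public_key(private: int, p: int, g: int) -> int:
    """Public value g^private mod p; this is what is sent to the peer."""
    return pow(g, private, p)


def shared_secret(own_private: int, peer_public: int, p: int) -> int:
    """Shared DH value from our private key and the peer's public value.

    Peer values 0, 1 and p - 1 are rejected: they would force the result
    into a trivial subgroup whatever our private key is."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, own_private, p)


def derive_sa_key(shared: int, p: int) -> bytes:
    """Turn the shared DH value into key bytes. Simplification: IKE feeds
    the shared value, nonces and cookies through the negotiated PRF; here
    SHA-256 over the fixed-width value stands in for that."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(width, "big")).digest()


@dataclass
class SecurityAssociation:
    """Minimal SA record: the key plus the negotiated lifetime."""
    key: bytes
    established: float
    lifetime_seconds: int

    def expired(self, now: float) -> bool:
        """True once the lifetime has elapsed; a new SA must then be negotiated."""
        return now >= self.established + self.lifetime_seconds


def phase1_exchange(p: int = GROUP14_P, g: int = GROUP14_G, lifetime: int = 28800):
    """Run the key-agreement part of Phase 1 for both peers and return the SA
    each side would store. Lifetime of 8 hours is an assumed example value."""
    priv_a, priv_b = generate_private_key(p), generate_private_key(p)
    # Only the public values cross the wire; the private exponents never do.
    pub_a, pub_b = public_key(priv_a, p, g), public_key(priv_b, p, g)
    now = time.time()
    sa_a = SecurityAssociation(derive_sa_key(shared_secret(priv_a, pub_b, p), p), now, lifetime)
    sa_b = SecurityAssociation(derive_sa_key(shared_secret(priv_b, pub_a, p), p), now, lifetime)
    return sa_a, sa_b


if __name__ == "__main__":
    a, b = phase1_exchange()
    print("keys identical on both peers:", a.key == b.key)
    print("SA expired after lifetime:", a.expired(a.established + a.lifetime_seconds))
```

The range check in `shared_secret` is the part worth copying into a real implementation: a peer that sends 1 or p - 1 as its public value would otherwise fix the shared secret to a value it already knows, independent of our private key.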
netways-e.book Page 43 Friday, 28 November 2003 3:51 15