Specifications
Chapter 5. Configuring Software Options 137
during this phase. Phase 2 IKE then exchanges proposals for IPSec security attributes, generates the encryption
keys and sets up IPSec Security Associations (SAs) for moving user data.
Main Mode and Aggressive Mode
The router supports two Phase 1 IKE modes: main mode and aggressive mode. These modes apply only to the
Phase 1 negotiations, not to the ensuing data transmission.
Main mode is used when both source and destination IP addresses are known. In main mode, only two options
require definition initially: the remote peer IP address and the shared secret.
Aggressive mode is used when either the source or destination IP address could change, as with a remote modem
or DSL connection. In aggressive mode, additional information must be specified at the beginning of a session.
This additional information includes the remote gateway's IP address, the local and remote peer IDs, and an ID
type. This information is checked against the router's Security Association (SA) database. If a match is found, a
tunnel session can be established.
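The two sets of Phase 1 requirements above, as an added example (not the router vendor's code or configuration format): a hypothetical peer entry is validated for the fields each mode needs, and an aggressive-mode peer is matched against a constructed SA database by its ID and ID type before a tunnel is allowed.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical model of a Phase 1 IKE peer entry; field names are this example's own.
@dataclass(frozen=True)
class Phase1Peer:
    mode: str                       # "main" or "aggressive"
    remote_ip: Optional[str]        # fixed address, or None when the peer's address may change
    shared_secret: str
    id_type: Optional[str] = None   # aggressive mode: "email" or "fqdn" (domain name)
    local_id: Optional[str] = None
    remote_id: Optional[str] = None

def validate_peer(p: Phase1Peer) -> list[str]:
    """Return the configuration problems for one peer entry (empty list means usable)."""
    errors = []
    if not p.shared_secret:
        errors.append("shared secret is required in both modes")
    if p.mode == "main":
        # Main mode: both endpoints must be at known addresses, so the remote IP is mandatory.
        if not p.remote_ip:
            errors.append("main mode requires a fixed remote peer IP address")
    elif p.mode == "aggressive":
        # Aggressive mode: the peer is identified by ID and ID type, since its address may change.
        if p.id_type not in ("email", "fqdn"):
            errors.append("aggressive mode requires an ID type (email or fqdn)")
        if not (p.local_id and p.remote_id):
            errors.append("aggressive mode requires local and remote peer IDs")
    else:
        errors.append(f"unknown Phase 1 mode {p.mode!r}")
    return errors

def lookup_sa(db: list[Phase1Peer], peer_id: str, id_type: str) -> Optional[Phase1Peer]:
    """Match an aggressive-mode peer's ID against the SA database; None means no tunnel."""
    for entry in db:
        if entry.mode == "aggressive" and entry.id_type == id_type and entry.remote_id == peer_id:
            return entry
    return None

# Constructed sample SA database (addresses from the documentation range 203.0.113.0/24).
SA_DATABASE = [
    Phase1Peer("main", "203.0.113.10", "hq-to-dc-secret"),
    Phase1Peer("aggressive", None, "branch-secret", "email", "hq@example.com", "branch@example.com"),
]

if __name__ == "__main__":
    for entry in SA_DATABASE:
        print(entry.mode, validate_peer(entry) or "ok")
    print(lookup_sa(SA_DATABASE, "branch@example.com", "email") is not None)
```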
[Figure: IKE negotiation sequence and Phase 1 mode comparison]
Phase 1 IKE (router to router): peer identities ("Who are you?"), proposals ("Security attributes?"), then a secure tunnel.
Phase 2 IKE (router to router): IPSec proposals ("Security attributes?"), key exchange and key generation ("Encryption keys?"), IPSec Security Associations, then data flow.
Phase 1 IKE, Main Mode: both routers have a fixed IP address; a shared secret.
Phase 1 IKE, Aggressive Mode: one router has a fixed IP address; a shared secret; a known ID (e-mail address or domain name).