HP-UX IPSec version A.02.00 Administrator's Guide

HP-UX IPSec Overview
Internet Key Exchange (IKE)
Before IPSec sends authenticated or encrypted IP data, both the sender
and receiver must agree on the protocols, encryption algorithms and keys
to use. HP-UX IPSec uses the Internet Key Exchange (IKE) protocol to
negotiate the encryption and authentication methods and to generate
shared encryption keys. The IKE protocol also provides primary
authentication: it verifies the identity of the remote system before
negotiating the encryption algorithm and keys.
The IKE protocol is a hybrid of three other protocols: Internet Security
Association and Key Management Protocol (ISAKMP), Oakley, and
Versatile Secure Key Exchange Mechanism for Internet protocol
(SKEME). ISAKMP provides a framework for authentication and key
exchange, but does not itself define either the authentication or the
key exchange mechanism. The Oakley protocol describes a series of modes
for key exchange, and the SKEME protocol defines key exchange techniques.
Security Associations (SAs) and IKE Phases
A Security Association (SA) is a secure communication channel and its
parameters, such as the encryption algorithm, keys and lifetime. There
are two SA negotiation phases within ISAKMP, which are sometimes
referred to by the Oakley modes used to establish the SAs. The general
flow of the IKE protocol is as follows:
1. ISAKMP Phase One (Main Mode, MM)
   - Negotiate and establish an ISAKMP SA, a secure communication
     channel for further IKE communication.
   - The two systems generate a Diffie-Hellman shared value
     (described below) that is used as the base for a symmetric
     (shared) key, and further IKE communication is encrypted using
     this symmetric key.
   - Verify the remote system's identity (primary authentication).
2. ISAKMP Phase Two (Quick Mode, QM)
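The Phase One Diffie-Hellman step listed above, worked through as an added example (Python written for this page, not code from the HP-UX guide): each side computes a public value g^x, combines the peer's public value with its own private exponent to reach the same shared value g^xy, and that value becomes the base for the symmetric keys. The key derivation shown is the RFC 2409 pre-shared-key variant (SKEYID, then SKEYID_d, SKEYID_a, SKEYID_e), which goes beyond the one sentence on this page; Oakley group 2 as the DH group, HMAC-SHA1 as the PRF, and the cookies, nonces and pre-shared key are assumptions or constructed values, not settings taken from the guide. The check that rejects degenerate peer public values (0, 1, p-1) is the kind of validation an implementation needs so a peer cannot force g^xy to a known value.

```python
import hashlib
import hmac
import secrets

# RFC 2409 Oakley group 2 (1024-bit MODP prime, generator 2); transcribed
# here as an assumption and sanity-checked at run time by is_probable_prime().
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
GROUP_BYTES = 128  # g^xy is encoded as a 1024-bit big-endian value


def is_probable_prime(n, rounds=16):
    """Miller-Rabin test, used to sanity-check the group modulus."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


class IkePeer:
    """One side of the Phase One exchange: a cookie, a nonce and a DH key pair."""

    def __init__(self, cookie, nonce, private=None):
        self.cookie = cookie  # 8-byte ISAKMP cookie (CKY-I or CKY-R)
        self.nonce = nonce
        # Private exponent x; a fixed value may be passed for a reproducible demo.
        self.private = private if private is not None else secrets.randbelow(P - 3) + 2
        self.public = pow(G, self.private, P)  # g^x, sent to the peer in the clear

    def shared_value(self, peer_public):
        # Reject degenerate public values (0, 1, p-1): they would pin g^xy to a
        # known value regardless of this side's private exponent.
        if not 1 < peer_public < P - 1:
            raise ValueError("peer public value outside (1, p-1)")
        return pow(peer_public, self.private, P)  # g^xy


def prf(key, data):
    """HMAC-SHA1 standing in for the negotiated PRF (assumed, RFC 2409 section 5)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def derive_skeyid(psk, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 key derivation for pre-shared-key authentication."""
    gxy_b = gxy.to_bytes(GROUP_BYTES, "big")
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy_b + cky_i + cky_r + b"\x00")  # seeds Phase Two keys
    skeyid_a = prf(skeyid, skeyid_d + gxy_b + cky_i + cky_r + b"\x01")  # ISAKMP integrity
    skeyid_e = prf(skeyid, skeyid_a + gxy_b + cky_i + cky_r + b"\x02")  # ISAKMP encryption
    return {"d": skeyid_d, "a": skeyid_a, "e": skeyid_e}


def run_phase_one(psk, init_priv=None, resp_priv=None):
    """Run the DH step of Main Mode between two constructed peers; return both key sets."""
    initiator = IkePeer(b"\x11" * 8, b"nonce-initiator", init_priv)  # constructed values
    responder = IkePeer(b"\x22" * 8, b"nonce-responder", resp_priv)  # constructed values
    # Each side combines its own private exponent with the other's public value.
    gxy_i = initiator.shared_value(responder.public)
    gxy_r = responder.shared_value(initiator.public)
    keys_i = derive_skeyid(psk, initiator.nonce, responder.nonce, gxy_i,
                           initiator.cookie, responder.cookie)
    keys_r = derive_skeyid(psk, initiator.nonce, responder.nonce, gxy_r,
                           initiator.cookie, responder.cookie)
    return {"initiator": keys_i, "responder": keys_r}


if __name__ == "__main__":
    assert is_probable_prime(P)
    result = run_phase_one(b"constructed-pre-shared-key")
    print("keys agree:", result["initiator"] == result["responder"])
```

Only the public values g^x travel on the wire; the pre-shared key never does, yet both sides reach identical SKEYID_e values because the nonces, cookies and g^xy feed the same PRF chain. A different pre-shared key on one side produces different keys, which is why a Main Mode negotiation with a mismatched PSK fails at the authentication step rather than silently producing a usable SA.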