HP-UX IPSec version A.02.01 Administrator's Guide

HP-UX IPSec Overview
IPsec Protocol Suite
Chapter 1 47
Internet Key Exchange (IKE)
Before IPsec sends authenticated or encrypted IP data, both the sender
and receiver must agree on the protocols, encryption algorithms and keys
to use. HP-UX IPSec uses the Internet Key Exchange (IKE) protocol to
negotiate the encryption and authentication methods, and generate
shared encryption keys. The IKE protocol also provides primary
authentication - verifying the identity of the remote system before
negotiating the encryption algorithm and keys.
The IKE protocol is a hybrid of three other protocols: Internet Security
Association and Key Management Protocol (ISAKMP), Oakley, and
Versatile Secure Key Exchange Mechanism for Internet protocol
(SKEME).
Security Associations (SAs) and IKE Phases
A Security Association (SA) is a secure communication channel and its
operating parameters, such as the encryption algorithm, keys and
lifetime. There are two SA negotiation phases within IKE—Phase 1 and
Phase 2. The general flow of the IKE protocol is as follows:
1. IKE Phase 1 (Establish an IKE SA)
The purpose of IKE Phase 1 is to establish an IKE SA, which is a
secure, encrypted communication channel used for further IKE
communication. During Phase 1 negotiations, the IKE peers
authenticate each other's identity and generate a Diffie-Hellman
shared value (described in “Generating Shared Keys:
Diffie-Hellman” on page 49) that is used as the base for shared keys.
IKE can use one of two methods, or exchange types, to establish the
IKE SA:
Main Mode
Aggressive Mode
In Main Mode negotiations, the IKE peers select IKE parameters
(configured in IKE policies) based on the remote system’s IP address
in the IP packet header. The IKE peers exchange ID information
after they establish a secure, encrypted communication channel.
In Aggressive Mode negotiations, the IKE initiator sends ID
information in the first packet. This enables the IKE responder to
select IKE parameters, such as the encryption information, based on
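As an added illustration (not from the HP-UX guide), the following model contrasts the two Phase 1 exchange types described above: what the responder keys its IKE policy choice on (peer address in Main Mode, peer ID in Aggressive Mode) and which identities are sent before the encrypted channel exists. The Diffie-Hellman group, policy tables, identities and private values are constructed toy values.

```python
# Simplified model of IKE Phase 1 Main Mode vs Aggressive Mode policy selection
# and ID exposure. Added example, not HP-UX IPSec code; all values constructed.
import hashlib

P, G = 2**127 - 1, 3   # toy DH group; real IKE uses the RFC 2409 MODP groups

# Constructed IKE policy tables. Main Mode can only key on the peer's address
# because IDs arrive after the channel is encrypted; Aggressive Mode can key on
# the identity carried in the initiator's first packet.
POLICY_BY_ADDR = {"192.0.2.10": "aes-sha1-group2"}
POLICY_BY_ID = {"roadwarrior@example.com": "3des-md5-group2"}


def dh_shared(priv_i, priv_r):
    """Both peers compute the same shared value from the exchanged KE payloads."""
    pub_i, pub_r = pow(G, priv_i, P), pow(G, priv_r, P)
    shared_i, shared_r = pow(pub_r, priv_i, P), pow(pub_i, priv_r, P)
    assert shared_i == shared_r
    return shared_i


def derive_skeyid(shared, nonce_i, nonce_r):
    """IKE SA keying material rooted in the DH shared value (illustrative KDF)."""
    return hashlib.sha1(f"{shared}:{nonce_i}:{nonce_r}".encode()).hexdigest()


def phase1(mode, init_addr, init_id, resp_id="gw.example.com"):
    """Return the selected policy, IDs sent in cleartext, and the IKE SA key."""
    clear_ids = []
    if mode == "main":
        # msgs 1-2: SA proposal/choice; responder selects by initiator address
        policy = POLICY_BY_ADDR.get(init_addr)
        # msgs 3-4: KE and nonces; the shared value now exists on both sides
        shared = dh_shared(0x1234, 0xABCD)
        # msgs 5-6: ID_i/ID_r and hashes travel only inside the encrypted channel
    elif mode == "aggressive":
        # msg 1: SA, KE, nonce and ID_i together, so the responder keys on ID
        policy = POLICY_BY_ID.get(init_id)
        clear_ids.append(init_id)
        shared = dh_shared(0x1234, 0xABCD)
        # msg 2: responder's SA, KE, nonce, ID_r and hash, still in cleartext
        clear_ids.append(resp_id)
    else:
        raise ValueError(f"unknown exchange type {mode}")
    if policy is None:
        raise LookupError(f"no IKE policy for {mode} peer {init_addr}/{init_id}")
    return {"policy": policy, "cleartext_ids": clear_ids,
            "skeyid": derive_skeyid(shared, "nonce-i", "nonce-r")}
```

The model shows the trade-off behind the two modes: Aggressive Mode lets a responder pick a policy for a peer whose address is not known in advance, at the cost of exposing both identities before any encryption is in place.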