Хвостат Хвостатыч (hvostat_hvostat) wrote,

Phase 1 negotiation modes in IKE and IKEv2

For IKE (IKEv1):
Main mode: 6 messages

Message 1: Initiator proposes one or more Phase 1 protection suites (encryption algorithm, hash algorithm, authentication method and DH group) to be used to establish the VPN.

Message 2: Responder picks one of the offered proposals and returns it to the initiator; any proposal it does not accept is dropped.

Message 3: Initiator starts the Diffie-Hellman key exchange by sending its DH public value (KE payload) together with a nonce (Ni).

Message 4: Responder replies with its own DH public value and nonce (Nr). Both sides can now compute the shared DH secret and derive SKEYID and the Phase 1 encryption key, so everything from here on is sent encrypted.

Message 5: Initiator sends its IKE identity (ID_i) plus its authenticator (HASH_I with a pre-shared key, or a signature when certificates are used) to authenticate itself. Because this message is encrypted, the identity and the authenticator are hidden from a passive eavesdropper.

Message 6: Responder sends the initiator its IKE identity and authenticator (HASH_R or signature) the same way. Message 6 completes Phase 1 of the IKE negotiation.

Aggressive mode: 3 messages

Message 1: Initiator sends its proposal, its DH public value and nonce, and its IKE identity all in one unencrypted message.

Message 2: Responder accepts the proposal and replies with its own DH public value, nonce, IKE identity and authenticator (HASH_R or signature). Nothing in messages 1 and 2 is encrypted: both identities and the responder's authenticator travel in the clear. The responder cannot yet verify the initiator, because it has not received the initiator's authenticator.

Message 3: Initiator verifies the responder's authenticator and sends its own (HASH_I or signature), which authenticates the initiator and completes Phase 1. Both parties now have the secure channel used to negotiate the IPsec SA in Phase 2 (Quick mode, 3 more messages).

Caveat for pre-shared keys: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b) with SKEYID = prf(PSK, Ni | Nr), and in aggressive mode every input to it except the PSK (nonces, DH public values, cookies, the SA payload, the responder's identity) is in messages 1 and 2 in cleartext. A single captured aggressive-mode exchange therefore allows an offline dictionary attack on the PSK. Main mode does not expose this, because the hashes are only sent after the DH-derived encryption is in place. With PSK authentication prefer Main mode, or better IKEv2, and use a long random PSK.

For IKEv2:

There is no notion of a "mode".

In IKEv2 the Phase 1 term is replaced by IKE_SA_INIT (a two-message exchange that negotiates the cryptographic algorithms, exchanges nonces and performs the Diffie-Hellman exchange, from which the IKE SA keys are derived), and Phase 2 by IKE_AUTH (also two messages, which authenticate the peers and at the same time create the first Child SA, i.e. the keys and traffic selectors for ESP). Additional Child SAs and rekeys use the separate CREATE_CHILD_SA exchange. A working tunnel thus needs a minimum of 4 messages, versus 9 (Main mode plus Quick mode) in IKEv1.
All payloads in IKE_AUTH are always encrypted and integrity-protected with the SK_e/SK_a keys derived in IKE_SA_INIT, so the identities and AUTH payloads are never exposed, unlike in IKEv1 aggressive mode.
The ISAKMP SA is called the IKE SA in IKEv2.
The IPsec SA is called the Child SA.
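The two IKEv1 Phase 1 modes above and the IKEv2 IKE_SA_INIT/IKE_AUTH pair, modelled in Python as an added example (this is not code from the original post or from any IKE implementation). It uses the PSK formulas from RFC 2409 sec. 5.4 and the key derivation from RFC 7296 sec. 2.13-2.15, and goes a little beyond the text: it records which payloads a passive sniffer can read in each exchange and runs the offline dictionary attack that aggressive mode makes possible. Assumptions: payloads are plain dicts, "encrypted" is only a flag on each message (no real cipher), the SA payload is a constant stand-in, the IKEv2 signed octets are abbreviated, and the Peer class, function names and sample identities are invented for the demo.

```python
"""Toy model of IKEv1 Main/Aggressive mode Phase 1 (PSK auth, RFC 2409 sec. 5.4) and the
IKEv2 IKE_SA_INIT / IKE_AUTH exchanges (RFC 7296 sec. 2.14).  Assumptions: payloads are
dicts, "encrypted" is a flag per message, SA payload is a stand-in, signed octets abbreviated."""
import hashlib
import hmac
import secrets

# RFC 2409 Oakley group 2 (1024-bit MODP): fine for a demo, too weak for production use.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
SA_I = b"ENCR=AES-128,HASH=SHA1,AUTH=PSK,DH=2"   # constructed stand-in for the SAi_b bytes

def prf(key, data):
    """IKE prf = HMAC with the negotiated hash (HMAC-SHA1 in this demo)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def i2b(n):
    return n.to_bytes(128, "big")

class Peer:
    def __init__(self, ident, psk):
        self.ident, self.psk = ident, psk
        self.x = secrets.randbelow(P - 2) + 1   # DH private exponent
        self.gx = pow(G, self.x, P)              # DH public value (KE payload)
        self.nonce = secrets.token_bytes(16)     # Ni / Nr
        self.cookie = secrets.token_bytes(8)     # CKY-I / CKY-R (SPI in IKEv2)

def ikev1_hash(psk, f, side):
    """HASH_I / HASH_R (RFC 2409 sec. 5.4): prf(SKEYID, g^x_self|g^x_peer|CKY_self|CKY_peer|
    SAi_b|ID_self) with SKEYID = prf(psk, Ni|Nr); every input except psk comes from payloads f."""
    s, p = ("i", "r") if side == "I" else ("r", "i")
    skeyid = prf(psk, f["Ni"] + f["Nr"])
    return prf(skeyid, i2b(f["KE" + s]) + i2b(f["KE" + p]) + f["CKY" + s] + f["CKY" + p]
               + f["SA"] + f["ID" + s])

def ikev1_phase1(mode, i, r):
    """Phase 1 transcript as [(sender, encrypted, payloads), ...] for 'main' or 'aggressive'."""
    f = {"SA": SA_I, "KEi": i.gx, "KEr": r.gx, "CKYi": i.cookie, "CKYr": r.cookie,
         "Ni": i.nonce, "Nr": r.nonce, "IDi": i.ident, "IDr": r.ident}
    hi, hr = ikev1_hash(i.psk, f, "I"), ikev1_hash(r.psk, f, "R")   # each side uses its own PSK
    def pick(*keys):
        return {k: f[k] for k in keys}
    if mode == "main":        # 6 messages; 5 and 6 are encrypted under the DH-derived key
        return [("I", False, pick("CKYi", "SA")), ("R", False, pick("CKYr", "SA")),
                ("I", False, pick("KEi", "Ni")), ("R", False, pick("KEr", "Nr")),
                ("I", True, dict(pick("IDi"), HASH_I=hi)),
                ("R", True, dict(pick("IDr"), HASH_R=hr))]
    if mode == "aggressive":  # 3 messages; identities and HASH_R go out in the clear
        return [("I", False, pick("CKYi", "SA", "KEi", "Ni", "IDi")),
                ("R", False, dict(pick("CKYr", "SA", "KEr", "Nr", "IDr"), HASH_R=hr)),
                ("I", False, {"HASH_I": hi})]
    raise ValueError(mode)

def sniffer_view(transcript):
    """Union of the payloads a passive eavesdropper can read (unencrypted messages only)."""
    seen = {}
    for _sender, encrypted, payloads in transcript:
        if not encrypted:
            seen.update(payloads)
    return seen

def crack_psk(view, wordlist):
    """Offline dictionary attack on HASH_R; only works if all its inputs were captured."""
    if not {"KEi", "KEr", "CKYi", "CKYr", "Ni", "Nr", "SA", "IDr", "HASH_R"} <= set(view):
        return None
    for guess in wordlist:
        if hmac.compare_digest(ikev1_hash(guess, view, "R"), view["HASH_R"]):
            return guess
    return None

def prf_plus(key, data, n):
    """prf+ (RFC 7296 sec. 2.13): T1 = prf(K, S|0x01), Ti = prf(K, T(i-1)|S|i), output T1|T2|..."""
    out, t, k = b"", b"", 1
    while len(out) < n:
        t = prf(key, t + data + bytes([k]))
        out, k = out + t, k + 1
    return out[:n]

def ikev2_keys(nonces, spis, g_ir):
    """SKEYSEED = prf(Ni|Nr, g^ir); SK_d..SK_pr = prf+(SKEYSEED, Ni|Nr|SPIi|SPIr) (sec. 2.14)."""
    keymat = prf_plus(prf(nonces, g_ir), nonces + spis, 7 * 20)
    names = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")
    return {name: keymat[k * 20:(k + 1) * 20] for k, name in enumerate(names)}

def ikev2_initial(i, r):
    """IKE_SA_INIT (cleartext) then IKE_AUTH (under SK_e); returns (transcript, keys)."""
    nonces, spis = i.nonce + r.nonce, i.cookie + r.cookie
    keys = ikev2_keys(nonces, spis, i2b(pow(r.gx, i.x, P)))   # R computes the same g^ir
    pad = b"Key Pad for IKEv2"   # shared-key AUTH (sec. 2.15), signed octets abbreviated
    auth_i = prf(prf(i.psk, pad), r.nonce + prf(keys["SK_pi"], i.ident))
    auth_r = prf(prf(r.psk, pad), i.nonce + prf(keys["SK_pr"], r.ident))
    child = {"SA2": b"ESP", "TSi": b"10.0.0.0/24", "TSr": b"10.1.0.0/24"}  # constructed
    return [("I", False, {"SPIi": i.cookie, "SA": SA_I, "KEi": i.gx, "Ni": i.nonce}),
            ("R", False, {"SPIr": r.cookie, "SA": SA_I, "KEr": r.gx, "Nr": r.nonce}),
            ("I", True, {"IDi": i.ident, "AUTH": auth_i, **child}),
            ("R", True, {"IDr": r.ident, "AUTH": auth_r, **child})], keys
```

With two peers created as `Peer(b"gw-a", b"s3cret-psk")` and `Peer(b"gw-b", b"s3cret-psk")`, `ikev1_phase1("main", i, r)` yields 6 messages and `ikev1_phase1("aggressive", i, r)` 3; `crack_psk(sniffer_view(agg), [b"hunter2", b"s3cret-psk"])` returns `b"s3cret-psk"` because HASH_R and all of its inputs were captured, while the same call on the main-mode transcript returns `None`, since HASH_R only appears in encrypted message 6. For IKEv2, `sniffer_view(ikev2_initial(i, r)[0])` contains the SPIs, SA, KE values and nonces but neither identities nor AUTH, which is the point made in the text about IKE_AUTH always being encrypted.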

Tags: diffie-hellman, ike, ipsec, juniper, marginal notes, encryption