Phase 1 negotiation modes in IKE and IKEv2

Sep 10, 2015 16:11

For IKE:
Main mode: 9 messages

Message 1. Initiator proposes the encryption and authentication algorithms to be used to establish the VPN.

Message 2. Responder must accept the proposal and reply to the initiator with its own proposal of the encryption and authentication algorithms.

Message 3. Initiator starts the Diffie-Hellman key exchange by presenting a generated public key, along with a pseudorandom number (nonce).

Message 4. Responder replies with its public key as part of the Diffie-Hellman key exchange. After this message, both parties communicate over an encrypted channel.

Message 5. Initiator sends the responder its IKE identity to authenticate itself.

Message 6. Responder sends the initiator its IKE identity. Message 6 completes Phase 1 of the IKE negotiation.

Aggressive mode: 6 messages

Message 1. Initiator proposes the encryption and authentication algorithms to be used, begins the Diffie-Hellman key exchange, and sends its IKE identity and pseudorandom number.

Message 2. Responder must accept the proposal and provides the initiator with a pseudorandom number and the responder's IKE identity. The responder has also authenticated the initiator at this stage.

Message 3. Initiator authenticates the responder and confirms the exchange. At this point both parties have established a secure channel for negotiating the IPsec VPN in Phase 2, and Phase 1 is complete.
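A model of the two Phase 1 flows, added here as an example (not code from the original post). The Diffie-Hellman group, nonces and pre-shared key are toy constructed values; the point it shows is which payloads each mode sends before the Diffie-Hellman key exists, which is why the identities in main mode are protected and the identities in aggressive mode are not.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for this example (real IKE peers use the
# MODP groups registered for IKE; the group itself is part of the SA proposal).
P, G = (1 << 127) - 1, 5

class Peer:
    """One IKEv1 gateway: its DH key pair, nonce, and the Phase 1 key once derived."""
    def __init__(self, name, psk):
        self.name, self.psk = name, psk
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.nonce = secrets.token_hex(8)
        self.key = None  # exists only after the KE/nonce exchange

    def derive(self, peer_pub, ni, nr):
        # Simplified stand-in for SKEYID: binds the DH secret, both nonces and the PSK.
        shared = pow(peer_pub, self.priv, P)
        self.key = hashlib.sha256(f"{self.psk}|{ni}|{nr}|{shared}".encode()).hexdigest()

# Each message is (number, sender, payloads, protected by the Phase 1 key).
def main_mode(i, r):
    """Six messages: identities (5, 6) go out only after the DH key exists."""
    msgs = [(1, i.name, ["SA"], False), (2, r.name, ["SA"], False),
            (3, i.name, ["KE", "Ni"], False), (4, r.name, ["KE", "Nr"], False)]
    i.derive(r.pub, i.nonce, r.nonce)
    r.derive(i.pub, i.nonce, r.nonce)
    msgs += [(5, i.name, ["IDii", "HASH_I"], True), (6, r.name, ["IDir", "HASH_R"], True)]
    return msgs

def aggressive_mode(i, r):
    """Three messages: SA, KE, nonce and identity share message 1, before any key exists."""
    msgs = [(1, i.name, ["SA", "KE", "Ni", "IDii"], False)]
    r.derive(i.pub, i.nonce, r.nonce)
    msgs.append((2, r.name, ["SA", "KE", "Nr", "IDir", "HASH_R"], False))
    i.derive(r.pub, i.nonce, r.nonce)
    # RFC 2409 draws this message as HDR, HASH_I (no HDR*), so it is modelled as cleartext.
    msgs.append((3, i.name, ["HASH_I"], False))
    return msgs

def cleartext_payloads(msgs):
    """Payloads that an on-path observer sees unencrypted during Phase 1."""
    return {p for _, _, payloads, enc in msgs if not enc for p in payloads}

def run(mode):
    i, r = Peer("initiator", "psk-example"), Peer("responder", "psk-example")
    msgs = mode(i, r)
    assert i.key == r.key  # both ends must arrive at the same Phase 1 key
    return len(msgs), cleartext_payloads(msgs)
```

`run(main_mode)` returns 6 messages with only SA, KE, Ni and Nr in the clear; `run(aggressive_mode)` returns 3 messages with both identities among the cleartext payloads.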

For IKEv2:

There is no notion of a "mode".

In IKEv2 the term Phase 1 is replaced by IKE_SA_INIT (a two-message exchange that negotiates the encryption/hashing algorithms and generates the DH keys), and Phase 2 by IKE_AUTH (also two messages, which perform the actual peer authentication and generate the keys for ESP).
The IKE_AUTH exchange is always encrypted using the SA established by IKE_SA_INIT.
The ISAKMP SA is called the IKEv2 SA.
The IPsec SA is called the Child SA.


ipsec, marginal notes, ike, diffie-hellman, juniper, encryption
