Phase 1 Exchange (IPsec and IKE Administration Guide) (2024)

Phase 1 Exchange

The Phase 1 exchange is known as Main Mode. In the Phase 1 exchange, IKE uses public key encryption methods to authenticate itself with peer IKE entities. The result is an ISAKMP (Internet Security Association and Key Management Protocol) security association (SA). An ISAKMP SA is a secure channel for IKE to negotiate keying material for the IP datagrams. Unlike IPsec SAs, the ISAKMP SAs are bidirectional, so only one security association is needed.

How IKE negotiates keying material in the Phase 1 exchange is configurable. IKE reads the configuration information from the /etc/inet/ike/config file. Configuration information includes the following:

The two authentication methods are preshared keys and public key certificates. The public key certificates can be self-signed, or the certificates can be issued by a certificate authority (CA) from a PKI (public key infrastructure) organization. Organizations include Baltimore Technologies, Entrust, GeoTrust, RSA Security, Sun Open Net Environment (Sun ONE) Certificate Server, and Verisign.
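As an added illustration, not taken from the guide, the following is a constructed /etc/inet/ike/config fragment showing the two Phase 1 authentication methods named above: one rule that authenticates with a preshared key and one that authenticates with certificates (rsa_sig). Addresses, labels and certificate DNs are placeholders, and the transform values assume a release that supports oakley_group 14 and sha256.

```conf
## Constructed example of /etc/inet/ike/config (not from the guide);
## addresses, rule labels and certificate DNs are placeholders.

## Global Phase 1 defaults; each rule block below may override them.
p1_lifetime_secs 14400
p1_xform { auth_method preshared oakley_group 14 auth_alg sha256 encr_alg aes }
p2_pfs 14

## Rule 1: preshared-key authentication. The secret itself is NOT in
## this file; it is stored separately in /etc/inet/secret/ike.preshared,
## selected by the local/remote address pair, so this file can be readable
## without exposing the key.
{
  label "site-a to site-b (preshared)"
  local_addr  192.0.2.10
  remote_addr 198.51.100.20
  p1_xform { auth_method preshared oakley_group 14 auth_alg sha256 encr_alg aes }
  p2_pfs 14
}

## Rule 2: certificate authentication (RSA signatures). Peers are matched
## by the DN in their certificates, and a certificate is accepted only if
## it chains to the trusted root named here.
cert_root  "C=US, O=Example CA, CN=Example Root CA"
cert_trust "C=US, O=Example CA, CN=Example Root CA"
{
  label "site-a to site-c (certificates)"
  local_id_type dn
  local_id  "C=US, O=Example, CN=site-a"
  remote_id "C=US, O=Example, CN=site-c"
  local_addr  192.0.2.10
  remote_addr 203.0.113.30
  p1_xform { auth_method rsa_sig oakley_group 14 auth_alg sha256 encr_alg aes }
  p2_pfs 14
}
```

The per-rule p1_xform is what decides which of the two authentication methods a given peer pair uses; the global p1_xform only supplies defaults for rules that omit it.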


FAQs

What are the authentication methods for IKE Phase 1?

During IKE Phase I: The peers authenticate, either by certificates or via a pre-shared secret. (More authentication methods are available when one of the peers is a remote access client.) A Diffie-Hellman key is created.

What happens in IKE phase 1?

IKE Phases

Phase 1: The two ISAKMP peers establish a secure and authenticated tunnel, which protects ISAKMP negotiation messages. This tunnel is known as the ISAKMP SA. There are two modes defined by ISAKMP: Main Mode (MM) and Aggressive Mode.

What is the IKE protocol for IPsec?

Internet Key Exchange (IKE) protocol: IPsec supports automated generation and negotiation of keys and security associations using the IKE protocol. Using IKE to negotiate VPNs between two endpoints provides more security than the manual key exchange.

What is the difference between IKE phase 1 and 2?

The IKE phase 1 tunnel is only used for management traffic. We use this tunnel as a secure method to establish the second tunnel called the IKE phase 2 tunnel or IPsec tunnel and for management traffic like keepalives. IKE builds the tunnels for us but it doesn't authenticate or encrypt user data.

What is the difference between IKE and IPSec?

The IKE protocol uses User Datagram Protocol (UDP) packets to create an SA, generally needing four to six packets with two to three messages. An IPsec stack intercepts relevant IP packets, encrypting and decrypting them as needed.

Which option can be used to authenticate the IPSec peers during IKE Phase 1?

IKE Phase supports the use of pre-shared keys or digital certificates (which use public key infrastructure, PKI) for mutual authentication of the VPN peers. Pre-shared keys are a simple solution for securing smaller networks because they don't require the support of a PKI infrastructure.

Which is better, IPSec or OpenVPN?

If you're looking for popular VPN protocols that are easy to configure and work well with NAT, OpenVPN may be the better choice. If you're looking for a highly scalable protocol that can establish point-to-point and site-to-site connections, IPsec may be the better choice.

What ports does IPSec use?

IPsec usually uses port 500.

What is the IPSec handshake?

IPSec handshake

The IPSec tunnel employs a two-phase handshake. The handshake interval is determined by the tunnel's lifetime values. Phase I (Also known as IKE or Gateway): This Security Association is in charge of the external IP communication between the Harmony SASE network and the remote IP using port 500/4500.

What are the 3 main protocols that IPSec uses?

Some IPSec protocols are given below.
  • Authentication header (AH)
  • Encapsulating security payload (ESP)
  • Internet key exchange (IKE)

What are the two main IPSec protocols?

IPsec originally defined two protocols for securing IP packets: Authentication Header (AH) and Encapsulating Security Payload (ESP). The former provides data integrity and anti-replay services, and the latter encrypts and authenticates data.

Which VPN protocol is best for IPSec?

IKEv2/IPSec is lightweight and adequately secure. It's also agile, since it's one of the few protocols that can re-establish a VPN connection when you switch networks (e.g. from mobile data to Wi-Fi).

Why is the IKE Phase 1 main mode recommended?

The main mode protects the identity of the peers and is more secure because more packets are exchanged when setting up the tunnel. Main mode is the recommended mode for IKE negotiation if both peers support it.

Is IPSec phase 1 or 2?

The establishment of an IPsec connection takes place in two phases, called IKE phases: In IKE Phase 1, the two endpoints authenticate one another and negotiate keying material. This results in an encrypted tunnel used by Phase 2 for negotiating the ESP security associations.

What is the purpose of Phase 1 and Phase 2 of an IPSec IKEv2 VPN?

Phase 1 Security Associations are used to protect IKE messages that are exchanged between two IKE peers, or security endpoints. Phase 2 Security Associations are used to protect IP traffic, as specified by the security policy for a specific type of traffic, between two data endpoints.

What is Type 1 authentication method?

Type 1 – Something You Know – includes passwords, PINs, combinations, code words, or secret handshakes. Anything that you can remember and then type, say, do, perform, or otherwise recall when needed falls into this category.

What is IKE authentication?

Internet Key Exchange (IKE) is the protocol used to set up a secure, authenticated communications channel between two parties.

What are the three (3) common identification and authentication methods?

Authentication factors are divided into three categories:
  • something you know: a password or a personal identification number (PIN);
  • something you have: a token, such as a bank card;
  • something you are: biometrics, such as fingerprints and voice recognition.

What are the methods of IPSec authentication?

IPSec VPN supports two main modes of authentication: pre-shared key (PSK) and public key infrastructure (PKI). PSK is a simple and common method that uses a secret password or passphrase that both devices share and use to generate encryption keys.

Article information

Author: Barbera Armstrong