Phase 1 ( ISAKMP Phase )
It has 2 Modes
Main Mode :
It has 6 messages :
- 1. ISAKMP policy (encr/hash/dh), Vendor ID =======>
- 2. <======= ISAKMP policy, Vendor ID (If the route is not there it wont go through)
- If policy matched,
- 3. Nounce (Hash of its PSK), Key exchange =======>
- 4. <======= Nounce (Hash of its PSK), Key exchange
- Shared Secret Key has been generated
- 5. ( PSK ) SSK =======>
- 6. <======= ( PSK ) SSK ( Phase 1 Tunnel up)
Aggressive Mode :
It has 3 messages
- Message 1 (A to B): ISAKMP Policy, Vendor Id, NAT-T, NONCE, Public Key
- Message 2 (B to A): The Same as above except NONCE
- Message 3 (A to B): PSK/PKI (Encrypted)
Note : Generally aggressive mode is required if the IP address of the initiator is unknown and pre-shard key is selected for authentication. Anyconnect VPN uses AM.
Phase 2 ( IKE Phase )
It has only one mode, Quick Mode
Quick Mode can operate in Tunnel and Transport Mode
It has 3 messages
- Message 1 (A to B): Transport Set, Proxy ID
- Message 2 (B to A): The same as above
- Message 3 (A to B): Hash (QM_IDLE state)
IKE Phase I key Negotiation Diagram :
IKE Phase II key Negotiation Diagram :
Leave A Comment?