Main Mode

encryption, and is more vulnerable to Denial of Service attacks.

Phase II, known as Quick Mode, establishes symmetrical IPSec Security Associations for both AH and ESP. It does this by negotiating IPSec parameters, exchanging nonces to derive session keys from the IKE shared secret, exchanging DH values to generate a new key, and identifying which traffic this SA bundle will protect using selectors (IDi and IDr payloads).

The following is an illustration of how data is handled with IKE:

[Figure: IKE flow. Start. Phase 1: negotiate the ISAKMP SA using Main Mode or Aggressive Mode, with mutual authentication. New IPSec tunnel or rekeying. Phase 2: negotiate SAs for AH and ESP using Quick Mode with PFS or Quick Mode without PFS. Protected data transfer.]
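
The two Quick Mode variants differ in what feeds the session-key derivation. The following is an added example, not taken from the manual: it follows the KEYMAT formula from RFC 2409, and the choice of HMAC-SHA1 as the prf, the toy DH group, and every key, SPI and nonce value are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration (NOT a real IKE group).
TOY_P = 2**127 - 1
TOY_G = 3
PROTO_ESP = 3  # IPsec DOI protocol ID for ESP


def prf(key: bytes, data: bytes) -> bytes:
    """Assumed prf: HMAC-SHA1, i.e. SHA-1 was the hash negotiated in Phase 1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def quick_mode_keymat(skeyid_d, protocol, spi, ni, nr, length, dh_shared=b""):
    """KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b).

    Expanded as K1 | K2 | ... with Kn = prf(SKEYID_d, Kn-1 | seed) until
    `length` bytes exist. `dh_shared` is empty when PFS is not used.
    """
    seed = dh_shared + bytes([protocol]) + spi + ni + nr
    out, block = b"", b""
    while len(out) < length:
        block = prf(skeyid_d, block + seed)
        out += block
    return out[:length]


def dh_keypair():
    priv = secrets.randbelow(TOY_P - 3) + 2
    return priv, pow(TOY_G, priv, TOY_P)


def dh_secret(priv, peer_pub):
    return pow(peer_pub, priv, TOY_P).to_bytes(16, "big")


def demo():
    skeyid_d = bytes.fromhex("00112233445566778899aabbccddeeff00112233")  # constructed
    spi = bytes.fromhex("c0ffee01")                                       # constructed
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)             # nonces
    need = 36  # e.g. 16-byte cipher key + 20-byte HMAC key (assumed sizes)
    # Without PFS: SKEYID_d plus the exchanged nonces fully determine the keys.
    no_pfs = quick_mode_keymat(skeyid_d, PROTO_ESP, spi, ni, nr, need)
    # With PFS: a fresh DH exchange adds a secret independent of Phase 1.
    xi, pub_i = dh_keypair()
    xr, pub_r = dh_keypair()
    init = quick_mode_keymat(skeyid_d, PROTO_ESP, spi, ni, nr, need, dh_secret(xi, pub_r))
    resp = quick_mode_keymat(skeyid_d, PROTO_ESP, spi, ni, nr, need, dh_secret(xr, pub_i))
    return {"no_pfs": no_pfs, "initiator": init, "responder": resp}
```

Without PFS, every Phase 2 key is a function of the Phase 1 secret and values carried in the exchange, so a later compromise of that secret exposes all IPSec SAs derived under it; with PFS each rekey also depends on an ephemeral DH secret that is discarded afterwards.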

Billion Electric Company 30 user manual Main Mode, Aggressive Mode, Quick Mode With PFS, Quick Mode Without PFS