SECURE ENTRY CLIENT - Examples and explanations

IKE Modes

Essentially two types of IKE policies can be configured. They differ in the type of authentication, which can be either a Pre-shared Key or an RSA signature. Each of the two types of Internet Key Exchange can be executed in one of two modes: Main Mode (also referred to as Identity Protection Mode) or Aggressive Mode. The modes differ in the number of messages exchanged and in what is encrypted.

In Main Mode (the standard setting) six messages are sent over the Control Channel, and the last two messages are encrypted. These last two messages contain the user ID, the signature, the certificate and, if required, a hash value, which is why this mode is also known as Identity Protection Mode. In Aggressive Mode only three messages are sent over the Control Channel and nothing is encrypted.

You set the IKE mode (Exchange Mode), Main Mode or Aggressive Mode, in the “Security” parameter fields under “Link Profiles” (for a dynamic SPD) and under “IPSec, Secure Policy Database” (for a static SPD). (See also → Exchange Mode.)

IKE Main Mode (Identity Protection Mode) with Preshared Keys

Initiator -> Destination    Message #1: Header, Security Association
Destination -> Initiator    Message #2: Header, Security Association
Initiator -> Destination    Message #3: Header, Key Exchange, Nonce
Destination -> Initiator    Message #4: Header, Key Exchange, Nonce
Initiator -> Destination    Message #5: Header, ID, Hash (encrypted)
Destination -> Initiator    Message #6: Header, ID, Hash (encrypted)

If the pre-shared key method is used in Main Mode, the client must be clearly identifiable to the VPN gateway by its IP address. This is because the pre-shared key is introduced into the symmetric key calculation, and encryption begins before any other information that could identify the client is transferred. However, a client dialing in to a provider is not identifiable by an IP address, because it receives a new one with each dial-in. This means that in Main Mode only one and the same pre-shared key can be given out to all such clients, which weakens the authentication.

188 © NCP engineering GmbH
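The following simulation of the six Main Mode messages is an added example, not code from the NCP manual or the Secure Entry Client. It shows why the responder has to select the pre-shared key from the initiator's source address: the ID arrives only in message 5, already encrypted under keys derived from that PSK (RFC 2409 derivation: SKEYID = prf(PSK, Ni | Nr)), so a client with an unknown address can only be matched against a group key. The Diffie-Hellman group, the XOR stream "cipher", the payload encodings, the IP addresses and the keys are all constructed stand-ins, not the real wire format or real configuration values.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption: a 61-bit Mersenne prime, far too small
# for real use; IKE negotiates one of the MODP groups of RFC 2409).
P = (1 << 61) - 1
G = 3


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated pseudo-random function, fixed here to HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def toy_cipher(skeyid_e: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for the negotiated cipher: XOR with an HMAC keystream (symmetric)."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += prf(skeyid_e, iv + block.to_bytes(4, "big"))
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def derive_keys(psk: bytes, ni: bytes, nr: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    """RFC 2409 key derivation for pre-shared-key authentication.

    SKEYID depends on the PSK and both nonces, so every key used from
    message 5 onward is already bound to the PSK the responder picked.
    """
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid, skeyid_e


def main_mode(src_ip: str, id_i: bytes, psk_i: bytes, psk_table: dict) -> dict:
    """Run the six Main Mode messages between an initiator and a responder.

    psk_table maps the responder's expected peer IP addresses to their
    pre-shared keys; the key "*" is an optional group key for unknown IPs.
    Returns which key the responder chose and whether HASH_I verified.
    """
    sa_i = b"SA:3DES-MD5-MODP1024"          # constructed proposal payload
    # Messages 1 and 2: header (cookie) + Security Association, in clear.
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    # Messages 3 and 4: Key Exchange + Nonce, in clear.
    x_i, x_r = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    gxi = pow(G, x_i, P).to_bytes(8, "big")
    gxr = pow(G, x_r, P).to_bytes(8, "big")
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    gxy = pow(G, x_i * x_r, P).to_bytes(8, "big")   # shared secret, both sides

    # Message 5: initiator sends ID and HASH_I, encrypted under its own PSK.
    skeyid_i, skeyid_e_i = derive_keys(psk_i, ni, nr, gxy, cky_i, cky_r)
    hash_i = prf(skeyid_i, gxi + gxr + cky_i + cky_r + sa_i + id_i)
    msg5 = toy_cipher(skeyid_e_i, b"msg5", id_i + hash_i)

    # The responder must pick a PSK *before* it can read the ID inside
    # message 5, so the only selector it has is the packet's source address.
    if src_ip in psk_table:
        key_source, psk_r = "per-peer (by IP)", psk_table[src_ip]
    elif "*" in psk_table:
        key_source, psk_r = "group key (wildcard)", psk_table["*"]
    else:
        return {"key_source": None, "authenticated": False, "peer_id": None}

    skeyid_r, skeyid_e_r = derive_keys(psk_r, ni, nr, gxy, cky_i, cky_r)
    plain = toy_cipher(skeyid_e_r, b"msg5", msg5)
    peer_id, received_hash = plain[:-32], plain[-32:]
    expected = prf(skeyid_r, gxi + gxr + cky_i + cky_r + sa_i + peer_id)
    ok = hmac.compare_digest(received_hash, expected)
    # Message 6 (ID_r + HASH_R back to the initiator) is only sent on success.
    return {"key_source": key_source, "authenticated": ok,
            "peer_id": peer_id if ok else None}


if __name__ == "__main__":
    # Constructed responder configuration: one static-IP peer plus a group key.
    table = {"203.0.113.10": b"office-key", "*": b"group-key"}
    print(main_mode("203.0.113.10", b"alice@example.test", b"office-key", table))
    # A dial-in client arrives from an address the gateway has never seen,
    # so only the group key can be tried; its personal key cannot be selected.
    print(main_mode("198.51.100.77", b"bob@example.test", b"group-key", table))
    print(main_mode("198.51.100.77", b"bob@example.test", b"bob-key", table))
```

The run with the unknown source address and the personal key fails even though the client holds a valid key: the gateway decrypted message 5 with the wrong SKEYID_e, recovered a garbled ID, and HASH_I did not verify. That is the trade-off the text describes: a per-peer PSK requires a fixed address, and dynamic-address clients in Main Mode are left with a single shared key.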