Internet Key Exchange
IKE Version 1

Phase 1
  • Main Mode  (site-to-site)
  1. Propose: encryption and authentication algorithms
  2. Initiator and responder: Diffie-Hellman key exchange (send public key + random number), with the peer authenticated by either:
        • Pre-shared key
        • Private keys (exchanged using PKI)
  3. Use the encrypted communication channel
  4. Send the IKE identification to authenticate itself

  • Aggressive Mode
  1. Initiator proposes: encryption and authentication algorithms + IKE identity to authenticate itself
  2. Responder proposes
  3. Secure channel for negotiating the IPsec VPN Phase 2
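Added example, not part of the original notes: a simplified, stand-alone Python re-creation of the Phase 1 idea above, where each side sends a Diffie-Hellman public value plus a random nonce and the pre-shared key is folded into the key material so that only a peer holding the same PSK can produce the expected authentication hash. The SKEYID formula prf(PSK, Ni | Nr) follows RFC 2409; the DH group, the HMAC-SHA256 prf, and the reduced set of fields in the authentication hash are simplifying assumptions and do not match a real IKE implementation byte for byte.

```python
# Added example (not from the original page): toy IKEv1 Phase 1 with
# pre-shared-key authentication, showing where the DH values, the nonces
# and the PSK enter the derived keys and the authentication hash.
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption: NOT an IKE group; real IKE uses the
# MODP groups of RFC 2409 / RFC 3526 or elliptic-curve groups).
P = (1 << 127) - 1          # Mersenne prime 2^127 - 1, fits in 16 bytes
G = 3


def dh_keypair(private=None):
    """Return (private exponent x, public value g^x mod p)."""
    x = private if private is not None else secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(private, peer_public):
    """Shared secret g^(xy) mod p as 16 big-endian bytes."""
    return pow(peer_public, private, P).to_bytes(16, "big")


def prf(key, data):
    """Pseudo-random function; assumption: HMAC-SHA256 (real IKEv1 uses the
    hash algorithm negotiated in step 1)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def skeyid_psk(psk, ni, nr):
    """RFC 2409 SKEYID for pre-shared-key authentication: prf(PSK, Ni | Nr)."""
    return prf(psk, ni + nr)


def skeyid_d(skeyid, shared):
    """Simplified SKEYID_d: the place where the DH secret enters the keys
    (real IKEv1 also mixes in both cookies)."""
    return prf(skeyid, shared + b"\x00")


def auth_hash(skeyid, pub_self, pub_peer, identity):
    """Simplified HASH_I / HASH_R: binds both DH public values and the sender's
    IKE identity to the PSK-derived SKEYID (real IKE adds cookies, the SA
    payload and more)."""
    data = pub_self.to_bytes(16, "big") + pub_peer.to_bytes(16, "big") + identity
    return prf(skeyid, data)


def phase1_psk(psk_initiator, psk_responder, xi=None, xr=None, ni=None, nr=None):
    """Run the exchange; return (both sides authenticated, derived keys match).
    Two separate PSK arguments let us show what happens on a mismatch."""
    ni = ni or secrets.token_bytes(16)      # initiator's random number (nonce)
    nr = nr or secrets.token_bytes(16)      # responder's random number (nonce)
    xi, gi = dh_keypair(xi)                 # initiator sends gi
    xr, gr = dh_keypair(xr)                 # responder sends gr

    # Step 2: both sides compute the same DH secret from the exchanged values
    assert dh_shared(xi, gr) == dh_shared(xr, gi)

    # Each side derives SKEYID from *its own* PSK and the two nonces
    skeyid_i = skeyid_psk(psk_initiator, ni, nr)
    skeyid_r = skeyid_psk(psk_responder, ni, nr)
    keys_match = hmac.compare_digest(skeyid_d(skeyid_i, dh_shared(xi, gr)),
                                     skeyid_d(skeyid_r, dh_shared(xr, gi)))

    # Step 4: identities are proven with hashes the peer recomputes locally
    id_i, id_r = b"initiator@example.test", b"responder@example.test"
    hash_i = auth_hash(skeyid_i, gi, gr, id_i)
    responder_accepts = hmac.compare_digest(hash_i, auth_hash(skeyid_r, gi, gr, id_i))
    hash_r = auth_hash(skeyid_r, gr, gi, id_r)
    initiator_accepts = hmac.compare_digest(hash_r, auth_hash(skeyid_i, gr, gi, id_r))
    return responder_accepts and initiator_accepts, keys_match


if __name__ == "__main__":
    print("same PSK   :", phase1_psk(b"correct-horse", b"correct-horse"))
    print("wrong PSK  :", phase1_psk(b"correct-horse", b"wrong-psk"))
```

The second run shows the failure mode a practitioner cares about: with mismatched pre-shared keys the DH secret still agrees, but SKEYID differs on each side, so both the derived keys and the authentication hashes differ and neither peer accepts the other.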
Phase 2
IKE Version 2
  • IKE_SA_INIT
  • IKE_AUTH
  • CREATE_CHILD_SA
  • INFORMATIONAL
Tunnel Mode (most used)
  • Encapsulation of the whole layer 3 / original packet
  • With ESP (+AH) or just AH

Transport Mode
  • Encapsulation of layer 4 of the original packet
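Added example, not part of the original notes: a small Python script that builds a constructed IPv4/TCP packet and shows the two ESP encapsulations side by side. In tunnel mode the whole original packet becomes the ESP payload behind a new outer IP header (ESP next header = 4, IPv4); in transport mode the original IP header is kept and only the layer-4 segment is wrapped (ESP next header = the original protocol, 6 for TCP). Encryption, IV and integrity check value are left out so the framing stays visible; the addresses, SPI values and the TCP segment are constructed sample data.

```python
# Added example (not from the original page): ESP tunnel vs transport framing
# on a constructed IPv4/TCP packet. Assumption: plaintext, no IV/ICV, only the
# SPI/sequence header and the pad-length/next-header trailer of RFC 4303.
import ipaddress
import struct

IPPROTO_IPIP = 4    # ESP next header for a whole IPv4 packet (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_ESP = 50


def checksum(data):
    """Standard one's-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def esp_wrap(spi, seq, inner, next_header):
    """ESP header (SPI, sequence) + payload + trailer (padding, pad length,
    next header). Padding brings the trailer to a 4-byte boundary."""
    pad_len = (-(len(inner) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + inner + trailer


def tunnel_mode(orig_packet, gw_src, gw_dst, spi=0x1000, seq=1):
    """Whole original packet inside ESP, new outer header between gateways."""
    inner = esp_wrap(spi, seq, orig_packet, IPPROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(inner)) + inner


def transport_mode(orig_packet, spi=0x2000, seq=1):
    """Original IP header kept (protocol field now ESP), layer 4 inside ESP."""
    ihl = (orig_packet[0] & 0x0F) * 4
    ip_hdr, l4 = orig_packet[:ihl], orig_packet[ihl:]
    inner = esp_wrap(spi, seq, l4, ip_hdr[9])           # next header = original proto
    src = str(ipaddress.IPv4Address(ip_hdr[12:16]))
    dst = str(ipaddress.IPv4Address(ip_hdr[16:20]))
    return ipv4_header(src, dst, IPPROTO_ESP, len(inner), ttl=ip_hdr[8]) + inner


def describe(packet):
    """Parse back what a firewall or packet capture would see."""
    return {
        "outer_src": str(ipaddress.IPv4Address(packet[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "outer_proto": packet[9],
        "esp_next_header": packet[-1],   # last byte of the ESP trailer
        "length": len(packet),
    }


# Constructed sample: TCP SYN from host 10.0.1.10 to host 10.0.2.20
tcp_segment = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)
original = ipv4_header("10.0.1.10", "10.0.2.20", IPPROTO_TCP, len(tcp_segment)) + tcp_segment

if __name__ == "__main__":
    print("tunnel   :", describe(tunnel_mode(original, "203.0.113.1", "198.51.100.1")))
    print("transport:", describe(transport_mode(original)))
```

Running it makes the practical difference concrete: in tunnel mode an observer on the path sees only the two gateway addresses and protocol 50, while in transport mode the original host addresses stay visible in the outer header and only the TCP segment is hidden.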


PKI or Public Key Infrastructure
  • Large network
  • Stronger authentication security
  • Exchange of asymmetric keys (private and public)
  • Private key used to decrypt

Digital certificate:
  • Based on X.509
  • Information:
        • Issuer / ID
        • Serial number
        • Expiration dates / validity
        • Digital signature (from the Certificate Authority)

Fingerprint
  • File (or transaction) → hashed

Encryption that uses asymmetric keys
Encryption that uses symmetric keys