Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation
Table of Contents
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Understanding Phase 1 of IKE Tunnel Negotiation

    Phase 1 of an AutoKey Internet Key Exchange (IKE) tunnel negotiation consists of the exchange of proposals for how to authenticate and secure the channel. The participants exchange proposals for acceptable security services such as:

    A successful Phase 1 negotiation concludes when both ends of the tunnel agree to accept at least one set of the Phase 1 security parameters proposed and then process them. Juniper Networks devices support up to four proposals for Phase 1 negotiations, allowing you to define how restrictive a range of security parameters for key negotiation you will accept.

    Junos OS provides the following predefined Phase 1 proposals:

    • Standard—pre-g2-aes128-sha and pre-g2-3des-sha
    • Compatible—pre-g2-3des-sha, pre-g2-3des-md5, pre-g2-des-sha, and pre-g2-des-md5
    • Basic—pre-g1-des-sha and pre-g1-des-md5

    You can also define custom Phase 1 proposals.

    Phase 1 exchanges can take place in either main mode or aggressive mode. You can choose your mode during IKE policy configuration.

    This topic includes the following sections:

    Main Mode

    In main mode, the initiator and recipient send three two-way exchanges (six messages total) to accomplish the following services:

    • First exchange (messages 1 and 2)—Proposes and accepts the encryption and authentication algorithms.
    • Second exchange (messages 3 and 4)—Executes a DH exchange, and the initiator and recipient each provide a pseudorandom number.
    • Third exchange (messages 5 and 6)—Sends and verifies the identities of the initiator and recipient.

    The information transmitted in the third exchange of messages is protected by the encryption algorithm established in the first two exchanges. Thus, the participants’ identities are encrypted and therefore not transmitted “in the clear.”

    Aggressive Mode

    In aggressive mode, the initiator and recipient accomplish the same objectives as with main mode, but in only two exchanges, with a total of three messages:

    • First message—The initiator proposes the security association (SA), initiates a DH exchange, and sends a pseudorandom number and its IKE identity.
    • Second message—The recipient accepts the SA; authenticates the initiator; and sends a pseudorandom number, its IKE identity, and, if using certificates, the recipient's certificate.
    • Third message—The initiator authenticates the recipient, confirms the exchange, and, if using certificates, sends the initiator's certificate.

    Because the participants’ identities are exchanged in the clear (in the first two messages), aggressive mode does not provide identity protection.

    Note: When a dial-up VPN user negotiates an AutoKey IKE tunnel with a preshared key, aggressive mode must be used. Therefore, you must always use aggressive mode with the dynamic VPN feature. Note also that a dial-up VPN user can use an e-mail address, a fully qualified domain name (FQDN), or an IP address as its IKE ID. A dynamic peer can use either an e-mail address or an FQDN, but not an IP address.

     

    Related Documentation

     

    Published: 2012-06-29

    Previous Page Next Page