Phase 1 of IKE Tunnel Negotiation

Phase 1 of an AutoKey IKE tunnel negotiation consists of the exchange of proposals for how to authenticate and secure the channel. The exchange can be in one of two modes: Aggressive or Main. Using either mode, the participants exchange proposals for acceptable security services such as:

• Encryption algorithms (DES and 3DES) and authentication algorithms (MD5 and SHA-1)—See Understanding IPsec Security Protocols.
• A Diffie-Hellman group—See Diffie-Hellman Exchange.
• Preshared Key or RSA/DSA certificates—see AutoKey IKE .

A successful Phase 1 negotiation concludes when both ends of the tunnel agree to accept at least one set of the Phase 1 security parameters proposed and then process them. Juniper Networks devices support up to four proposals for Phase 1 negotiations, allowing you to define how restrictive a range of security parameters for key negotiation you will accept.

The predefined Phase 1 proposals that JUNOS software provides are as follows:

• Standard—pre-g2-aes128-sha and pre-g2-3des-sha
• Compatible—pre-g2-3des-sha, pre-g2-3des-md5, pre-g2-des-sha, and pre-g2-des-md5
• Basic—pre-g1-des-sha and pre-g1-des-md5

You can also define custom Phase 1 proposals.

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.