IKE Phases, Security Associations.
Day two, continuing with my CCNA Security notes. IKE sets up an IPsec tunnel in two phases. During IKE phase one, a secure session (the ISAKMP, or IKE, SA) is created using either main mode or aggressive mode.
An IKE session begins with the initiator sending one or more proposals to the responder. Each proposal defines which encryption and hash algorithms and which authentication method are acceptable, the Diffie-Hellman group to use, how long the keys should remain active, and, for the phase two proposals, whether perfect forward secrecy should be enforced.
Main mode uses six packets: two to agree the ISAKMP policy, two to exchange Diffie-Hellman public values and nonces, and two, already encrypted with the derived keys, to exchange identities and authenticate each side. Aggressive mode squeezes the same negotiation into three packets. The initiator sends everything required for the SA in the first packet: its proposals, its Diffie-Hellman public value and nonce, and its ID. The responder answers with the accepted proposal, its own key material and ID, and authenticates the session in that same second packet. The initiator replies with its own authentication in the third. Negotiation is quicker, but the initiator and responder IDs pass in the clear, and with pre-shared-key authentication the responder's authentication hash is sent unencrypted as well, so anyone who captures the exchange can run an offline dictionary attack against the PSK. This is why aggressive mode with pre-shared keys should be avoided or disabled.
The IPsec endpoints agree on the ISAKMP policy (encryption and hash algorithms, authentication method, Diffie-Hellman group and lifetime) required to establish a secure ISAKMP session. This collection of parameters is referred to as an SA (security association). The phase one SA is bidirectional: the same key exchange and keys protect IKE traffic travelling in both directions across the tunnel.
IKE phase two happens within the protection of the phase one tunnel, using quick mode (three messages). Its result is the IPsec SA, which is what people mean by the IPsec tunnel carrying the user data. Unlike the phase one SA, IPsec SAs are unidirectional, so phase two negotiates a pair of SAs for each protected data flow, one per direction, each with its own SPI and keying material. With perfect forward secrecy enabled, each quick mode exchange also performs a fresh Diffie-Hellman exchange instead of deriving the keys from the phase one secret alone.
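To make the packet-level difference between main mode, aggressive mode and quick mode concrete, here is an added Python example that is not part of the original notes and not Cisco or vendor code. It parses the ISAKMP fixed header and the unencrypted payload chain as laid out in RFC 2408, reports the exchange type and phase, and flags when an ID payload or authentication HASH payload is visible in the clear (the aggressive mode weakness described above). The packets it parses are constructed inside the block with placeholder SPIs and payload bodies, not captured from a real device.

```python
"""Classify IKEv1/ISAKMP messages and spot identities or hashes sent in the clear.

Added example for these notes; all packets below are constructed, not captured.
Header layout, exchange types and payload types follow RFC 2408.
"""
import struct

# ISAKMP fixed header: initiator SPI, responder SPI, next payload, version,
# exchange type, flags, message ID, total length (28 bytes, network byte order)
HEADER_FMT = "!8s8sBBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)
FLAG_ENCRYPTION = 0x01  # set when the payloads after the header are encrypted

EXCHANGE_TYPES = {2: "main mode (identity protection)", 4: "aggressive mode",
                  5: "informational", 32: "quick mode"}
PAYLOAD_TYPES = {1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID",
                 8: "HASH", 10: "NONCE", 11: "N", 13: "VID"}


def build_isakmp(ispi, rspi, exchange, flags, msg_id, payloads):
    """Assemble an ISAKMP message; payloads is a list of (type, body) pairs."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        # generic payload header: next payload, reserved, length including header
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    header = struct.pack(HEADER_FMT, ispi, rspi, first, 0x10, exchange, flags,
                         msg_id, HEADER_LEN + len(body))
    return header + body


def parse_isakmp(packet):
    """Return exchange type, phase, encryption flag and the visible payload chain."""
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    _ispi, _rspi, nxt, version, exchange, flags, msg_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    if length != len(packet):
        raise ValueError("length field %d does not match %d bytes" % (length, len(packet)))
    encrypted = bool(flags & FLAG_ENCRYPTION)
    payloads, offset = [], HEADER_LEN
    # Walk the payload chain only while it is plaintext; an encrypted body is opaque
    while nxt != 0 and not encrypted:
        if offset + 4 > len(packet):
            raise ValueError("payload header runs past end of packet")
        following, _reserved, plen = struct.unpack("!BBH", packet[offset:offset + 4])
        if plen < 4 or offset + plen > len(packet):
            raise ValueError("bad payload length %d at offset %d" % (plen, offset))
        payloads.append(PAYLOAD_TYPES.get(nxt, "type %d" % nxt))
        offset, nxt = offset + plen, following
    if exchange in (2, 4):
        phase = 1
    elif exchange == 32:
        phase = 2
    else:
        phase = None  # informational and other exchanges are not a phase by themselves
    return {
        "version": "%d.%d" % (version >> 4, version & 0x0F),
        "exchange": EXCHANGE_TYPES.get(exchange, "type %d" % exchange),
        "phase": phase,
        "message_id": msg_id,  # 0 during phase one, non-zero for quick mode
        "encrypted": encrypted,
        "payloads": payloads,
        # the point from the notes: identity readable by anyone on the path
        "identity_in_clear": (not encrypted) and "ID" in payloads,
        # aggressive mode message 2 carries HASH_R unencrypted; with PSK it is offline-crackable
        "auth_hash_in_clear": (not encrypted) and "HASH" in payloads,
    }


# Constructed sample messages (placeholder SPIs and bodies, no real key material)
ISPI = bytes.fromhex("0102030405060708")
RSPI = bytes.fromhex("a1a2a3a4a5a6a7a8")
NO_RSPI = bytes(8)  # responder cookie is still zero in the very first message
ID_I = b"\x02\x00\x00\x00" + b"initiator.example"  # FQDN-style identity body
ID_R = b"\x02\x00\x00\x00" + b"gateway.example"

# Main mode message 1: only the SA proposals; IDs come later, encrypted
MAIN_MSG1 = build_isakmp(ISPI, NO_RSPI, 2, 0, 0, [(1, b"\x00" * 12)])
# Aggressive mode message 1: proposals, DH value, nonce and initiator ID, all plaintext
AGGR_MSG1 = build_isakmp(ISPI, NO_RSPI, 4, 0, 0, [
    (1, b"\x00" * 12), (4, b"\x11" * 32), (10, b"\x22" * 16), (5, ID_I)])
# Aggressive mode message 2: accepted proposal, DH value, nonce, responder ID and HASH_R
AGGR_MSG2 = build_isakmp(ISPI, RSPI, 4, 0, 0, [
    (1, b"\x00" * 12), (4, b"\x33" * 32), (10, b"\x44" * 16), (5, ID_R), (8, b"\x55" * 20)])
# Quick mode: encryption flag set and a non-zero message ID; body stands in for ciphertext
QUICK_MSG = build_isakmp(ISPI, RSPI, 32, FLAG_ENCRYPTION, 0x5EED1234, [(8, b"\x66" * 48)])

if __name__ == "__main__":
    for name, pkt in (("main mode 1", MAIN_MSG1), ("aggressive 1", AGGR_MSG1),
                      ("aggressive 2", AGGR_MSG2), ("quick mode", QUICK_MSG)):
        print(name, parse_isakmp(pkt))
```

Feed it real traffic by slicing the UDP/500 payload out of a capture; for a main mode exchange the ID payload only ever appears in messages that carry the encryption flag, whereas aggressive mode shows it, and the responder's HASH, in the plaintext chain.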