Line 603: |
Line 603: |
| </ul> | | </ul> |
| | | |
− | ====Phase settings====
| + | ===Phase settings=== |
| ---- | | ---- |
| + | IKE (Internet Key Exchange) is a protocol used to set up security associations (SAs) for the IPsec connection. This process is required before any IPsec tunnel can be established. It is done in two phases: |
| | | |
| + | <table border=1; style="border-collapse: collapse;"> |
| + | <tr> |
| + | <th width=400><span style="color: #0054A6;">Phase</span></th> |
| + | <th colspan="2"><span style="color: #0054A6;">Mode</span></th> |
| + | </tr> |
| + | <tr style="vertical-align: top;"> |
| + | <td><b>Phase 1</b> |
| + | <ul> |
| + | <li>Establishes a secure channel between peers</li> |
| + | <li>Authenticates peers</li> |
| + | <li>Negotiates SA policy</li> |
| + | <li>Shares secret keys</li> |
| + | <li>Establishes secure tunnel for phase 2</li> |
| + | </ul> |
| + | </td> |
| + | <td width=350>Main mode (figure 1) |
| + | <ul> |
| + | <li>6 packets exchanged</li> |
| + | <li>Identity protected during exchange</li> |
| + | </ul> |
| + | </td> |
| + | <td width=350>Aggressive mode (figure 2) |
| + | <ul> |
| + | <li>3 packets exchanged</li> |
| + | <li>Identity information exchanged before a secure channel is established</li> |
| + | </ul> |
| + | </td> |
| + | </tr> |
| + | <tr style="vertical-align: top;"> |
| + | <td><b>Phase 2</b> |
| + | <ul> |
| + | <li>Sets up matching IPsec SAs</li> |
| + | <li>Periodically renegotiates IPsec SAs</li> |
| + | </ul> |
| + | </td> |
| + | <td colspan="2">Quick mode |
| + | <ul> |
| + | <li>3 packets exchanged</li> |
| + | <li>IPsec SA parameters (ESP/AH, SHA/MD5) established</li> |
| + | <li>SA lifetime set</li> |
| + | </ul> |
| + | </td> |
| + | </tr> |
| + | </table> |
| + | <br> |
| + | <table> |
| + | <tr> |
| + | <td><b>Figure 1</b></td> |
| + | <td><b>Figure 2</b></td> |
| + | </tr> |
| + | <tr> |
| + | <td width=500>[[File:{{{file_ipsec_main_mode}}}]]</td> |
| + | <td width=500>[[File:{{{file_ipsec_aggressive_mode}}}]]</td> |
| + | </tr> |
| + | </table> |
| + | ---- |
| [[File:{{{file_ipsec_phase}}}]] | | [[File:{{{file_ipsec_phase}}}]] |
| | | |
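Review bot: the opening tag `<table border=1; style="border-collapse: collapse;">` has a stray semicolon after `border=1` that is not valid attribute syntax; change it to `<table border="1" style="border-collapse: collapse;">` so the border attribute is parsed consistently by the wiki's HTML sanitizer. Two smaller documentation points in the same table: the Quick mode cell says `IPsec SA parameters (ESP/AH, SHA/MD5) established`, but the field table further down offers SHA256/SHA384/SHA512 as well, so "integrity algorithm" (or the full list) would be more accurate than `SHA/MD5`; and since the Aggressive mode row already states that identity information is exchanged before a secure channel is established, the text should add one sentence recommending Main mode whenever both peers support it, so readers do not treat the two modes as interchangeable.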
− | | + | <table class="nd-mantable"> |
| + | <tr> |
| + | <th>Field name</th> |
| + | <th>Value</th> |
| + | <th>Description</th> |
| + | </tr> |
| + | <tr> |
| + | <td>Encryption algorithm</td> |
| + | <td>DES | 3DES | AES128 | AES192 | AES256; Default: <b>3DES</b></td> |
| + | <td>Algorithm used for data encryption.</td> |
| + | </tr> |
| + | <tr> |
| + | <td>Authentication/Hash algorithm</td> |
| + | <td>MD5 | SHA1 | SHA256 | SHA384 | SHA512; Default: <b>SHA1</b></td> |
| + | <td>Algorithm used for exchanging authentication and hash information.</td> |
| + | </tr> |
| + | <tr> |
| + | <td>DH group/PFS group</td> |
| + | <td>MODP768 | MODP1024 | MODP1536 | MODP2048 | MODP3072 | MODP4096; Default: <b>MODP1536</b></td> |
| + | <td></td> |
| + | </tr> |
| + | <tr> |
| + | <td>Lifetime</td> |
| + | <td>integer; Default: <b>8 hours</b></td> |
| + | <td>Defines a time period after which the phase will re-initiate its exchange of information.</td> |
| + | </tr> |
| + | </table> |
| | | |
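Review bot: the Description cell of the `DH group/PFS group` row is empty (`<td></td>`); it should state what the field does, for example "Diffie-Hellman group used to derive the shared keys; when PFS is enabled, phase 2 performs a fresh DH exchange in this group so IPsec keys are not derived from the phase 1 keys." The `Lifetime` row gives `integer; Default: <b>8 hours</b>` without saying which unit the integer is entered in (seconds, minutes or hours), which should be stated. The `Authentication/Hash algorithm` description, "Algorithm used for exchanging authentication and hash information", is vague; "Hash algorithm used for the integrity check and authentication of IKE messages" says what it actually selects. Finally, the value lists include DES, MD5, MODP768 and MODP1024, and the defaults are 3DES, SHA1 and MODP1536; the table should mark the first group as legacy options retained only for interoperability and point readers at AES, SHA256 and MODP2048 or larger for new tunnels, so the defaults are not read as a recommendation.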
| ===Pre-shared keys=== | | ===Pre-shared keys=== |