Phase 1 and phase 2, Proposals, Authentication – equinux VPN Tracker 5.4.4 User Manual
Page 43

Phase 1 and Phase 2

Generating SAs according to IKE requires two phases.

Phase 1 is defined according to the ISAKMP standard, and generates an ISAKMP-SA (or IKE-SA). Two modes are defined: the faster Aggressive Mode uses three messages, while the more secure Main Mode uses six (three two-way exchanges). Because the participants’ identities are not exchanged securely in Aggressive Mode, it does not provide identity protection.

The tunnel established in Phase 1 is used in Phase 2 (Quick Mode) to generate an IPSec-SA. Simply put: Phase 1 authenticates the peers, while Phase 2 configures the actual VPN tunnel.
It may seem odd to use an SA (a Phase 1 tunnel) to create another SA (a Phase 2 tunnel), but there are a number of good reasons for this:

‣ A single ISAKMP-SA can be used to create multiple IPSec-SAs
‣ All authentication takes place in Phase 1, so the conversation in Phase 2 can be restricted to the actual IPSec parameters
‣ The separation of phases maintains the independence of IKE and IPSec – IKE is not restricted to creating IPSec-SAs in Phase 2, and IPSec-SAs can be created according to other standards
Proposals

In both phases, the participants need to agree upon at least one proposal, i.e. a combination of

‣ An encryption algorithm
‣ A hash algorithm (which is used for authentication in Phase 2)
‣ A Diffie-Hellman group (which is optional in Phase 2)

These parameters are used to generate SAs based on a pre-shared key or on certificates.
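The following Python model is an added illustration and is not code from the manual or from VPN Tracker. It shows how the two peers arrive at a common proposal: the initiator offers its proposals in preference order, and the responder accepts the first one that matches its own configured set. The rule that a Diffie-Hellman group is mandatory in Phase 1 but optional in Phase 2 is modelled as a `None` group, which is only valid in Phase 2 (no PFS). Algorithm names, group numbers and the `Proposal` shape are assumptions chosen for the example; real IKE carries proposals as transform payloads, which this model does not reproduce.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    """One proposal: encryption algorithm, hash algorithm, DH group.

    dh_group is None when no Diffie-Hellman exchange is requested, which
    the model allows only in Phase 2 (an IPSec-SA without PFS).
    """
    encryption: str
    hash_alg: str
    dh_group: Optional[int]


def proposal_is_valid(phase: int, p: Proposal) -> bool:
    """Phase 1 must always carry a DH group; Phase 2 may omit it."""
    if phase == 1:
        return p.dh_group is not None
    return True


def proposals_match(offered: Proposal, accepted: Proposal) -> bool:
    """A proposal is accepted only when all three parameters agree.

    The DH group must agree exactly as well: if the responder is configured
    for PFS (a group) and the initiator offers none, or vice versa, the
    proposals do not match.
    """
    return (
        offered.encryption == accepted.encryption
        and offered.hash_alg == accepted.hash_alg
        and offered.dh_group == accepted.dh_group
    )


def negotiate(phase: int, initiator: List[Proposal], responder: List[Proposal]) -> Optional[Proposal]:
    """Return the first initiator proposal the responder accepts, or None.

    The initiator's list is in preference order; the responder's list is
    its configured policy. A None result means the peers share no
    proposal and the SA for this phase cannot be established.
    """
    if phase not in (1, 2):
        raise ValueError("IKE defines only Phase 1 and Phase 2")
    for offered in initiator:
        if not proposal_is_valid(phase, offered):
            continue  # malformed for this phase, skip rather than accept
        for accepted in responder:
            if proposals_match(offered, accepted):
                return offered
    return None


if __name__ == "__main__":
    # Constructed sample configurations for the two peers (not real devices).
    initiator_p1 = [
        Proposal("AES-256", "SHA-256", 14),
        Proposal("AES-128", "SHA-1", 2),
    ]
    responder_p1 = [
        Proposal("AES-128", "SHA-1", 2),
        Proposal("AES-256", "SHA-256", 14),
    ]
    print("Phase 1:", negotiate(1, initiator_p1, responder_p1))

    # Phase 2 without PFS on both sides: a None group is acceptable here.
    no_pfs = [Proposal("AES-256", "SHA-256", None)]
    print("Phase 2 (no PFS):", negotiate(2, no_pfs, no_pfs))

    # The same offer in Phase 1 is rejected, because a DH group is required.
    print("Phase 1 without group:", negotiate(1, no_pfs, responder_p1))
```

Because the initiator's preference order decides, a responder that lists a strong proposal first still ends up with whatever the initiator prefers among the proposals both sides accept; a responder that wants to enforce a minimum strength must therefore restrict its own configured list rather than rely on ordering.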
Authentication

To authenticate the peers in Phase 1, IKE uses either a Pre-shared Key (PSK), or Certificates. A PSK is nothing but a password known to both peers. Digital certificates are generally regarded as the best solution for determining user identity with absolute confidentiality. A digital certificate is an electronic document used to identify a single user, a server or a company. Each certificate is signed by a trusted Certificate Authority (CA).

The two standard authentication methods can be complemented by Extended Authentication (XAUTH), an extension to IKE. XAUTH defines an additional user authentication in a separate phase right after Phase 1 (but before the beginning of Phase 2).

The user authentication can be checked against an internal database in the VPN device or external databases, e.g. against a