RE: how IKE works in case of Checkpoint Firewall

From: DABDELMOat_private
Date: Wed Jun 27 2001 - 06:32:16 PDT


    Are you sure about the differences you give between main mode and aggressive
    mode? I thought that the data of the second phase of IKE negotiation are always
    protected by the ISAKMP SA negotiated during the first phase, whatever the
    mode you use. Main mode is based on a 6-message exchange, and aggressive
    mode on a 3-message exchange. The problem with aggressive mode is that it
    does not provide identity protection (which is logical since the ID
    payload is sent in the first message), and you cannot have any negotiation
    for the DH group.
    Though I may be confused about what you say or how I understand, since IKE
    is far from being a simple protocol ;)
    Regards
    
    David
    
    > -----Original Message-----
    > From:	Tina Bird [SMTP:tbird@precision-guesswork.com]
    > Date:	Tuesday, June 26, 2001 18:47
    > To:	priya subramanian
    > Cc:	pen-testat_private
    > Subject:	Re: how IKE works in case of Checkpoint Firewall
    > 
    > First off, note that Checkpoint's naming of encryption
    > mechanisms is confusing.  IKE is not an encryption or
    > VPN protocol.  It's a protocol for host authentication, 
    > negotiation of security parameters for an encrypted
    > connection, and key generation and exchange.  What
    > Checkpoint really means is "IPsec VPN with dynamic key
    > exchange."  End rant.
    > 
    > IKE consists of two phases.  Phase One includes verification
    > of the identities of the local and remote systems (via pre-
    > shared secrets or certificates) and negotiation of the security
    > parameters for Phase Two.  If Phase Two does >not< need to be
    > encrypted, then the Phase One exchange is called "IKE Aggressive
    > Mode."  If Phase Two is required to use a secure channel, then
    > session keys are generated in Phase One, and Phase One is called
    > "IKE Main Mode."  Main Mode is about three times slower than 
    > Aggressive mode because of the key generation step.  The 
    > security parameters negotiated for the Phase Two connection 
    > are the IKE or ISAKMP Security Association.
    > 
    > Once the hosts are authenticated, then Phase Two (also known as
    > "IKE Quick Mode") proceeds -- this is the piece that negotiates
    > the security parameters for the actual IPsec connection, including
    > IPsec protocols (AH or ESP), lifetime of connection, encryption
    > and hash algorithms, and the initial session key for the
    > connection.  Assuming that the hosts can agree on a common set
    > of security parameters, once Quick Mode is complete, the IPsec
    > connection goes live.  This second set of parameters is the IPsec
    > Security Association.
    > 
    > You could >never< tell  that I'm revising my USENIX VPN class!
    > 
    > Hope that helps -- Tina Bird
    > VPN List Moderator
    > 
    > On Mon, 25 Jun 2001, [iso-8859-1] priya subramanian wrote:
    > 
    > > Date: Mon, 25 Jun 2001 06:02:31 +0100 (BST)
    > > From: "[iso-8859-1] priya subramanian" <pentestingat_private>
    > > To: pen-testat_private
    > > Subject: how IKE works in case of Checkpoint Firewall
    > > 
    > > In my understanding IKE involves two phases wherein the
    > > DH keys and the CA keys are exchanged and a secret key
    > > is derived for encryption.
    > > 
    > > But when configuring IKE VPN in a Checkpoint firewall
    > > we do exchange any DH keys.. only a preshared secret
    > > is directly given. This is really confusing.
    > > 
    > > Could anyone elaborate on how exactly IKE encryption
    > > works with Firewall-1
    > > 
    > > Regards
    > > Priya
    > > 
    > > 
    > 
    > VPN:  http://kubarb.phsx.ukans.edu/~tbird/vpn.html
    > life: http://kubarb.phsx.ukans.edu/~tbird
    > work: http://www.counterpane.com
    > 
    > 
    
    --------------------------------------------------------------------------------------
    
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service
    For more information on SecurityFocus' SIA service which automatically alerts you to 
    the latest security vulnerabilities please see:
    
    https://alerts.securityfocus.com/
    
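The point Priya asked about (where the DH exchange is when only a pre-shared secret is configured) can be seen by working through the Phase 1 key derivation of RFC 2409 section 5.4: the pre-shared key never goes on the wire, it only seeds the prf that authenticates the peers, while the Diffie-Hellman exchange (Oakley group 2, carried in Main Mode's 3rd/4th messages) supplies the shared secret from which SKEYID_d/SKEYID_a/SKEYID_e are derived. The following Python simulation is an added example, not code from this thread or from Check Point; the identities, SA proposal bytes and secrets are constructed values.

```python
"""Toy IKEv1 Phase 1 (pre-shared key) key derivation per RFC 2409 section 5.4."""
import hashlib
import hmac
import os

# Oakley group 2: 1024-bit MODP prime, generator 2 (RFC 2409 section 6.2).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def prf(key, data):
    # With SHA-1 negotiated, the IKEv1 prf is HMAC-SHA1.
    return hmac.new(key, data, hashlib.sha1).digest()

def i2b(n):
    return n.to_bytes(128, "big")  # group 2 values are 1024 bits wide

def dh_keypair():
    x = int.from_bytes(os.urandom(32), "big")  # private exponent
    return x, pow(G, x, P)                       # (x, g^x mod p)

def phase1_keys(psk, ni, nr, cky_i, cky_r, x, gx_peer):
    """What one side derives from its PSK, both nonces, both cookies and DH."""
    gxy = i2b(pow(gx_peer, x, P))        # shared DH secret, never transmitted
    skeyid = prf(psk, ni + nr)           # PSK only seeds the prf
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid, skeyid_d, skeyid_a, skeyid_e

def main_mode_psk(psk_i, psk_r, id_i=b"gw-a", sa_i=b"SA-proposal"):
    """Simulate both peers of a Main Mode PSK exchange (constructed values).
    Returns (responder accepted HASH_I, both sides derived the same SKEYID_e)."""
    cky_i, cky_r = os.urandom(8), os.urandom(8)   # ISAKMP cookies (msgs 1, 2)
    ni, nr = os.urandom(16), os.urandom(16)       # nonces (msgs 3, 4)
    xi, gxi = dh_keypair()                        # KE payloads (msgs 3, 4)
    xr, gxr = dh_keypair()
    # Initiator proves knowledge of the PSK with HASH_I (msg 5, encrypted).
    k_i = phase1_keys(psk_i, ni, nr, cky_i, cky_r, xi, gxr)
    hash_i = prf(k_i[0], i2b(gxi) + i2b(gxr) + cky_i + cky_r + sa_i + id_i)
    # Responder recomputes HASH_I from its own configured PSK.
    k_r = phase1_keys(psk_r, ni, nr, cky_i, cky_r, xr, gxi)
    expected = prf(k_r[0], i2b(gxi) + i2b(gxr) + cky_i + cky_r + sa_i + id_i)
    return hmac.compare_digest(hash_i, expected), k_i[3] == k_r[3]
```

A mismatched pre-shared key fails HASH_I verification and yields different SKEYID_e on each side, which is why a bad PSK shows up as a Phase 1 authentication failure rather than as garbled Phase 2 traffic.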



    This archive was generated by hypermail 2b30 : Wed Jun 27 2001 - 21:43:37 PDT