Main Mode Key Exchanges
Figure 13-6 shows aggressive mode key exchanges.
NOTE: An aggressive mode exchange consists of three messages:
■ The first two messages negotiate policy, exchange public-key values, and authenticate
the responder.
■ The third message authenticates the initiator; it is normally postponed until the
negotiation is complete and is not sent as clear text.
NOTE: Diffie-Hellman is a public-key cryptography protocol used between two IPSec peers
to derive a shared secret over an unsecured channel without ever transmitting the secret
itself. The Security Appliance supports three Diffie-Hellman groups: Group 1 is 768-bit,
Group 2 is 1024-bit, and Group 5 is 1536-bit.
[Figure: main mode key exchange message flow between Initiator and Responder]
Initiator -> Responder: ISAKMP header with SA payload
Responder -> Initiator: ISAKMP header with SA payload
Initiator -> Responder: ISAKMP header, Key Exchange, Nonce (initiator)
Responder -> Initiator: ISAKMP header, Key Exchange, Nonce (responder)
Responder -> Initiator: ISAKMP header (with payload encryption), Identification (ISAKMP responder), HASH payload (responder)
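The Diffie-Hellman derivation described in the note above, carried through the Key Exchange and Nonce messages of the main mode flow, as an added Python example; this is not code from the original text or from the Security Appliance. It generates a fresh 128-bit safe prime as a stand-in for the real 768-, 1024- and 1536-bit groups (whose RFC-defined moduli are deliberately not reproduced here); the Peer class, derive_key and run_exchange are illustrative names, and the key derivation is a simplified HMAC over the two nonces and g^xy rather than a byte-exact ISAKMP SKEYID.

```python
import hashlib
import hmac
import secrets


def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test with a small trial-division front end."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits):
    """Return p = 2q + 1 with both q and p prime; g = 2 then has a large order.
    Constructed stand-in for the fixed IKE groups (768/1024/1536-bit)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


class Peer:
    """One IKE peer's side of the Diffie-Hellman part of main mode (illustrative)."""

    def __init__(self, name, p, g=2, private=None, nonce=None):
        self.name, self.p, self.g = name, p, g
        # The private exponent never leaves this object; fixed values are
        # accepted only so an exchange can be reproduced in a test.
        self.private = private if private is not None else secrets.randbelow(p - 3) + 2
        self.nonce = nonce if nonce is not None else secrets.token_bytes(16)

    def key_exchange_payload(self):
        """KE value g^x mod p plus the nonce: the only values that go on the wire."""
        return pow(self.g, self.private, self.p), self.nonce

    def shared_secret(self, peer_public):
        """g^xy mod p, computed locally; trivial public values (0, 1, p-1) are rejected."""
        if not 1 < peer_public < self.p - 1:
            raise ValueError("peer public value out of range")
        return pow(peer_public, self.private, self.p)


def derive_key(shared, ni, nr):
    """Simplified key derivation: HMAC keyed with both nonces over g^xy.
    Modelled on the shape of ISAKMP SKEYID (nonces + DH secret), not byte-exact."""
    secret_bytes = shared.to_bytes((shared.bit_length() + 7) // 8, "big")
    return hmac.new(ni + nr, secret_bytes, hashlib.sha256).digest()


def run_exchange(initiator, responder):
    """Messages 3 and 4 of main mode: each side sends KE + nonce, then both derive one key."""
    ke_i, n_i = initiator.key_exchange_payload()   # message 3, initiator -> responder
    ke_r, n_r = responder.key_exchange_payload()   # message 4, responder -> initiator
    wire = {"ke_i": ke_i, "n_i": n_i, "ke_r": ke_r, "n_r": n_r}  # all an eavesdropper sees
    key_i = derive_key(initiator.shared_secret(ke_r), n_i, n_r)
    key_r = derive_key(responder.shared_secret(ke_i), n_i, n_r)
    return wire, key_i, key_r


if __name__ == "__main__":
    p = generate_safe_prime(128)   # constructed demo group, far smaller than Groups 1/2/5
    wire, key_i, key_r = run_exchange(Peer("initiator", p), Peer("responder", p))
    print("observed on wire:", {k: (v if isinstance(v, int) else v.hex()) for k, v in wire.items()})
    print("keys match:", key_i == key_r)
```

The wire dictionary is the whole of what passes over the unsecured channel: the two public values and the two nonces. Neither private exponent nor g^xy is ever transmitted, which is the property the note describes; the group size (here 128 bits for speed, 768 to 1536 bits in the real groups) is what makes recovering g^xy from those public values impractical.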