
IPSec Main mode - IPSec Site to Site VPN


Main Mode (Phase 1)

For successful and secure communication using IPSec, the IKE (Internet Key Exchange) protocol takes part in a two-step negotiation. Main mode or Aggressive mode (Phase 1) authenticates the peers and sets up encryption between them. Quick mode (Phase 2) negotiates the algorithms and agrees on which traffic will be sent across the VPN. Below I discuss Main mode (Phase 1).

A security association can be established in one of two ways: main mode or aggressive mode. The purpose of Main mode (phase 1) is to set up a secure channel in which Quick mode (phase 2) can be negotiated. Both devices in the negotiation exchange credentials, and these must match for the peers to authorise each other and make a VPN connection. This is achieved either by both peers exchanging identical pre-shared keys or by using digital certificates; however, both must use one method or the other. So if one device is using a pre-shared key, the other peer must also use an identical pre-shared key, and the same goes for digital certificates. When both peers have achieved this, they have successfully identified themselves to each other. In phase 1, Main mode is used and three two-way exchanges between the initiator and receiver of the tunnel take place. Main mode provides identity protection by authenticating peer identities when pre-shared keys are used, and is typically used for site-to-site tunnels. The IKE SAs are used to protect the security negotiations.

You should use main mode when the peers have static IP addresses. If one or the other peer does not use its IP address as its identifier, Main mode can only be used if certificates are the credential method.
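The three two-way Main Mode exchanges described above, as an added example that is not part of this guide: a Python model of IKEv1 Phase 1 with pre-shared-key authentication, showing the transform proposal match, the Diffie-Hellman exchange, and the HASH_I/HASH_R check that fails when the two peers' pre-shared keys differ. The peer names, transform strings and toy DH group are constructed for illustration; the message layout follows RFC 2409 but is not wire-compatible IKE.

```python
"""Simplified IKEv1 Main Mode (Phase 1) with pre-shared-key authentication. Constructed
example following RFC 2409's message structure; DH group and encodings are toy stand-ins."""
import hashlib, hmac, secrets

PRIME = 2**127 - 1  # toy DH modulus (a Mersenne prime); real IKE uses the RFC 2409 MODP groups
GEN = 2

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()  # RFC 2409 PRF: HMAC with the negotiated hash

class Peer:
    def __init__(self, name: str, psk: bytes, proposals: list):
        self.name, self.psk, self.proposals = name, psk, proposals
        self.cookie = secrets.token_bytes(8)        # ISAKMP cookie identifying this IKE SA
        self.x = secrets.randbelow(PRIME - 2) + 1   # private Diffie-Hellman exponent
        self.pub = pow(GEN, self.x, PRIME)          # g^x, sent as the KE payload
        self.nonce = secrets.token_bytes(16)        # Ni or Nr

def auth_hash(skeyid, my_pub, peer_pub, my_cookie, peer_cookie, sa, my_id):
    # HASH_I / HASH_R (RFC 2409 sec. 5.4): binds DH values, cookies, SA offer and identity to SKEYID
    data = my_pub.to_bytes(16, "big") + peer_pub.to_bytes(16, "big")
    return prf(skeyid, data + my_cookie + peer_cookie + sa + my_id)

def main_mode(init: Peer, resp: Peer):
    """Run the three two-way Main Mode exchanges; return the IKE SA, or None if negotiation fails."""
    # Exchange 1: initiator offers transforms; responder accepts the first one it also supports
    chosen = next((p for p in init.proposals if p in resp.proposals), None)
    if chosen is None:
        return None                                  # NO-PROPOSAL-CHOSEN
    sa = chosen.encode()
    # Exchange 2: KE and nonce payloads in both directions (in the clear); both sides derive g^xy
    shared = pow(resp.pub, init.x, PRIME)            # equals pow(init.pub, resp.x, PRIME)
    # With PSK authentication SKEYID = prf(PSK, Ni | Nr), each side using its OWN configured key
    skeyid_i = prf(init.psk, init.nonce + resp.nonce)
    skeyid_r = prf(resp.psk, init.nonce + resp.nonce)
    # Exchange 3: identities plus HASH_I / HASH_R (in real IKE this exchange is encrypted under SKEYID_e)
    id_i, id_r = init.name.encode(), resp.name.encode()
    hash_i = auth_hash(skeyid_i, init.pub, resp.pub, init.cookie, resp.cookie, sa, id_i)
    hash_r = auth_hash(skeyid_r, resp.pub, init.pub, resp.cookie, init.cookie, sa, id_r)
    # Each side recomputes the other's hash with its own SKEYID; a PSK that differs on either end fails here
    ok_i = hmac.compare_digest(hash_i, auth_hash(skeyid_r, init.pub, resp.pub, init.cookie, resp.cookie, sa, id_i))
    ok_r = hmac.compare_digest(hash_r, auth_hash(skeyid_i, resp.pub, init.pub, resp.cookie, init.cookie, sa, id_r))
    if not (ok_i and ok_r):
        return None                                  # AUTHENTICATION-FAILED
    # SKEYID_d seeds the Phase 2 (Quick Mode) keying material
    skeyid_d = prf(skeyid_i, shared.to_bytes(16, "big") + init.cookie + resp.cookie + b"\x00")
    return {"transform": chosen, "peers": (init.name, resp.name), "skeyid_d": skeyid_d}
```

Running `main_mode` with the same PSK on both peers returns the negotiated SA, while a PSK that differs on either side, or no common transform, returns None, which is the failure an administrator sees as a stuck Phase 1.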

Further Reading

Wikipedia's guide to Internet Key Exchange