IPsec Main mode VPN Tutorial

For successful and secure communication using IPsec, the IKE (Internet Key Exchange) protocol carries out a two-step negotiation. The first step, Phase 1, uses either Main mode or Aggressive mode to authenticate the peers and protect the exchange with encryption. In the second step, Quick mode (Phase 2) negotiates the algorithms and agrees which traffic will be sent across the VPN. Below we take a look at Main mode (Phase 1).

The Phase 1 security association can be established in one of two ways: Main mode or Aggressive mode. The purpose of Main mode (Phase 1) is to set up a secure channel inside which Quick mode (Phase 2) can be negotiated. The two devices exchange credentials, and these credentials must match before the peers can authenticate each other and establish the VPN connection. This is achieved either with an identical pre-shared key on both peers or with digital certificates. Both devices must use the same form of identification: if one device proves its identity with a pre-shared key, the other must use an identical pre-shared key, and if one device uses a digital certificate, both sides must use digital certificates. Once this succeeds, the peers have identified themselves to each other.

In Phase 1 Main mode, three two-way exchanges take place between the initiator and the responder of the tunnel. Main mode provides identity protection (the peer identities are protected while they are authenticated) when pre-shared keys are used, and it is typically used for site-to-site tunnels. The IKE SAs protect the security negotiations that follow.

Use Main mode when the VPN peers have static IP addresses. If either VPN peer is not identified by its IP address, Main mode can only be used with certificates.
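A simplified model of the three Main mode exchanges, added here as an illustration and not taken from this tutorial or any IKE implementation. It assumes HMAC-SHA256 as the prf, constructed toy Diffie-Hellman parameters, constructed documentation-range addresses and keys, and a simplified authentication hash; the SKEYID derivation for pre-shared keys follows RFC 2409. It shows why both peers need the same pre-shared key, why the transform proposals must overlap, and why a pre-shared key must be found by the peer's IP address before its identity is seen, which is the reason Main mode with pre-shared keys needs static addresses.

```python
import hashlib, hmac, secrets

# Constructed toy DH parameters: far too small for real use (IKE uses the MODP groups of RFC 2409).
P, G = 2**127 - 1, 5

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()   # HMAC-SHA256 stands in for the negotiated prf

def choose_proposal(offered, acceptable):
    """Exchange 1 (messages 1-2): the responder picks the first offered transform it also accepts."""
    return next((p for p in offered if p in acceptable), None)

def dh_keys():
    """Exchange 2 (messages 3-4): each side contributes a DH public value and a nonce."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P), secrets.token_bytes(16)

def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    return prf(psk, ni + nr)                 # RFC 2409 pre-shared-key mode: SKEYID = prf(psk, Ni | Nr)

def auth_hash(skeyid, g_i, g_r, proposal, ident):
    """Simplified HASH_I / HASH_R: binds the DH values, the agreed proposal and the sender's identity."""
    return prf(skeyid, g_i.to_bytes(16, "big") + g_r.to_bytes(16, "big") + proposal.encode() + ident)

def main_mode(init_addr, resp_addr, init_psks, resp_psks, init_offer, resp_accept):
    """Run the three Main mode exchanges; True only when both peers authenticate each other.
    Each side selects the PSK by the peer's IP address: the identity payload only arrives in
    messages 5/6, which is why PSK Main mode needs static addresses."""
    proposal = choose_proposal(init_offer, resp_accept)
    psk_i, psk_r = init_psks.get(resp_addr), resp_psks.get(init_addr)
    if proposal is None or psk_i is None or psk_r is None:
        return False                         # no common transform, or no PSK known for that address
    xi, g_i, ni = dh_keys()
    xr, g_r, nr = dh_keys()
    assert pow(g_r, xi, P) == pow(g_i, xr, P)   # shared g^xy (feeds SKEYID_d/a/e, omitted here)
    skeyid_i, skeyid_r = skeyid_psk(psk_i, ni, nr), skeyid_psk(psk_r, ni, nr)
    id_i, id_r = init_addr.encode(), resp_addr.encode()
    hash_i = auth_hash(skeyid_i, g_i, g_r, proposal, id_i)   # message 5, initiator -> responder
    hash_r = auth_hash(skeyid_r, g_i, g_r, proposal, id_r)   # message 6, responder -> initiator
    resp_ok = hmac.compare_digest(hash_i, auth_hash(skeyid_r, g_i, g_r, proposal, id_i))
    init_ok = hmac.compare_digest(hash_r, auth_hash(skeyid_i, g_i, g_r, proposal, id_r))
    return resp_ok and init_ok

def demo():
    """Constructed sample peers (documentation-range addresses) covering the cases in the text."""
    a, b, t = "198.51.100.1", "203.0.113.1", ["aes128-sha1-g2"]
    good = main_mode(a, b, {b: b"s3cret"}, {a: b"s3cret"}, t, t)
    bad_psk = main_mode(a, b, {b: b"s3cret"}, {a: b"typo"}, t, t)      # keys differ: auth fails
    no_match = main_mode(a, b, {b: b"s3cret"}, {a: b"s3cret"}, ["3des-md5-g1"], t)
    dynamic = main_mode("192.0.2.77", b, {b: b"s3cret"}, {a: b"s3cret"}, t, t)  # unknown source IP
    return good, bad_psk, no_match, dynamic
```

Running `demo()` returns `(True, False, False, False)`: only the pair with matching keys, a common proposal and a known peer address completes Phase 1.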

Further Reading

Wikipedia's guide to Internet Key Exchange