Quick Mode - Setup IPSec Tunnel
Configure IPSec Tunnel
For successful and secure communication using IPSec, the IKE (Internet Key Exchange) protocol takes part in a two-step negotiation. Main mode or Aggressive mode (Phase 1) authenticates and/or encrypts the peers. Quick mode (Phase 2) negotiates the algorithms and agrees on which traffic will be sent across the VPN. Below I discuss Quick mode (Phase 2).
Quick mode is used in phase 2 of a VPN IKE negotiation. This is also known as the phase 2 SA or IPSec SA. Negotiations in phase 2 are protected by the encryption and authentication that were set up in phase 1. In Quick mode, 3 messages are exchanged between the peers, in which the IPSec SAs are negotiated to establish a secure channel between the two peers. Keying material is refreshed, or new keys are generated if this option is specified, and a protection suite is selected to protect specific IP traffic.
In phase 2 you specify which traffic will travel across the VPN. The IP addresses behind both VPN devices are specified, and the gateways inform each other of them via phase 2 IDs. You can specify an individual IP address, a network IP address or a network range.
All Quick mode negotiations are protected by the IKE SA that was established when Main mode completed during phase 1. In Quick mode the peers negotiate and agree on parameters such as whether to use Transport or Tunnel mode, ESP or AH, the encryption type and the hash functions. These parameters are then used to secure data traveling across the VPN tunnel.
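The following added example (not from the original page or any vendor's tooling) checks two gateways' phase 2 settings for the mismatches that stop Quick mode from completing: differing ESP/AH, mode, encryption or hash choices, and phase 2 IDs that do not mirror each other. The dictionary keys, algorithm labels and addresses are constructed for illustration, and it assumes each gateway holds a single proposal and that IDs are compared as address sets.

```python
import ipaddress

PARAMS = ("protocol", "mode", "encryption", "hash")

def parse_id(spec):
    """Turn a phase 2 ID (single IP, network, or 'first-last' range) into a set of networks."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return frozenset(ipaddress.summarize_address_range(first, last))
    # Raises ValueError when host bits are set (e.g. 10.1.0.5/24), a common typo.
    return frozenset([ipaddress.ip_network(spec.strip())])

def check_phase2(a, b):
    """List the Quick mode mismatches between gateways a and b (empty list = compatible)."""
    problems = []
    for key in PARAMS:
        if a[key].lower() != b[key].lower():
            problems.append(f"{key}: {a[key]} != {b[key]}")
    # Each gateway's local ID must cover exactly the addresses its peer lists as remote.
    # Assumption: IDs are compared as address sets, not by how the ID is encoded.
    for x, y, nx, ny in ((a, b, "A", "B"), (b, a, "B", "A")):
        if parse_id(x["local_id"]) != parse_id(y["remote_id"]):
            problems.append(
                f"phase 2 ID: {nx} local {x['local_id']} != {ny} remote {y['remote_id']}")
    return problems

# Constructed sample settings for two gateways.
GW_A = {"protocol": "ESP", "mode": "tunnel", "encryption": "aes256", "hash": "sha256",
        "local_id": "10.1.0.0/24", "remote_id": "10.2.0.0-10.2.0.255"}
GW_B = {"protocol": "ESP", "mode": "tunnel", "encryption": "aes256", "hash": "sha256",
        "local_id": "10.2.0.0/24", "remote_id": "10.1.0.0/24"}
# Same peer with a weaker hash and a remote ID that is too wide.
GW_B_BAD = dict(GW_B, hash="sha1", remote_id="10.1.0.0/16")

if __name__ == "__main__":
    for name, peer in (("GW_B", GW_B), ("GW_B_BAD", GW_B_BAD)):
        issues = check_phase2(GW_A, peer)
        print(name, "compatible" if not issues else issues)
```
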
Further Reading
Wikipedia's guide to Internet Key Exchange