Quick Mode Option within an IPsec Tunnel

For a successful and secure communication using IPsec, the Internet Key Exchange (IKE) protocols take part in a two-step negotiation. Main mode or Aggressive mode (Phase 1) authenticates the peers and sets up the protected channel between them. Quick mode (Phase 2) negotiates the algorithms and agrees on which traffic will be sent across the VPN. Let's take a further look at the Quick mode phase (Phase 2) and what its role is within an IPsec VPN tunnel.

In phase 2 of a VPN IKE negotiation, Quick mode is used. This is also known as phase 2 Security Association (SA) or IPsec SA.

Negotiations in phase 2 are protected by the encryption and authentication that were set up in phase 1, that is, by the IKE SA that was established when Main mode completed.

In Quick mode, three messages are exchanged between the peers, in which the IPsec SAs are negotiated to establish a secure channel between the two peers. Keying material is refreshed or new keys are generated (Perfect Forward Secrecy, if that option has been configured), and a protection suite is selected, which protects the IP traffic within the VPN tunnel.

In Quick mode, the peers negotiate and agree on parameters such as whether to use Transport or Tunnel mode, Encapsulated Security Payload (ESP) or Authentication Header (AH), and which encryption and hash algorithms to use. These parameters are then used to secure data travelling across the VPN tunnel. The IP addresses behind each VPN device are also specified, so that traffic between the configured addresses is secured by the VPN devices; each gateway informs the other of these addresses via its phase 2 IDs. The IP addresses can be individual hosts, network subnets or IP address ranges.
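A small Python model of the phase 2 selection described above, added here as an illustration and not code from the original page: the responder first checks that the two peers' phase 2 IDs mirror each other (in host, subnet or range form) and then accepts the first offered protection suite it also supports, so a mismatched phase 2 ID, or a suite the responder does not allow (including a different PFS group), fails the negotiation. The Proposal and Phase2Id types, the function names and the sample addresses are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Proposal:
    """One protection suite a peer is willing to use for the IPsec SA."""
    protocol: str                    # "ESP" or "AH"
    mode: str                        # "tunnel" or "transport"
    encryption: str                  # e.g. "aes-256", "3des"; "none" for AH
    integrity: str                   # e.g. "sha1", "md5"
    pfs_group: Optional[int] = None  # Diffie-Hellman group when PFS is required

@dataclass(frozen=True)
class Phase2Id:
    """Traffic a gateway protects: local and remote host, subnet or range."""
    local: str
    remote: str

def to_range(spec: str) -> Tuple:
    """Normalise a host, CIDR subnet or 'first-last' range to (first, last)."""
    if "-" in spec:
        first, last = (ip_address(s.strip()) for s in spec.split("-", 1))
        return first, last
    net = ip_network(spec, strict=False)   # a bare host becomes a /32
    return net[0], net[-1]

def ids_match(initiator: Phase2Id, responder: Phase2Id) -> bool:
    """Phase 2 IDs must mirror each other: my local traffic is your remote."""
    return (to_range(initiator.local) == to_range(responder.remote)
            and to_range(initiator.remote) == to_range(responder.local))

def negotiate_quick_mode(offered: List[Proposal], acceptable: List[Proposal],
                         init_id: Phase2Id, resp_id: Phase2Id):
    """Responder-side selection: returns (chosen proposal or None, status)."""
    if not ids_match(init_id, resp_id):
        return None, "phase 2 ID mismatch"
    for proposal in offered:            # initiator lists its preferences first
        if proposal in acceptable:      # every parameter must agree, PFS included
            return proposal, "ok"
    return None, "no matching proposal"

if __name__ == "__main__":
    # Constructed sample: two sites whose phase 2 IDs mirror each other.
    site_a = Phase2Id("192.168.1.0/24", "10.0.0.0/24")
    site_b = Phase2Id("10.0.0.0/24", "192.168.1.0/24")
    strong = Proposal("ESP", "tunnel", "aes-256", "sha1", 14)
    print(negotiate_quick_mode([strong], [strong], site_a, site_b))
```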

Further Reading

Wikipedia's guide to Internet Key Exchange