When I first came into contact with IPsec, I wondered why the negotiation had to run in two phases: first negotiate an IKE SA, then negotiate the IPsec SA under the protection of that IKE SA. Would it not be simpler to negotiate the IPsec SA in one step? In practice, negotiating IPsec SAs directly is less efficient. Consider a company A with a subsidiary B. To let B's employees reach A's internal data, both sides deploy a VPN gateway at their network perimeter and use IPsec to encrypt the traffic between them. If both parties used IKEv1 and there were only a single negotiation phase, every IPsec SA would need a complete exchange of its own: six main mode messages plus three quick mode messages. Each new data stream would therefore generate a large number of negotiation messages and reduce the bandwidth left for useful traffic.
With two-phase negotiation, the gateways negotiate a single IKE SA once and then use it to negotiate an IPsec SA for each application data stream; each additional IPsec SA costs only one quick mode exchange (three messages), and those messages are already encrypted and authenticated by the IKE SA. The advantage of two phases, then, is that the IKE SA produced by phase 1 serves as the carrier for IPsec SA negotiation, which cuts the per-SA negotiation overhead.
So what is the difference between an IKE SA and an IPsec SA? By definition, the IKE SA is responsible for establishing and maintaining IPsec SAs; it plays a control role and protects the negotiation traffic itself rather than user data. The IPsec SA is responsible for protecting a specific data stream. For example, an HTTP request will ultimately be protected by the ESP protocol selected in the IPsec SA, using the ESP encryption algorithm negotiated there. Note that an IPsec SA is unidirectional, so a bidirectional data stream is protected by a pair of IPsec SAs, one in each direction.
The contents negotiated for an IKE SA and for an IPsec SA also differ, as shown below:
1. IKE SA negotiation content in IKEv1
Reference: http://www.iana.org/assignments/ipsec-registry
A. Encryption algorithm
B. Hash algorithm
C. Authentication method, such as certificate (signature) authentication or pre-shared key
D. PRF algorithm, used to derive the keying material; if none is negotiated, the HMAC form of the negotiated hash algorithm is used
E. DH group and its parameters
F. Key length: for algorithms with a variable key length, such as AES-CBC, the key length is negotiated through the Key Length attribute
G. SA lifetime (life type and life duration)
2. IKE SA negotiation content in IKEv2
Reference: http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xml
A. Encryption algorithm (ENCR)
B. PRF algorithm
C. Integrity algorithm (INTEG); omitted when an AEAD cipher such as AES-GCM is chosen
D. DH group
E. ESN (extended sequence numbers); this transform type is listed in the same registry, but it is only valid in ESP and AH proposals for the Child SA, not in the IKE SA proposal
Unlike IKEv1, IKEv2 does not negotiate the authentication method in the SA payload (each peer states it in its AUTH payload), and it does not negotiate SA lifetimes at all: each side rekeys on its own schedule.
3. IPsec SA negotiation content
Reference: http://www.iana.org/assignments/isakmp-registry
A. ESP encryption algorithm or AH integrity algorithm
B. Encapsulation mode (tunnel or transport)
C. Authentication (integrity) algorithm
D. SA lifetime
E. Compression algorithm (IPComp)
F. DH group and its parameters, only when perfect forward secrecy is requested for the IPsec SA
G. Encryption key length
H. Authentication key length
Some of these parameters are optional, and not every one is negotiated in every exchange. The three IANA registries linked above list the parameters and algorithm numbers used in each negotiation stage.
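To make the negotiation content above concrete, here is an added example (not code from the original page) that encodes, parses and sanity-checks IKEv2 SA payload proposals as they appear on the wire (RFC 7296 section 3.3). It goes slightly beyond the lists above by covering both an IKE SA proposal and an ESP Child SA proposal, and by checking the rule that PRF belongs only to the IKE SA while ESN belongs only to ESP and AH. The transform type and transform ID numbers come from the IANA ikev2-parameters registry linked above; the proposals themselves, the SPI value, and all function names are constructed for this example.

```python
"""Encode, parse and sanity-check IKEv2 SA payload proposals (RFC 7296 section 3.3).

Transform type and transform ID numbers are taken from the IANA ikev2-parameters
registry.  The proposals, the SPI value and all function names are constructed
for this example.
"""
import struct

# Transform types (RFC 7296 section 3.3.2)
ENCR, PRF, INTEG, DH, ESN = 1, 2, 3, 4, 5
# Protocol IDs carried in a Proposal Substructure
PROTO_IKE, PROTO_AH, PROTO_ESP = 1, 2, 3
# Transform types each protocol may carry (RFC 7296 section 3.3.3):
# PRF belongs to the IKE SA only, ESN to ESP/AH Child SAs only.
ALLOWED = {PROTO_IKE: {ENCR, PRF, INTEG, DH},
           PROTO_AH:  {INTEG, DH, ESN},
           PROTO_ESP: {ENCR, INTEG, DH, ESN}}
# A few transform IDs from the registry
ENCR_AES_CBC, ENCR_AES_GCM_16 = 12, 20
PRF_HMAC_SHA2_256 = 5
AUTH_HMAC_SHA2_256_128 = 12
MODP_2048 = 14
KEY_LENGTH_ATTR = 14   # Transform Attribute type, TV format, value in bits


def encode_transform(ttype, tid, key_len=None, last=True):
    """Transform Substructure; key_len adds a Key Length attribute (TV form, AF bit set)."""
    attrs = b"" if key_len is None else struct.pack("!HH", 0x8000 | KEY_LENGTH_ATTR, key_len)
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attrs), ttype, 0, tid) + attrs


def encode_proposal(num, proto, spi, transforms, last=True):
    """Proposal Substructure; transforms is a list of (type, id, key_len or None)."""
    tbytes = b"".join(encode_transform(t, i, k, last=(n == len(transforms) - 1))
                      for n, (t, i, k) in enumerate(transforms))
    hdr = struct.pack("!BBHBBBB", 0 if last else 2, 0, 8 + len(spi) + len(tbytes),
                      num, proto, len(spi), len(transforms))
    return hdr + spi + tbytes


def encode_sa_payload(proposals, next_payload=0):
    """SA payload (generic header + proposals); proposals is a list of (proto, spi, transforms)."""
    body = b"".join(encode_proposal(n + 1, p, s, t, last=(n == len(proposals) - 1))
                    for n, (p, s, t) in enumerate(proposals))
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_sa_payload(data):
    """Return a list of {num, proto, spi, transforms: [(type, id, key_len)]} dicts."""
    _, _, plen = struct.unpack_from("!BBH", data, 0)
    if plen != len(data):
        raise ValueError("SA payload length does not match data length")
    proposals, off = [], 4
    while off < plen:
        more, _, length, num, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", data, off)
        end = off + length
        spi = bytes(data[off + 8:off + 8 + spi_size])
        toff, transforms = off + 8 + spi_size, []
        for _ in range(ntrans):
            _, _, tlen, ttype, _, tid = struct.unpack_from("!BBHBBH", data, toff)
            attrs, key_len = data[toff + 8:toff + tlen], None
            while attrs:
                af_type, = struct.unpack_from("!H", attrs, 0)
                if af_type & 0x8000:                      # TV: 2-byte value follows
                    value, = struct.unpack_from("!H", attrs, 2)
                    attrs = attrs[4:]
                else:                                     # TLV: 2-byte length, then value
                    alen, = struct.unpack_from("!H", attrs, 2)
                    value, attrs = attrs[4:4 + alen], attrs[4 + alen:]
                if af_type & 0x7FFF == KEY_LENGTH_ATTR:
                    key_len = value
            transforms.append((ttype, tid, key_len))
            toff += tlen
        if toff != end:
            raise ValueError("proposal %d: transform lengths do not add up" % num)
        proposals.append({"num": num, "proto": proto, "spi": spi, "transforms": transforms})
        off = end
        if more == 0:
            break
    return proposals


def invalid_transform_types(proposal):
    """Transform types present that RFC 7296 does not allow for this proposal's protocol."""
    present = {t for t, _, _ in proposal["transforms"]}
    return sorted(present - ALLOWED[proposal["proto"]])


# Constructed proposals: one for the IKE SA, one for an ESP Child SA, and an
# IKE SA proposal that wrongly carries an ESN transform.
IKE_PROPOSAL = (PROTO_IKE, b"", [(ENCR, ENCR_AES_CBC, 256), (PRF, PRF_HMAC_SHA2_256, None),
                                  (INTEG, AUTH_HMAC_SHA2_256_128, None), (DH, MODP_2048, None)])
ESP_PROPOSAL = (PROTO_ESP, bytes.fromhex("c0ffee01"),
                [(ENCR, ENCR_AES_GCM_16, 256), (DH, MODP_2048, None), (ESN, 0, None)])
BAD_IKE_PROPOSAL = (PROTO_IKE, b"", IKE_PROPOSAL[2] + [(ESN, 0, None)])

if __name__ == "__main__":
    for name, prop in [("IKE", IKE_PROPOSAL), ("ESP", ESP_PROPOSAL), ("bad IKE", BAD_IKE_PROPOSAL)]:
        payload = encode_sa_payload([prop])
        parsed = parse_sa_payload(payload)[0]
        print(name, payload.hex(), parsed["transforms"], "invalid:", invalid_transform_types(parsed))
```

Running the script prints each payload in hex, the decoded transforms, and any transform types that are not allowed for that protocol; the third proposal is flagged because ESN does not belong in an IKE SA proposal. The Key Length attribute is the only attribute a real peer sends today, which is why the parser returns it separately while still stepping over TLV attributes correctly.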