1902 CHAPTER 101: IKE CONFIGURATION

DH

The Diffie-Hellman (DH) algorithm is a public key algorithm. With this algorithm, two peers can exchange some data and then use that data to calculate the shared keys, rather than transmitting the keys directly. Because deriving the keys from the exchanged data is computationally infeasible, a third party cannot obtain the keys even after intercepting all the exchanged data.

PFS

The perfect forward secrecy (PFS) feature is a security feature based on the DH algorithm. It guarantees that compromise of one key has no impact on the security of other keys, because the keys have no derivative relations. For IPSec, PFS is implemented by adding an additional key exchange at IKE negotiation phase 2.

Operation of IKE

IKE negotiates keys and establishes SAs for IPSec in two phases:

1 Phase 1: The two peers establish an ISAKMP SA (a secure, authenticated channel for communication). In this phase, two modes are available: main mode and aggressive mode.

2 Phase 2: Using the ISAKMP SA established in phase 1, the two peers negotiate to establish IPSec SAs.

Figure 553 IKE exchange process

[Figure 553: message flow between Peer 1 and Peer 2. SA exchange: initiator's policy / confirmed policy (send local IKE policy, find a matching policy, receive policy, algorithm confirmation). Key exchange: initiator's key information / key information (key generation). ID exchange/authentication: initiator's identity and authentication data / receive authentication data (identity authentication, authenticate identity and exchange process).]

As shown in Figure 553, the main mode of IKE negotiation in phase 1 involves three pairs of messages:

■ SA exchange, used for negotiating the security policy.
■ Key exchange, used for exchanging the Diffie-Hellman public value and other values like the random data. Key data is generated in this stage.
■ ID information and authentication data exchange, used for identity authentication and the whole SA exchange.

The main difference between main mode and aggressive mode is that the aggressive mode does not provide identity protection and only exchanges the
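The following Python model, added here as an illustration and not part of this manual or of any vendor's IKE implementation, ties together the DH and PFS sections above with the two-phase operation: each peer derives the same phase-1 key from its own private exponent and the peer's public value, and phase 2 either reuses the phase-1 material (no PFS) or mixes in a fresh DH exchange (PFS). It then shows why PFS matters from a defender's viewpoint: someone who later obtains the phase-1 key and holds a capture of the phase-2 messages can recompute the non-PFS phase-2 key, but not the PFS one, because the second DH secret never crosses the wire. The group parameters (a Mersenne prime and generator 3), the HMAC-SHA256 stand-in for the IKE PRF, and the simplified key-derivation formulas are all constructed assumptions chosen for readability; they are not the real IKE DH groups or the exact RFC 2409 derivations.

```python
"""Toy model of IKE two-phase key derivation with and without PFS (added example)."""
import hashlib
import hmac
import secrets

# Constructed toy group: a Mersenne prime and a small generator. This is NOT one of
# the real IKE DH groups; it only keeps the arithmetic readable.
P = (1 << 89) - 1
G = 3


def dh_keypair():
    """Return (private exponent x, public value g^x mod p) for one peer."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Combine our private exponent with the peer's public value: g^xy mod p."""
    return pow(peer_pub, priv, P)


def to_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def prf(key, data):
    """HMAC-SHA256 stands in for the negotiated IKE PRF (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def phase1_key(priv, peer_pub, nonce_i, nonce_r):
    """Phase 1: key material derived from the DH secret and both peers' nonces."""
    return prf(nonce_i + nonce_r, to_bytes(dh_shared(priv, peer_pub)))


def phase2_key(skeyid_d, nonce_i, nonce_r, dh_secret=None):
    """Phase 2: without PFS the key depends only on phase-1 material and nonces;
    with PFS a fresh DH secret from the additional exchange is mixed in."""
    extra = b"" if dh_secret is None else to_bytes(dh_secret)
    return prf(skeyid_d, extra + nonce_i + nonce_r)


def run_exchange(pfs):
    """Simulate both peers; return the keys each side derived and what crossed the wire."""
    # Phase 1: each peer generates its own DH pair and exchanges public values.
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)
    sk_a = phase1_key(a_priv, b_pub, n_i, n_r)
    sk_b = phase1_key(b_priv, a_pub, n_i, n_r)
    # Phase 2: new nonces; with PFS, also a second DH exchange.
    n2_i, n2_r = secrets.token_bytes(16), secrets.token_bytes(16)
    wire = {"nonce_i": n2_i, "nonce_r": n2_r}
    if pfs:
        a2_priv, a2_pub = dh_keypair()
        b2_priv, b2_pub = dh_keypair()
        wire.update(pub_i=a2_pub, pub_r=b2_pub)  # only public values are sent
        k_a = phase2_key(sk_a, n2_i, n2_r, dh_shared(a2_priv, b2_pub))
        k_b = phase2_key(sk_b, n2_i, n2_r, dh_shared(b2_priv, a2_pub))
    else:
        k_a = phase2_key(sk_a, n2_i, n2_r)
        k_b = phase2_key(sk_b, n2_i, n2_r)
    return {"phase1": (sk_a, sk_b), "phase2": (k_a, k_b), "wire": wire}


def rederive_from_compromised_phase1(skeyid_d, wire):
    """What a party holding the phase-1 key plus a capture of the phase-2 messages
    can recompute. With PFS the needed g^xy is not on the wire (only the public
    values are), so the derivation has no input to proceed with and returns None."""
    if "pub_i" in wire:
        return None
    return phase2_key(skeyid_d, wire["nonce_i"], wire["nonce_r"])


def pfs_demo():
    """Return (phase-2 key recoverable without PFS?, recoverable with PFS?)."""
    results = []
    for pfs in (False, True):
        r = run_exchange(pfs)
        sk_a, sk_b = r["phase1"]
        k_a, k_b = r["phase2"]
        assert sk_a == sk_b and k_a == k_b  # both peers agree in either mode
        results.append(rederive_from_compromised_phase1(sk_a, r["wire"]) == k_a)
    return tuple(results)


if __name__ == "__main__":
    print("phase-2 key recoverable from a compromised phase-1 key:",
          dict(zip(("without PFS", "with PFS"), pfs_demo())))
```

Running the block prints that the phase-2 key is recoverable without PFS and not with it. This is the "no derivative relations" property the PFS section describes: the extra DH exchange in phase 2 costs one more round trip, which is why it is an optional setting, but it is the setting that keeps already-negotiated IPSec SAs safe if the ISAKMP SA's key material is ever exposed.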