Difference between Main Mode and Aggressive Mode

Both terms refer to the first phase of IKE negotiation for ×××. In main mode the two sides perform three exchanges, six packets in total. Briefly: packets 1 and 2 negotiate the encryption and authentication algorithms; packets 3 and 4 perform the DH exchange; packets 5 and 6 provide identity and key verification. In aggressive mode (i.e. the 野蛮模式 you mentioned) the two sides perform two exchanges, three packets in total. Packet 1: the initiator proposes the SA and initiates the DH exchange. Packet 2: the responder accepts the SA. Packet 3: the initiator authenticates the responder. Those are some of the differences in IKE negotiation. In addition, in aggressive mode the packets are exchanged in cleartext and no identity protection is provided, whereas main mode is different.


Main Mode

In main mode, the initiator and recipient send three two-way exchanges (six messages total) to accomplish the following services:

  • First exchange (messages 1 and 2)—Propose and accept the encryption and authentication algorithms.

  • Second exchange (messages 3 and 4)—Execute a Diffie-Hellman exchange, and the initiator and recipient each provide a pseudo-random number.

  • Third exchange (messages 5 and 6)—Send and verify their identities.

The information transmitted in the third exchange of messages is protected by the encryption algorithm established in the first two exchanges. Thus, the participants' identities are not transmitted in the clear.

Aggressive Mode

In aggressive mode, the initiator and recipient accomplish the same objectives, but in only two exchanges, with a total of three messages:

  • First message—The initiator proposes the SA, initiates a Diffie-Hellman exchange, and sends a pseudo-random number and its IKE identity.

  • Second message—The recipient accepts the SA; authenticates the initiator; and sends a pseudo-random number, its IKE identity, and, if using certificates, the recipient's certificate.

  • Third message—The initiator authenticates the recipient, confirms the exchange, and, if using certificates, sends the initiator's certificate.
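The security difference between the two modes is visible on the wire: in main mode the identity payloads of messages 5 and 6 travel with the ISAKMP encryption flag set, while aggressive mode's first message carries the IKE ID payload in cleartext. The following Python parser is an added example, not code from the original post: it reads the ISAKMP header and payload chain (RFC 2408 field layout) and flags a Phase 1 message that exposes an identity in the clear. The sample messages are constructed for this example, not captured traffic.

```python
import struct

# ISAKMP header (RFC 2408 section 3.1): two 8-byte cookies, next payload,
# version, exchange type, flags, message ID, total length.
HDR = struct.Struct("!8s8sBBBBII")
FLAG_ENCRYPTION = 0x01
EXCHANGE_TYPES = {2: "Main Mode (Identity Protection)", 4: "Aggressive Mode"}


def parse_isakmp(pkt):
    """Return (exchange type, encrypted flag, cleartext payload types in order)."""
    _ic, _rc, nxt, _ver, exch, flags, _mid, length = HDR.unpack_from(pkt)
    if length != len(pkt):
        raise ValueError("ISAKMP length field does not match packet size")
    encrypted = bool(flags & FLAG_ENCRYPTION)
    payloads, off = [], HDR.size
    # With the encryption bit set the body is ciphertext, so the chain is not walked.
    while nxt and not encrypted:
        # generic payload header: next payload, reserved, length including header
        following, _res, plen = struct.unpack_from("!BBH", pkt, off)
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("malformed ISAKMP payload chain")
        payloads.append(nxt)
        nxt, off = following, off + plen
    return exch, encrypted, payloads


def identity_in_clear(pkt):
    """True when a Phase 1 message carries an ID payload (type 5) without encryption."""
    exch, encrypted, payloads = parse_isakmp(pkt)
    return exch in EXCHANGE_TYPES and not encrypted and 5 in payloads


def build(exch, flags, payloads, first=0, raw=b""):
    """Constructed ISAKMP message: `payloads` is a list of (type, body) cleartext
    payloads; for an encrypted message pass first=<payload type>, raw=<ciphertext>."""
    body = raw
    for i, (_ptype, data) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", following, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else first
    hdr = HDR.pack(b"\x11" * 8, b"\x00" * 8, first, 0x10, exch, flags, 0, HDR.size + len(body))
    return hdr + body


# Constructed samples. ID body: type 1 (IPv4 address), protocol 0, port 0, then 192.0.2.1.
MAIN_MSG1 = build(2, 0, [(1, b"\x00" * 8)])                           # SA proposal only
MAIN_MSG5 = build(2, FLAG_ENCRYPTION, [], first=5, raw=b"\xaa" * 16)  # ID inside ciphertext
AGGR_MSG1 = build(4, 0, [(1, b"\x00" * 8), (4, b"\x01" * 32), (10, b"\x02" * 16),
                         (5, b"\x01\x00\x00\x00" + bytes([192, 0, 2, 1]))])
```

Run over UDP/500 captures, `identity_in_clear` gives a simple detection for peers still negotiating in aggressive mode.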

Configuration examples from various vendors


cisco


Commands in 7.x
crypto isakmp am-disable     (main mode only; aggressive mode disabled)
no crypto isakmp am-disable  (aggressive mode allowed)


juniper


set ike gateway "test" address 124.192.56.102 Main outgoing-interface "ethernet0/0" preshare "s1UVU3uhNIgPaRs45WCF9ei1k0nbGqzsRw==" sec-level standard


hillstone


SA-5040(config)# isakmp peer to-B                    // create the ISAKMP gateway (peer)
SA-5040(config-isakmp-peer)# interface ethernet0/0   // specify the egress interface
SA-5040(config-isakmp-peer)# isakmp-proposal p1      // specify the security proposal
SA-5040(config-isakmp-peer)# pre-share hillstone     // set the pre-shared key
SA-5040(config-isakmp-peer)# mode aggressive         // set the IKE negotiation mode to aggressive
SA-5040(config-isakmp-peer)# peer 200.1.1.2          // specify the peer address