IPSec Main mode - IPSec Site to Site VPN (2024)

For successful and secure communication using IPsec, the IKE (Internet Key Exchange) protocol performs a two-phase negotiation. Phase 1 uses Main mode or Aggressive mode to authenticate the peers and set up an encrypted channel between them. Phase 2, Quick mode, negotiates the IPsec algorithms and agrees which traffic will be sent across the VPN. Below we take a look at Main mode (Phase 1).

A security association is established in one of two ways, using Main mode or Aggressive mode. The purpose of Main mode (Phase 1) is to set up a secure channel in which Quick mode (Phase 2) can be negotiated. Both devices exchange credentials, and these must match for the peers to authorise each other and establish the VPN connection. Authentication uses either identical pre-shared keys on both peers or digital certificates, and both devices must use the same form of identification: if one device proves its identity with a pre-shared key, the other must hold the identical pre-shared key, and if one device uses a digital certificate, both sides must use digital certificates. Once this succeeds, the peers have identified themselves to each other. In Phase 1, Main mode completes three two-way exchanges (six messages) between the initiator and the responder of the tunnel. Main mode provides identity protection because the peer identities are exchanged only after the channel has been encrypted; when pre-shared keys are used, the key therefore has to be selected by the peer's IP address rather than by its identity. Main mode is typically used for site-to-site tunnels. The IKE SA protects the Phase 2 security negotiations.

Use Main mode when both VPN peers have static IP addresses. If either peer is not identified by its IP address, Main mode can only be used with certificate authentication.
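As an added example (not part of the original article), the following Python sketch walks through the six Main mode messages with pre-shared-key authentication. It uses the key-derivation formulas from RFC 2409 (SKEYID, SKEYID_d/a/e, HASH_I, HASH_R) and the 1024-bit MODP group 2 prime, but simplifies everything else: the proposal is a constant string, cookies and nonces are random bytes, and an HMAC keystream stands in for the negotiated CBC cipher so the example runs with the Python standard library alone. The class and function names, the IP addresses, the identities and the pre-shared keys are constructed for this example.

```python
"""Simplified IKEv1 Main mode (Phase 1) with pre-shared-key authentication.

Added example, not code from the original article. Message layout and
PSK key derivation follow RFC 2409; wire format, cookie/nonce sizes and
the cipher are simplified (HMAC keystream instead of the negotiated CBC
cipher). Illustration only, not for production use.
"""
import hashlib
import hmac
import secrets

# 1024-bit MODP group (RFC 2409 group 2); the generator is 2.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
        "FFFFFFFFFFFFFFFF", 16)
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated PRF; HMAC-SHA256 is used here."""
    return hmac.new(key, data, hashlib.sha256).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for the negotiated cipher: XOR with an HMAC keystream."""
    out, counter = bytearray(), 0
    while len(out) < len(data):
        out += prf(key, counter.to_bytes(4, "big"))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def i2b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


class Peer:
    """One VPN gateway (constructed for the example)."""

    def __init__(self, ip: str, identity: bytes, psk_by_peer_ip: dict):
        self.ip, self.identity = ip, identity
        self.psk_by_peer_ip = psk_by_peer_ip   # PSK table keyed on peer IP
        self.x = secrets.randbelow(P - 2) + 1  # DH private exponent
        self.cookie = secrets.token_bytes(8)
        self.nonce = secrets.token_bytes(16)

    def public(self) -> int:
        return pow(G, self.x, P)


def run_main_mode(initiator: Peer, responder: Peer) -> dict:
    """Runs the six Main mode messages; returns the result and the wire log."""
    wire = []
    # MSG 1/2: SA proposal and the responder's choice, sent in the clear.
    sa_i = b"proposal:AES-CBC,HMAC-SHA256,DH-group2,PSK"
    wire.append(("I->R", sa_i))
    wire.append(("R->I", b"accepted:" + sa_i))
    # MSG 3/4: DH public values and nonces, still in the clear.
    wire.append(("I->R", i2b(initiator.public()) + initiator.nonce))
    wire.append(("R->I", i2b(responder.public()) + responder.nonce))

    gxy = pow(responder.public(), initiator.x, P)   # identical on both sides
    gxi, gxr = i2b(initiator.public()), i2b(responder.public())
    ckyi, ckyr = initiator.cookie, responder.cookie

    def keys(me: Peer, peer_ip: str):
        # The PSK must be chosen NOW, keyed on the peer's IP address: the
        # peer's identity only arrives in message 5/6, already encrypted.
        psk = me.psk_by_peer_ip.get(peer_ip, b"")
        skeyid = prf(psk, initiator.nonce + responder.nonce)
        skeyid_d = prf(skeyid, i2b(gxy) + ckyi + ckyr + b"\x00")
        skeyid_a = prf(skeyid, skeyid_d + i2b(gxy) + ckyi + ckyr + b"\x01")
        skeyid_e = prf(skeyid, skeyid_a + i2b(gxy) + ckyi + ckyr + b"\x02")
        return skeyid, skeyid_e

    # MSG 5: initiator sends IDii and HASH_I, encrypted under SKEYID_e.
    skeyid_i, ske_i = keys(initiator, responder.ip)
    hash_i = prf(skeyid_i, gxi + gxr + ckyi + ckyr + sa_i + initiator.identity)
    msg5 = xor_stream(ske_i, initiator.identity + b"|" + hash_i)
    wire.append(("I->R", msg5))

    # Responder decrypts with keys derived from ITS PSK table entry.
    skeyid_r, ske_r = keys(responder, initiator.ip)
    id_i, _, recv_hash_i = xor_stream(ske_r, msg5).partition(b"|")
    expected = prf(skeyid_r, gxi + gxr + ckyi + ckyr + sa_i + id_i)
    if not hmac.compare_digest(recv_hash_i, expected):
        return {"authenticated": False, "wire": wire}

    # MSG 6: responder answers with IDir and HASH_R, also encrypted.
    hash_r = prf(skeyid_r, gxr + gxi + ckyr + ckyi + sa_i + responder.identity)
    msg6 = xor_stream(ske_r, responder.identity + b"|" + hash_r)
    wire.append(("R->I", msg6))
    id_r, _, recv_hash_r = xor_stream(ske_i, msg6).partition(b"|")
    expected = prf(skeyid_i, gxr + gxi + ckyr + ckyi + sa_i + id_r)
    ok = hmac.compare_digest(recv_hash_r, expected)
    return {"authenticated": ok, "peer_identity": id_r, "wire": wire}


def identities_in_clear(result: dict, *identities: bytes) -> bool:
    """True if any identity appears as plaintext in any message on the wire."""
    return any(i in payload for _, payload in result["wire"] for i in identities)


if __name__ == "__main__":
    a = Peer("198.51.100.1", b"gw-a.example.net", {"203.0.113.2": b"correct horse"})
    b = Peer("203.0.113.2", b"gw-b.example.net", {"198.51.100.1": b"correct horse"})
    print(run_main_mode(a, b)["authenticated"])
```

The point worth noticing is in `keys()`: SKEYID_e, the key that encrypts messages 5 and 6, is derived from the pre-shared key before either identity has been seen, so the responder can only pick the key by the initiator's source IP address. That is the reason behind the static-IP requirement stated above; with certificates the identity travels inside the encrypted message and the peer's address no longer has to be stable. A wrong or missing table entry does not produce an error message, it simply yields a HASH_I that fails to verify, which is what a mismatched pre-shared key looks like in a Phase 1 failure.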

Further Reading

Wikipedia's guide to Internet Key Exchange


FAQs

What is main mode in site-to-site VPN?

  • Main Mode - used when both VPN sites have a permanent/static public IP address.
  • Aggressive Mode - used when one site has a permanent/static public IP and the other site has a dynamic/temporary public IP address.
  • Hub and Spoke - used when two or more remote sites (spokes) want to connect to a central site (hub).

What is the main mode in IPsec?

Main mode uses six messages, while aggressive mode uses only three. Main mode also protects the identity of the endpoints by encrypting their information, while aggressive mode sends it in clear text. Therefore, main mode is more secure but slower than aggressive mode.

What are the two modes of IPsec VPN?

IPSec operates in two modes: Transport mode and Tunnel mode. You use transport mode for host-to-host communications. In transport mode, the data portion of the IP packet is encrypted, but the IP header is not. The security header is placed between the IP header and the IP payload.

What is the difference between IPsec and Site-to-Site VPN?

IPsec VPN securely interconnects entire networks (site-to-site VPN) OR remote users with a particular protected area such as a local network, application, or the cloud. SSL VPN creates a secure tunnel from the host's web browser to a particular application.

What VPN mode should I use?

The most important thing is to pick one that best suits your needs. We recommend using WireGuard or IKEv2 for general use and OpenVPN if you need to set up a VPN on your router.

When would you use a site-to-site VPN?

Site-to-site VPNs are useful for companies that prioritize private, protected traffic and are particularly helpful for organizations with more than one office spread out over large geographical locations.

What are the two modes of IPsec?

The IPsec standards define two distinct modes of IPsec operation, transport mode and tunnel mode. The modes do not affect the encoding of packets. The packets are protected by AH, ESP, or both in each mode.

Does IKEv2 use main mode?

With main mode, the phase 1 and phase 2 negotiations are in two separate phases. Phase 1 main mode uses six messages to complete; phase 2 in quick mode uses three messages. IKEv2 combines these modes into a four message sequence.

What is the difference between IPsec main mode and IPsec aggressive mode?

Differences between the two IPsec modes:
  1. Main mode requires six messages to be exchanged, while aggressive mode requires only three.
  2. Main mode negotiation is more rigorous and secure than aggressive mode negotiation.

What are the 3 main protocols that IPSec uses?

Some IPSec protocols are given below.
  • Authentication header (AH)
  • Encapsulating security payload (ESP)
  • Internet key exchange (IKE)

When should I use IPSec tunnel mode?

Tunnel mode is most commonly used for configurations that need a secure connection between two different networks separated by an intermediate untrusted network (such as the Internet). Typical tunnel mode use cases are gateway-to-gateway, server-to-gateway, and server-to-server.

What is an example of a site-to-site VPN?

For example, a site-to-site VPN would allow a company's headquarters in Lake Forest, IL to connect to a smaller branch in Los Angeles, CA. Due to the rise of remote work and eLearning, businesses take advantage of this tech to share information securely.

How to set up IPSec site-to-site VPN?

How to Set Up an IPsec VPN Client
  1. Right-click on the wireless/network icon in your system tray.
  2. Select Open Network and Sharing Center. ...
  3. Click Set up a new connection or network.
  4. Select Connect to a workplace and click Next.
  5. Click Use my Internet connection (VPN).
  6. Enter Your VPN Server IP in the Internet address field.

Is IPSec better than VPN?

Neither is better inherently. The choice depends on user requirements. SSL VPNs are generally more user friendly and easier to use, providing secure access without requiring client software. IPSec VPNs are often preferred for their ability to secure all network traffic at the IP layer.

What is the primary function of site-to-site VPN?

A site-to-site VPN provides access from one network to another over the internet. It works by creating a secure, encrypted tunnel between two networks located at different sites. The tunnel acts as a direct link through which data can be securely transmitted.

What is the best connection mode for VPN?

What Each VPN Protocol Is Best For
  • OpenVPN is a good general-purpose protocol for ensuring your privacy. ...
  • WireGuard is both fast and secure. ...
  • IKEv2/IPSec's ability to connect quickly makes it great for mobile phones using cellular data.
  • L2TP/IPSec is best for manual VPN configuration since it's easy to set up.

How can I configure a site-to-site VPN policy using main mode?

  1. Click Network in the top navigation menu.
  2. Navigate to IPsec VPN | Rules and Settings, click Add. ...
  3. Click General tab. ...
  4. Click Network Tab. ...
  5. Click the Proposals Tab.
  6. Under IKE (Phase 1) Proposal, select Main Mode from the Exchange menu.

What is VPN mode?

VPN stands for "Virtual Private Network" and describes the opportunity to establish a protected network connection when using public networks. VPNs encrypt your internet traffic and disguise your online identity. This makes it more difficult for third parties to track your activities online and steal data.

Article information

Author: Nathanael Baumbach
