Quick mode
In Quick mode, each message carries a keyed hash (HASH(1), HASH(2) and HASH(3) in RFC 2409 terms) inside the encrypted payload. Because the hash is computed with the authentication key of the ISAKMP SA, it authenticates the source of the message (that is, it binds the message to a specific ISAKMP SA), protects the integrity of the message and, through the nonces it covers, proves liveness: the peer is answering this exchange rather than replaying an earlier one. In message 1, the initiator sends a list of acceptable proposals to the responder. Each proposal defines an acceptable combination of attributes for the non-ISAKMP SA that is being negotiated (an AH or ESP SA):
- Protocol (AH, ESP, or both AH and ESP)
- Authentication algorithm (for example, HMAC-MD5 or HMAC-SHA1)
- Encapsulation mode (tunnel or transport)
- Encryption algorithm (for example, DES, 3DES or AES)
- Diffie-Hellman group (for example, group 1, group 2, group 5 or group 14), when a Diffie-Hellman exchange is requested
- Lifetime (in seconds) and life size (in kilobytes of traffic) of the IPsec SA
The responder picks one proposal that is acceptable and returns that choice to the initiator in message 2. Message 3 then carries the initiator's final hash, which covers both nonces and completes the exchange. DES, HMAC-MD5 and Diffie-Hellman groups 1 and 2 appear in the lists above only because older peers still offer them; they are considered weak and should not be selected where stronger options are available.
Quick mode can also carry an optional Diffie-Hellman exchange. When it does, the initiator includes a Diffie-Hellman public value (for example, g**x mod n) in message 1, and the responder includes a Diffie-Hellman public value (for example, g**y mod n) in message 2. The shared secret that results (g**xy mod n) is mixed into the keyed-hash calculation that generates the keying material for the non-ISAKMP SA, together with the key derived in phase 1 (SKEYID_d), the protocol, the SPI and the two nonces. This is what provides perfect forward secrecy (PFS): without the exchange, anyone who later recovers the ISAKMP SA's keys can rederive the IPsec SA keys from captured traffic, because every other input is visible on the wire; with it, they would also need the ephemeral private value x or y, which each peer discards once the SA is established.
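The following illustration is added here and is not code from the original page. It runs the three Quick mode messages described above, with the per-message keyed hash and the keying-material (KEYMAT) derivation laid out as in RFC 2409, and shows both points the text makes: a tampered SA payload fails the hash check, and an eavesdropper who later obtains SKEYID_d can rederive the IPsec keys from wire data only when no Diffie-Hellman exchange took place. Everything in it is an assumption for illustration: SKEYID_a and SKEYID_d are random stand-ins for phase 1 output, the PRF is HMAC-SHA1, the SA payload is a placeholder byte string, and the Diffie-Hellman group is a toy 64-bit prime rather than a real IKE MODP group.

```python
"""Quick mode (IKEv1 phase 2) HASH(1..3) and KEYMAT derivation after RFC 2409.

Added illustration, not code from the original page. Assumptions:
SKEYID_a / SKEYID_d would come from a completed phase 1 and are random here;
the PRF is HMAC-SHA1; the SA payload is a stand-in byte string; the DH group is
a toy 64-bit prime, NOT an IKE MODP group (real peers use group 2, 5, 14 ...)."""
import hashlib
import hmac
import secrets

P = 0xFFFFFFFFFFFFFFC5   # 2**64 - 59, prime; toy size chosen so values fit in 8 bytes
G = 2
AH, ESP = b"\x02", b"\x03"   # IPsec DOI protocol IDs (RFC 2407)


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(x: int, peer_pub: int) -> bytes:
    return pow(peer_pub, x, P).to_bytes(8, "big")


# The three keyed hashes, each computed with SKEYID_a (the ISAKMP SA auth key):
def hash1(skeyid_a, mid, sa, ni, ke=b""):
    return prf(skeyid_a, mid + sa + ni + ke)          # HASH(1): M-ID | SA | Ni [| KE]


def hash2(skeyid_a, mid, ni, sa, nr, ke=b""):
    return prf(skeyid_a, mid + ni + sa + nr + ke)     # HASH(2): M-ID | Ni | SA | Nr [| KE]


def hash3(skeyid_a, mid, ni, nr):
    return prf(skeyid_a, b"\x00" + mid + ni + nr)     # HASH(3): 0 | M-ID | Ni | Nr


def keymat(skeyid_d, protocol, spi, ni, nr, nbytes, gxy=b""):
    """KEYMAT = K1 | K2 | ..., Kn = prf(SKEYID_d, K(n-1) | [g^xy |] protocol | SPI | Ni | Nr)."""
    seed = gxy + protocol + spi + ni + nr
    out, k = b"", b""
    while len(out) < nbytes:
        k = prf(skeyid_d, k + seed)
        out += k
    return out[:nbytes]


def quick_mode(pfs: bool, tamper: bool = False) -> dict:
    """Run the 3-message exchange; 'tamper' flips one byte of the SA payload in transit."""
    skeyid_a, skeyid_d = secrets.token_bytes(20), secrets.token_bytes(20)
    mid = secrets.token_bytes(4)                       # message ID of this phase 2 exchange
    sa = b"ESP tunnel AES-128 HMAC-SHA1"              # stand-in for the SA proposal payload
    spi = secrets.token_bytes(4)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    ke_i = gxi.to_bytes(8, "big") if pfs else b""
    ke_r = gxr.to_bytes(8, "big") if pfs else b""
    fail = {"ok": False, "keymat_i": None, "keymat_r": None, "guess": None}

    # message 1 (initiator -> responder): HASH(1), SA, Ni [, KE]; responder recomputes
    sa_rx = sa[:-1] + bytes([sa[-1] ^ 1]) if tamper else sa
    if not hmac.compare_digest(hash1(skeyid_a, mid, sa, ni, ke_i),
                               hash1(skeyid_a, mid, sa_rx, ni, ke_i)):
        return fail                                    # responder rejects: hash mismatch
    # message 2 (responder -> initiator): HASH(2), chosen SA, Nr [, KE]; initiator recomputes
    if not hmac.compare_digest(hash2(skeyid_a, mid, ni, sa_rx, nr, ke_r),
                               hash2(skeyid_a, mid, ni, sa, nr, ke_r)):
        return fail
    # message 3 (initiator -> responder): HASH(3) covers both nonces, proving liveness
    if not hmac.compare_digest(hash3(skeyid_a, mid, ni, nr), hash3(skeyid_a, mid, ni, nr)):
        return fail

    gxy_i = dh_shared(xi, gxr) if pfs else b""
    gxy_r = dh_shared(xr, gxi) if pfs else b""
    km_i = keymat(skeyid_d, ESP, spi, ni, nr, 36, gxy_i)  # 16 AES-128 + 20 HMAC-SHA1 key bytes
    km_r = keymat(skeyid_d, ESP, spi, ni, nr, 36, gxy_r)
    # An eavesdropper who later obtains SKEYID_d has every wire value but not x or y
    guess = keymat(skeyid_d, ESP, spi, ni, nr, 36)
    return {"ok": True, "keymat_i": km_i, "keymat_r": km_r, "guess": guess}


def peers_agree(pfs: bool) -> bool:
    r = quick_mode(pfs)
    return r["ok"] and r["keymat_i"] == r["keymat_r"]


def eavesdropper_recovers_keymat(pfs: bool) -> bool:
    r = quick_mode(pfs)
    return r["ok"] and r["guess"] == r["keymat_i"]


if __name__ == "__main__":
    print("peers agree (no PFS):", peers_agree(False))
    print("peers agree (PFS):", peers_agree(True))
    print("SKEYID_d leak recovers KEYMAT, no PFS:", eavesdropper_recovers_keymat(False))
    print("SKEYID_d leak recovers KEYMAT, PFS:", eavesdropper_recovers_keymat(True))
    print("tampered SA accepted:", quick_mode(True, tamper=True)["ok"])
```

Running the script shows the peers deriving identical KEYMAT in both modes, the eavesdropper's rederivation succeeding only without PFS, and the tampered SA being rejected at message 1. The toy group keeps the numbers readable; swap in a real MODP group (and a proper SA payload encoding) before using any of this outside a demonstration.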