Quick mode

A Quick mode exchange is comprised of three messages, as shown in Figure 1.

Figure 1. Quick mode exchange messages

In quick mode, the initiator server A exchanges three messages with responder server B. A sends one message to B including encrypted Hash, proposed SAs, Nonce, and optional information. A receives one message from B including encrypted Hash, SA accepted, Nonce, and optional information. The optional information can be key generation information, identity information, or both. A also sends the other message of encrypted Hash to B. All the messages must be encrypted.

In Quick mode, each message contains an encrypted hash. This hash authenticates the source of the message (for example, verifies that it is bound to an ISAKMP SA), authenticates the integrity of the message, and proves liveliness. In message 1, the initiator sends a list of acceptable proposals to the responder. Each proposal defines an acceptable combination of attributes for the non-ISAKMP SA that is being negotiated (AH or ESP SA). The responder picks a proposal that is acceptable and returns the choice to the initiator in message 2.

The attributes that can be negotiated in Quick mode include the following:

Protocol (AH, ESP, or both AH and ESP)
Authentication algorithm (for example, Hmac-Md5 or Hmac-Sha)
Encapsulation mode (tunnel or transport)
Encryption algorithm (for example, DES, 3DES or AES)
Diffie-Hellman group information (for example, group 1, group 2, group 5 or group 14)
Life time and life size of the IPSec SA

Quick mode enables an optional Diffie-Hellman exchange to occur. When the Diffie-Hellman exchange is to take place, the initiator includes a Diffie-Hellman public value (for example, g**x mod n) in message 1, and the responder includes a Diffie-Hellman public value (for example, g**y mod n) in message 2. The key generated from this Diffie-Hellman exchange is used in the calculation that generates the keying material for the non-ISAKMP SA. The Diffie-Hellman exchange provides perfect forward secrecy (PFS).