
A Hybrid Authentication Mode for IKE

Document type: Expired Internet-Draft (ipsec WG)
Document stream: IETF
Last updated: 2000-08-10
Intended RFC status: Unknown
Other versions: (expired, archived): plain text, pdf, html

IETF State: WG Document
Document shepherd: No shepherd assigned

IESG State: Expired
Responsible AD: (None)
Send notices to: No addresses provided

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found here:


This document describes a set of new authentication methods to be used within Phase 1 of the Internet Key Exchange (IKE). The proposed methods assume an asymmetry between the authenticating entities. One entity, typically an Edge Device (e.g. firewall), authenticates using standard public key techniques (in signature mode), while the other entity, typically a remote User, authenticates using challenge response techniques. These authentication methods are used to establish, at the end of Phase 1, an IKE SA which is unidirectionally authenticated. To make this IKE bi-directionally authenticated, this Phase 1 is immediately followed by an X-Auth Exchange [XAUTH]. The X-Auth Exchange is used to authenticate the remote User. The use of these authentication methods is referred to as Hybrid Authentication mode. This proposal is designed to provide a solution for environments where a legacy authentication system exists, yet a full public key infrastructure is not deployed.


Moshe Litvin
Roy Shamir
Tamir Zegman

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid)