VPN Basic question

Answered Question
Feb 20th, 2007

Hi,

I have a very basic question regarding IPSec and IKE in the VPN. I would appreciate it if, instead of giving me links, you could describe it to me in a very simple manner.

I understand that IKE provides a secure channel to negotiate with the peers and creates a SA based on the policies that are decided by the peers.

Can you please tell me how the Phase 1 SA differs from the Phase 2 SA?

Thanks for the help

Jason

Kamal Malhotra Tue, 02/20/2007 - 08:17

Hi Jason,

Basically, the phase 1 SA is for securing the pre-shared key and phase 2 policy negotiations. First the phase 1 policies are negotiated and the channel is made secure based on the phase 1 policies like encryption and hash algorithms. The phase 1 negotiation in a site-to-site scenario happens in Main mode. In Main mode a total of six packets are exchanged, 3 from each end. These packets contain different phase 1 policies like encryption algorithm, hash algorithm, Diffie-Hellman key size, lifetime and whether NAT-T is being used or not. Once these packets have been exchanged, the channel is secure using the phase 1 encryption policy. After this the pre-shared key is exchanged and phase 1 comes up.

Now the phase 2 policies are supposed to be negotiated. This negotiation happens in a secure manner using the channel provided by phase 1. Once the phase 2 policies have been negotiated, the channel is made secure using the phase 2 encryption policy. All the data flowing across then is encrypted using the phase 2 policy. Please be informed that the phase 1 and phase 2 policies can be different. It's just that those have to be the same on either end.

HTH,

Please let me know if you need further information.

Please do rate if it helps.

Regards,

Kamal

jasonbailey80 Tue, 02/20/2007 - 08:34

Hi Kamal,

Thanks a lot Kamal!!! Just one question. This was the one I was after and the reason that I have raised this question on the forum.

What are the phase 2 policies? Is it the Transform-set?

Thanks

Jason

kaachary Tue, 02/20/2007 - 08:39

Hi Jason,

Phase 2 policies include...

The transform set

PFS (Perfect Forward Secrecy)

The crypto ACL and

Phase 2 Lifetime

The first three must match on both ends for the tunnel to establish.

HTH,

-Kanishka

Correct Answer
Kamal Malhotra Tue, 02/20/2007 - 08:44

Hi Jason,

You got the answer from Kanishka. :-)

Talking of the phase 2 lifetime, even if it is not the same on both the ends, the tunnel might come up but we expect problems at the time of tunnel renegotiation.

HTH,

Please do rate if it helps.

Regards,

Kamal
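A small configuration-audit check for the phase 2 rules Kanishka listed and Kamal's lifetime remark, added here as an illustration; it is not code from this thread or from Cisco. The policy model and the sample hub/spoke values are constructed, and "matching crypto ACL" is taken to mean the peer's ACL is the mirror image (source and destination swapped) of ours.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed model of the IKEv1 phase 2 (IPsec SA) parameters discussed in the thread.
@dataclass(frozen=True)
class AclEntry:
    src: str  # protected source network, e.g. "10.1.1.0/24"
    dst: str  # protected destination network

@dataclass(frozen=True)
class Phase2Policy:
    transform_set: FrozenSet[str]    # e.g. {"esp-aes", "esp-sha-hmac"}
    pfs_group: Optional[int]         # Diffie-Hellman group for PFS, None = PFS not configured
    crypto_acl: FrozenSet[AclEntry]  # interesting traffic
    lifetime_sec: int                # phase 2 SA lifetime

def mirrored(acl: FrozenSet[AclEntry]) -> FrozenSet[AclEntry]:
    """The peer's crypto ACL must be ours with source and destination swapped."""
    return frozenset(AclEntry(e.dst, e.src) for e in acl)

def check_phase2(local: Phase2Policy, peer: Phase2Policy) -> Tuple[List[str], List[str]]:
    """Return (blocking, warnings). Blocking mismatches stop the tunnel from
    establishing; warnings let it come up but cause trouble at renegotiation."""
    blocking: List[str] = []
    warnings: List[str] = []
    if local.transform_set != peer.transform_set:
        blocking.append(f"transform set {sorted(local.transform_set)} != {sorted(peer.transform_set)}")
    if local.pfs_group != peer.pfs_group:
        blocking.append(f"PFS group {local.pfs_group} != {peer.pfs_group}")
    if local.crypto_acl != mirrored(peer.crypto_acl):
        blocking.append("crypto ACL is not the mirror image of the peer's")
    if local.lifetime_sec != peer.lifetime_sec:
        warnings.append(f"phase 2 lifetime {local.lifetime_sec}s != {peer.lifetime_sec}s: "
                        "tunnel may come up, expect trouble when the SA is renegotiated")
    return blocking, warnings

# Constructed sample: a hub with one correctly configured spoke and one misconfigured spoke.
HUB = Phase2Policy(frozenset({"esp-aes", "esp-sha-hmac"}), 2,
                   frozenset({AclEntry("10.1.1.0/24", "10.2.2.0/24")}), 3600)
GOOD_SPOKE = Phase2Policy(frozenset({"esp-aes", "esp-sha-hmac"}), 2,
                          frozenset({AclEntry("10.2.2.0/24", "10.1.1.0/24")}), 28800)
BAD_SPOKE = Phase2Policy(frozenset({"esp-3des", "esp-sha-hmac"}), None,
                         frozenset({AclEntry("10.2.2.0/24", "10.1.1.0/24")}), 3600)

if __name__ == "__main__":
    for name, spoke in (("good", GOOD_SPOKE), ("bad", BAD_SPOKE)):
        blocking, warnings = check_phase2(HUB, spoke)
        print(name, "tunnel:", "BLOCKED" if blocking else "OK", blocking, warnings)
```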
