IPSEC and IKE lifetime questions

Jul 20th, 2007

I have a few questions about this:


Is IKE the same as ISAKMP?


Since the ISAKMP is phase 1, this lifetime means the tunnel is going to drop out after whatever the lifetime is set to?


The IPSEC lifetime is the amount of time the encryption algorithm goes before rekeying?

Jon Marshall Sat, 07/21/2007 - 04:42

Hi Wilson


IKE is not quite the same as ISAKMP. ISAKMP is one element within IKE but there are others. Think of IKE as a kind of meta protocol which comprises:


1) ISAKMP - for defining the message format for the IPSEC exchanges between peers.

2) SKEME - which is used to authenticate both sides of the communication

3) OAKLEY - used for deriving the per session encryption key


The lifetimes are pretty much what you suggest. If the tunnel is still in use when the lifetime expires it should renegotiate without dropping the tunnel.


HTH


Jon

wilson_1234_2 Sat, 07/21/2007 - 04:55

Thanks Jon,


So,


1. All of IKE is phase 1?


2. All three of the components (ISAKMP, SKEME and OAKLEY) are ALWAYS in use during VPN communication?

Jon Marshall Sat, 07/21/2007 - 05:01

Wilson


1) Yes and No. It's a bit misleading because of the commands used sometimes on Cisco kit but IKE has a phase 1 where it sets up a secure communication between the peers and then a phase 2 where it sets up the actual SAs to transfer the data. So IKE actually is involved in both phases.


2) Yes they are.


HTH


Jon
