Help: Understanding IKE Phases

Sep 4th, 2007


I know how to configure a site-to-site VPN tunnel, but I just want to know what really happens during Phase 1 and 2. This can really help during troubleshooting.

I understand that IKE phase 1 is used to establish IKE SAs. But I'm a little confused about the purpose of the Encryption and Hash functions when defining an ISAKMP Policy. Are these the encryption and hash that will be used during negotiation? Is the preshared key transmitted during Phase 1 or 2? What really happens during Phase 1 or 2? Can someone help me understand this in detail? Thank you very much.



m.volodko Wed, 09/05/2007 - 08:56


Some time ago I was interested in similar questions. To be completely honest, I cannot say that I understand all the nuances, but I'm trying.

Well, 5 phases of IPSec:

IPSec phase 1:

In this step the router looks for interesting traffic going through. It uses the crypto ACL for this.

IPSec phase 2 (IKE Phase 1):

a) The Encryption and Hash functions for IKE are used only to create the first SA, which is used to protect the IKE process itself.

b) The preshared key is not transmitted; IPSec uses the DH algorithm, which can guarantee that the same key will be used on both sides of the tunnel.

c) Creates the tunnel for the second IKE phase.

IPSec phase 3 (IKE Phase 2):

a) The main goal of this phase is to establish the tunnel that will be used for normal operation.

IPSec phase 4:

Just encrypt/decrypt operations, i.e. working :)

IPSec phase 5:

Closing the IPSec tunnel; can be performed on request (clear ipsec sa) or by timeout.

If anybody finds any errors in my opinion or can add something, please do not hesitate, you are welcome :)

John Patrick Lopez Wed, 09/05/2007 - 09:28

Thank you very much for your reply. :) I'm also looking for a step-by-step description of IKE Phase 1 and 2, meaning what is being transmitted during Phase 1 and what is being transmitted during Phase 2. I would also like to understand the encryption and hash functions in the ISAKMP Policy. Thank you very much.

srue Wed, 09/05/2007 - 11:06

5 phases? You're going to confuse this poor person.

In IPsec speak, phase 1 is used to establish IKE SAs (security associations).

Phase 2 is used to establish IPsec SAs.

Here are five STEPS:

1. "Interesting traffic" initiates the IPSec process. Traffic is deemed interesting when the IPSec security policy configured in the IPSec peers starts the IKE process.

2. IKE phase 1. IKE authenticates IPSec peers and negotiates IKE SAs during this phase, setting up a secure channel for negotiating IPSec SAs in phase 2.

3. IKE phase 2. IKE negotiates IPSec SA parameters and sets up matching IPSec SAs in the peers.

4. Data transfer. Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database.

5. IPSec tunnel termination. IPSec SAs terminate through deletion or by timing out.


It's very important when you talk to other techies that you use the correct terminology; otherwise they won't know what you're talking about.

As far as how this can help in troubleshooting: if you know which phase an IPsec connection gets stuck at or is having problems in, this can help you troubleshoot.
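The Phase 1 flow described in the steps above, as an added toy model that is not code from this thread or from any vendor's IKE implementation: the ISAKMP policy match, the DH exchange, and the pre-shared key feeding SKEYID (RFC 2409) without ever appearing on the wire. The policy entries, the tiny DH group and HMAC-SHA1 standing in for the negotiated PRF are constructed for illustration only.

```python
# Toy model of IKE Phase 1 (main mode, pre-shared key authentication).
# Constructed example: the DH prime is tiny and NOT secure, HMAC-SHA1 stands in
# for the negotiated hash/PRF, and HASH_I/HASH_R are simplified (the real ones
# also cover cookies, the SA payload and identities). Not a real IKE stack.
import hmac, hashlib, secrets

# Constructed policies, like "crypto isakmp policy" entries on two peers.
INITIATOR_POLICIES = [
    {"encr": "aes-256", "hash": "sha", "group": 5, "auth": "pre-share"},
    {"encr": "3des", "hash": "md5", "group": 2, "auth": "pre-share"},
]
RESPONDER_POLICIES = [
    {"encr": "3des", "hash": "md5", "group": 2, "auth": "pre-share"},
]

P, G = 2_147_483_647, 5  # toy DH group (constructed); real groups are 1024+ bits

def negotiate_policy(offers, accepted):
    """Messages 1-2: responder picks the first offered policy it also accepts."""
    for proposal in offers:
        if proposal in accepted:
            return proposal
    return None  # no common policy: Phase 1 fails before any key exchange

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def skeyid(psk, ni, nr):
    """RFC 2409: SKEYID = prf(pre-shared-key, Ni_b | Nr_b). Only nonces travel."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()

def phase1(psk_i, psk_r):
    """Run the exchange; return (negotiated policy, bytes seen on the wire, auth ok)."""
    policy = negotiate_policy(INITIATOR_POLICIES, RESPONDER_POLICIES)
    if policy is None:
        return None, b"", False
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    # Messages 3-4: KE and nonce payloads. This is everything an observer sees.
    wire = gxi.to_bytes(4, "big") + ni + gxr.to_bytes(4, "big") + nr
    shared_i, shared_r = pow(gxr, xi, P), pow(gxi, xr, P)
    assert shared_i == shared_r  # both sides derive the same DH secret locally
    # Messages 5-6: each side proves knowledge of the PSK with a keyed hash, sent
    # under the IKE SA keys. A PSK mismatch surfaces here, not as a wire leak.
    hash_i = hmac.new(skeyid(psk_i, ni, nr), shared_i.to_bytes(4, "big"), hashlib.sha1).digest()
    hash_r = hmac.new(skeyid(psk_r, ni, nr), shared_r.to_bytes(4, "big"), hashlib.sha1).digest()
    return policy, wire, hmac.compare_digest(hash_i, hash_r)
```

Running `phase1(b"cisco123", b"cisco123")` succeeds on the 3des/md5/group 2 policy, while a mismatched key fails only at the authentication hash step.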

