Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2498
Views
0
Helpful
3
Replies

Help: Understanding IKE Phases

jpl861
Level 4
Level 4

‎09-04-2007 02:21 PM

Hi,

I know how to configure site-to-site VPN tunnel but I just want to know what really happens during Phase 1 and 2. This can really help during troubleshooting.

I understand that IKE phase 1 is used to establish IKE SAs. But I'm a little confused with the purpose of the Encryption and Hash functions when defining an ISAKMP Policy. Is this the encryption and hash that will be used during negotiation? Is the preshared key transmitted during Phase 1 or 2? What does really happen during Phase 1 or 2? Can someone help me understand this in detail? Thank you very much.

Regards,

John

Labels:
0 Helpful
3 Replies 3

m.volodko
Level 1
Level 1

‎09-05-2007 08:56 AM

Hello.

Some time ago i was interested in similar questions. To be completely honest I cannot say that i understand all nuance but i'm trying.

Well 5 phases IPSec

IPSec phase 1:

On this step router looking for interesting traffic going through. Uses for this crypto acl.

IPSec phase 2 (IKE Phase 1):

a) Encryption and Hash functions for IKE using only to create first SA that used for protect IKE process itself.

b) Preshared key do not transmited, IPSec uses DH algorithm that can guaranty that on both sides of tunnel will be used the same key.

c) Creates tunnel for second IKE phase

IPSec phase 3 (IKE Phase 2):

a) Main goal for this phase establish tunnel that will be used for normal operation.

IPSec phase 4:

Just encrypt/decrypt operations. i.e. working )

IPSec phase 5:

Closing IPSec tunnel, can be performed by request (clear ipsec sa) or by timeout

If anybody find some errors in my opinion or can add something, please do not be hesitated, you are welcome :)

0 Helpful

jpl861
Level 4
Level 4
In response to m.volodko

‎09-05-2007 09:28 AM

Thank you very much for your reply. :) I'm also looking for a step by step description of IKE Phase 1 and 2. Meaning what are being transmitted during Phase 1 and what are being transmitted during Phase 2. I also would like to understand the encryption and hash functions in the ISAKMP Policy. Thank you very much.

0 Helpful

srue
Level 7
Level 7
In response to jpl861

‎09-05-2007 11:06 AM

5 phases? you're going to confuse this poor person.

In ipsec speak, phase 1 is used to establish IKE SA's (security associations).

Phase 2 is used to establish ipsec sa's.

here are five STEPS:

1. "Interesting traffic" initiates the IPSec process. Traffic is deemed interesting when the IPSec security policy configured in the IPSec peers starts the IKE process.

2. IKE phase 1. IKE authenticates IPSec peers and negotiates IKE SAs during this phase, setting up a secure channel for negotiating IPSec SAs in phase 2.

3. IKE phase 2. IKE negotiates IPSec SA parameters and sets up matching IPSec SAs in the peers.

4. Data transfer. Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database.

5. IPSec tunnel termination. IPSec SAs terminate through deletion or by timing out.

--------------

it's very important when you talk to other techies that you use the correct terminology, otherwise they won't know what you're talking about.

as far as how this can help in troubleshooting, if you know what phase an ipsec connection gets stuck at or is having problems, this can help you troubleshoot.

http://www.ciscopress.com/articles/article.asp?p=25474&seqNum=7

0 Helpful
Customers Also Viewed These Support Documents