Unanswered Question
Jun 4th, 2009

I get confused about IPsec IKE when preparing for the ISCW test.

According to the Cisco textbook,

IKE phase 1 will negotiate the encryption method, like 3DES or DES, but IKE phase 2 will also negotiate encryption again; you can choose esp_3des or esp_des, etc.

Why can the encryption be defined twice?

It is also not clear why we split IKE into 2 phases, when they just negotiate the security parameters with the other end.

Jon Marshall Thu, 06/04/2009 - 10:24


IKE Phase 1 and IKE Phase 2 are doing 2 separate things.

Phase 2 is concerned with setting up tunnels for the exchange of the actual data. The encryption algorithm as well as the hash, e.g. md5/sha, are used to actually encrypt the data that is sent between peers. But to be able to do this, the 2 peers need to have exchanged a key to use to encrypt and decrypt the actual data.

The problem is how you securely exchange the key that IKE Phase 2 needs to encrypt/decrypt the data. You can't just send it in clear text, as this key provides the security for the data.

So you need to set up a secure connection between the 2 VPN peers so that you can send the key needed by Phase 2 but keep that exchange secure. This is what IKE Phase 1 does. It sets up a secure connection to then exchange a key to be used for Phase 2.

So you can use a different encryption and hash algorithm, as the 2 phases are separate. It's common to use the same for both phases, but you don't have to.
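The point made in the answer above, that the two phases carry their own algorithm choices, is easiest to see in an IOS site-to-site configuration. The following is an added example, not part of the original thread or Cisco's own material: the ISAKMP policy (Phase 1) deliberately uses 3DES/SHA, while the transform set (Phase 2) uses AES/SHA, so the algorithm that protects the key exchange and the algorithm that protects the user traffic are negotiated independently. The peer address 203.0.113.2, the subnets, the pre-shared key EXAMPLE-PSK, the names TS-DATA and VPNMAP, and the interface are placeholders.

```cisco
! ---- IKE Phase 1: the ISAKMP SA that protects the key exchange itself ----
! Algorithms here are only used to secure the IKE negotiation, never user data.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
! Pre-shared key for the remote peer (placeholder key and address)
crypto isakmp key EXAMPLE-PSK address 203.0.113.2
!
! ---- IKE Phase 2: the IPsec SA that protects the actual user traffic ----
! A different cipher than Phase 1 is perfectly valid; keys come from Phase 1.
crypto ipsec transform-set TS-DATA esp-aes esp-sha-hmac
 mode tunnel
!
! Traffic that Phase 2 will protect ("interesting traffic"), placeholder subnets
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Tie the peer, the Phase 2 transform set and the traffic selector together
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-DATA
 match address 101
!
interface Serial0/0
 crypto map VPNMAP
```

When checking the result, `show crypto isakmp sa` lists the Phase 1 SA (one per peer, state QM_IDLE once established) and `show crypto ipsec sa` lists the Phase 2 SAs, which are built per traffic selector and direction and carry the transform set's AES/SHA parameters; the two outputs show the separate lifetimes and algorithms of the two phases directly. Both sides must agree on the Phase 1 policy and on the Phase 2 transform set independently; a mismatch in either one fails in its own phase, which is the usual first place to look when a tunnel does not come up.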
