301 Views · 0 Helpful · 1 Reply

IPSec IKE

intercsbarry
Level 1

I get confused about IPsec IKE when preparing for the ISCW test.

According to Cisco textbook,

IKE phase 1 will negotiate an encryption method, like 3DES or DES, but IKE phase 2 will also negotiate encryption again; you can choose esp_3des or esp_des, etc.

Why can the encryption be defined twice?

It is also not clear to me why IKE is split into 2 phases, when both of them just negotiate security parameters with the other end.

1 Reply

Jon Marshall
Hall of Fame

Barry

IKE Phase 1 and IKE Phase 2 are doing 2 separate things.

Phase 2 is concerned with setting up tunnels for the exchange of the actual data. The encryption algorithm, as well as the hash (e.g. md5/sha), are used to actually encrypt the data that is sent between peers. But to be able to do this, the 2 peers need to have exchanged a key to use to encrypt and decrypt the actual data.

The problem is: how do you securely exchange the key that IKE Phase 2 needs to encrypt/decrypt the data? You can't just send it in clear text, as this key provides the security for the data.

So you need to set up a secure connection between the 2 VPN peers so that you can send the key needed by Phase 2 but keep that exchange secure. This is what IKE Phase 1 does. It sets up a secure connection to then exchange a key to be used for Phase 2.

So you can use a different encryption and hash algorithm as the 2 phases are separate. It's common to use the same for both phases but you don't have to.

Jon
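To make the two-phase split concrete, here is an added Cisco IOS configuration example (not part of the original thread, and not Jon's or Cisco's own text). Phase 1 is configured under `crypto isakmp policy` and protects only the IKE negotiation; Phase 2 is configured in the `crypto ipsec transform-set` and protects the user data. The two sets of algorithms are chosen independently, which is exactly why the encryption appears twice. The peer address, the subnets and the key are constructed placeholders.

```cisco
! ---- IKE Phase 1 (ISAKMP SA): protects the key exchange itself ----
! The algorithms here are used only to secure the IKE channel between
! the two peers, not the user traffic.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! Pre-shared key for the peer (constructed placeholder values).
crypto isakmp key REPLACE-WITH-PSK address 203.0.113.2
!
! ---- IKE Phase 2 (IPsec SA): protects the actual data ----
! These algorithms are negotiated over the channel Phase 1 built and
! are chosen independently of the Phase 1 policy above.
crypto ipsec transform-set DATA-SET esp-aes esp-sha-hmac
 mode tunnel
!
! Traffic that should be sent through the tunnel (constructed subnets).
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Crypto map ties the peer, the Phase 2 transform set and the traffic together.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set DATA-SET
 match address VPN-TRAFFIC
!
interface Serial0/0/0
 crypto map VPN-MAP
!
! Verification: Phase 1 and Phase 2 SAs are listed separately.
!   show crypto isakmp sa   -> the Phase 1 (ISAKMP) security association
!   show crypto ipsec sa    -> the Phase 2 (IPsec) security associations
```

Running `show crypto isakmp sa` and `show crypto ipsec sa` after the tunnel comes up shows the two SAs as distinct objects with their own algorithms and lifetimes. 3DES, DES and MD5 appear in this thread because that is what the ISCW material used; they are legacy today, and current deployments use AES with SHA-2, but the Phase 1 / Phase 2 structure is the same.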