This document explains how the encryption algorithm and encryption key are used to build an IPsec tunnel.
Following options are available for Phase 1 and Phase 2 configuration:
Authentication <pre-share, rsa-encr, rsa-sig >
Encryption <3des, aes, des>
DH group < Diffie-Hellman group 1/2/5>
Hash <md5, sha>
ESP (with des/3des/aes and/or md5/sha )
AH ( with sha/md5)
*Note: Encryption Algorithm and Hash algorithm need a key in order to encrypt and hash the data respectively. Symmetric key will be used as that key.
For this scenario we assume the following are configured:
Router A (22.214.171.124) <-----------IPSec Tunnel-----------------> Router B (126.96.36.199)
Phase 1: Phase 1:
Authentication pre-share Authentication pre-share
encryption 3DES Encryption 3DES
DH group 5 DH group 5
Hash MD5 Hash MD5
Peer IP 188.8.131.52 Peer IP 184.108.40.206
Shared secret 123ABCD Shared secret 123ABCD
Phase 2: Phase 2:
Protocol ESP Protocol ESP
Encryption AES Encryption AES
Hashing SHA Hashing SHA
When interesting traffic is generated on Router A (220.127.116.11), it initiates the phase 1 exchange with Router B (18.104.22.168):
Step 1 (Un-encrypted):
Encryption Algorithm <3DES >, Hash algorithm <MD5>, DH group <group 5> and authentication method <pre-share> are agreed upon with the peer IP <22.214.171.124>
Step 2 (Un-encrypted):
DH algorithm calculates a private key and public key on both the routers. Each router exchanges its public key with the peer. Now each peer calculates a symmetric key <KEY-A> using its own private key and peers public key.
Step 3 (Encrypted (3DES), Hashed (MD5), symmetric key <KEY-A>):
Encryption Algorithm <3DES > and Hash algorithm <MD5> use the symmetric key <KEY-A> created in step 2 to encrypt and hash the data transmitted, the data during this exchange is the shared secret <123ABCD > to authenticate the peer <126.96.36.199>.
Step 4 (Encrypted (3DES), Hashed (MD5), symmetric key <KEY-A>):
Here the protocol (ESP) and encryption (AES) and hashing (SHA) algorithm is agreed upon as configured for phase 2. In addition, additional keying material is exchanged. These data exchanged is encrypted and hashed in same way as in step 3. i.e. Encryption Algorithm <AES> and Hash algorithm <MD5> use the symmetric key <KEY-A>.
Step 5 (Encrypted (AES), Hashed (SHA), symmetric key <KEY-B>):
Additional Key material exchanged in step 4 is combined with symmetric key <KEY-A> generated in step 2 to produce a new symmetric key <KEY-B>. From now on, all the data will be encrypted with encryption (AES) and hashing (SHA) algorithm using the symmetric key <KEY-B> and the protocol ESP.