Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member


iffrence between DH group  and des.

As from understanding DH uses two separate key to encrypt and decrypt the data.

Des use single key to encrypt the data

so during phase 1 in site to site vpn we use enccryption alogrithm say des and DH group also

so why both  encryption algorithm and DH group is used.please explain.

Other think what is the use of lifetime in phase 1 and phase 2.


Re: diffrences

DH: Its a key exchange method ( authentication purposes) used to provide as much security  as need it as it will use 2 different keys, one private and one public, the public being sent over the internet to the remote peer so they can authenticate each other.

Encryption Algorithm: Algorithm used to encrypt x traffic so no one else knows what that is! so this will say how strong the algoritmh method will be (Des,3des,Aes)

This migth help:


Each IPSec peer has three keys:

  • A private key that's kept secret and never shared. It's used to sign messages.
  • A public key that's shared. It's used by others to verify a signature.
  • A shared secret key that's used to encrypt data using an encryption algorithm (DES, MD5, and so on). The shared secret key is derived from Diffie-Hellman key generation.

lifetime: Determines the amount of time a VPN tunnel can be up or the amount of data that can traverse a VPN tunnel without this being re-generated.

So as an example if you set a lifetime for IKE1 of 35800 seconds. after 35800 that phase 1 needs to be re-stablished.

It is important to recall Prashant that this is the only set of the configuration ( Lifetime) that does not got to match on both ends. The lowest lifetime will  be the one used.

Hope I have been clear with this!


Looking for some Networking Assistance? Contact me directly at I will fix your problem ASAP. Cheers, Julio Carvajal Segura
New Member


Hi Julio

So what about pre-shared key it is main used to authenticate the peers ?