As you are aware, VPN connections go on in 2 phases: Phase-1 for ISAKMP negotiations and Phase-2 for IPSec negotiations. Phase-1 can go in either Main mode or Aggressive mode. The main difference between the two is that aggressive mode combines many messages into one and thereby reduces the time to create a VPN tunnel. IKE Phase-1 has only one mode, namely, Quick mode, which occurs after IKE has established the secure tunnel in Phase-1.
Basic purpose is to authenticate the IPSec peers and to set up a secure channel between the peers to enable IKE exchanges. Performs the following.
1. Negotiates a matching IKE SA policy between peers.
2. Performs an authenticated DH key exchange.
3. Authenticates and protects the identities.
4. Sets up a secure tunnel to negotiate IKE Phase-2 parameters.
Basic purpose is to negotiate IPSec SAs to set up the IPSec tunnel. Phase-2 performs the following functions.
1. Negotiates IPSec SA parameters protected by an existing IKE SA
2. Establishes IPSec SAs
3. Periodically renegotiates IPSec SAs to ensure security.
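An added example, not part of the original posts: the mode names used above (Main, Aggressive, Quick) appear on the wire as the exchange type field of the ISAKMP header, so a capture can be sorted by phase and mode from the first 28 bytes of each message. It assumes plain UDP/500 payloads (no NAT-T marker); the function names and sample headers are constructed for illustration.

```python
import struct

# ISAKMP fixed header (RFC 2408 section 3.1), 28 bytes, network byte order:
# initiator cookie, responder cookie, next payload, version, exchange type,
# flags, message ID, total length.
HEADER = struct.Struct("!8s8sBBBBII")

# Exchange type values defined in RFC 2408 and RFC 2409.
EXCHANGES = {
    2: ("Phase 1", "Main Mode"),
    4: ("Phase 1", "Aggressive Mode"),
    5: ("Phase 1 or 2", "Informational"),
    32: ("Phase 2", "Quick Mode"),
}

def classify(datagram: bytes) -> dict:
    """Name the IKEv1 phase and mode of one UDP/500 payload."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    _icookie, rcookie, _next, version, xchg, flags, msg_id, length = \
        HEADER.unpack_from(datagram)
    if version >> 4 != 1:
        raise ValueError("major version is not 1, so this is not IKEv1")
    if not HEADER.size <= length <= len(datagram):
        raise ValueError("length field does not fit the datagram")
    phase, mode = EXCHANGES.get(xchg, ("unknown", f"exchange type {xchg}"))
    return {
        "phase": phase,
        "mode": mode,
        # Flag bit 0: payloads after the header are encrypted under the IKE SA.
        "encrypted": bool(flags & 0x01),
        # Phase 1 uses message ID 0; each Quick Mode exchange picks its own.
        "message_id": msg_id,
        # The responder cookie is all zeros only in the initiator's first message.
        "first_message": rcookie == bytes(8),
    }

def sample_header(xchg: int, flags: int, msg_id: int, rcookie: bytes) -> bytes:
    """Build a constructed, header-only message for demonstration."""
    return HEADER.pack(b"\x11" * 8, rcookie, 0, 0x10, xchg, flags, msg_id, HEADER.size)

if __name__ == "__main__":
    for hdr in (
        sample_header(2, 0x00, 0, bytes(8)),               # Main Mode, message 1
        sample_header(4, 0x00, 0, bytes(8)),               # Aggressive Mode, message 1
        sample_header(32, 0x01, 0x5A5A0001, b"\x22" * 8),  # Quick Mode, encrypted
    ):
        print(classify(hdr))
```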
Thanks Naveen, that was a great explanation. Are there more than two phases? Also, do you know of any good articles around that would explain what SAs are and any other thing I should probably know? Again thanks, that helped my curiosity :) Unfortunately the more I learn the more I want to know. HAHA!