Cisco Support Community

New Member

isakmp phases? list?

Could someone list for me what occurs at each phase of ISAKMP and IPsec? Ex. phase 1, phase 2. Just curious. Read something about it before. Thanks!

New Member

Re: isakmp phases? list?


As you are aware, VPN connections go on in 2 phases: Phase-1 for ISAKMP negotiations and Phase-2 for IPSec negotiations. Phase-1 can go in either Main mode or Aggressive mode. The main difference between the two is that aggressive mode combines many messages into one and thereby reduces the time to create a VPN tunnel. IKE Phase-1 has only one mode, namely, Quick mode, which occurs after IKE has established the secure tunnel in Phase-1.



Basic purpose is to authenticate the IPSec peers and to set up a secure channel between the peers to enable IKE exchanges. Performs the following.

1. Negotiates a matching IKE SA policy between peers.

2. Performs an authenticated DH key exchange.

3. Authenticates and protects the identities.

4. Sets up a secure tunnel to negotiate IKE Phase-2 parameters.



Basic purpose is to negotiate IPSec SAs to set up the IPSec tunnel. Phase-2 performs the following functions.

1. Negotiates IPSec SA parameters protected by an existing IKE SA

2. Establishes IPSec SAs

3. Periodically renegotiates IPSec SAs to ensure security.

4. Optionally performs an additional DH exchange.

If you have any particular issue, get back to me.

Have a nice day !
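
To see the phases in a packet capture, the following added example (not part of the original posts) decodes the fixed ISAKMP header and maps its exchange type to a phase, using the field layout from RFC 2408 and the IKEv1 exchange type values from RFC 2408/2409. The sample datagrams are constructed, and the code assumes plain UDP/500 payloads with no NAT-T marker in front of the header.

```python
import struct

# ISAKMP fixed header, RFC 2408 section 3.1: 28 bytes, network byte order.
HEADER = struct.Struct("!8s8sBBBBII")
# IKEv1 exchange type -> (name, phase); values from RFC 2408 / RFC 2409.
EXCHANGES = {2: ("Main Mode", 1), 4: ("Aggressive Mode", 1),
             32: ("Quick Mode", 2), 5: ("Informational", None)}
FLAG_ENCRYPTED = 0x01

def classify(packet: bytes) -> dict:
    """Decode one ISAKMP header and report which IKE phase it belongs to."""
    if len(packet) < HEADER.size:
        raise ValueError("truncated ISAKMP header")
    _ic, rcookie, _np, version, xchg, flags, msg_id, length = \
        HEADER.unpack_from(packet)
    if version >> 4 != 1:
        raise ValueError("not IKEv1 (major version %d)" % (version >> 4))
    if length != len(packet):
        raise ValueError("length field does not match datagram size")
    name, phase = EXCHANGES.get(xchg, ("unknown (%d)" % xchg, None))
    encrypted = bool(flags & FLAG_ENCRYPTED)
    notes = []
    if phase == 1 and msg_id != 0:
        notes.append("phase 1 must use message ID 0")
    if phase == 2 and msg_id == 0:
        notes.append("quick mode needs a non-zero message ID")
    if phase == 2 and not encrypted:
        # Phase 2 is negotiated under the protection of the existing IKE SA.
        notes.append("quick mode must be encrypted under the IKE SA")
    return {"exchange": name, "phase": phase, "encrypted": encrypted,
            "first_message": rcookie == bytes(8), "notes": notes}

def build(xchg, flags, msg_id, rcookie=bytes(8), body=b""):
    """Constructed sample datagram: header plus opaque body bytes."""
    return HEADER.pack(b"\x11" * 8, rcookie, 1, 0x10, xchg, flags, msg_id,
                       HEADER.size + len(body)) + body

if __name__ == "__main__":
    peer = b"\x22" * 8  # constructed responder cookie
    samples = [build(2, 0, 0, body=bytes(40)),           # first Main Mode message
               build(4, 0, 0, body=bytes(200)),          # first Aggressive Mode message
               build(32, 1, 0x5A17C3D2, peer, bytes(120)),  # well-formed Quick Mode
               build(32, 0, 0x5A17C3D2, peer, bytes(120))]  # malformed: cleartext
    for pkt in samples:
        print(classify(pkt))
```
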


New Member

Re: isakmp phases? list?

Thanks Naveen, that was a great explanation. Are there more than two phases? Also, do you know of any good articles around that would explain what SAs are and any other thing I should probably know? Again thanks, that helped my curiosity :) Unfortunately the more I learn the more I want to know. HAHA!
