Cisco Support Community
New Member

IKE phase one detail problem

Hi, when we configure IKE phase one, many values need to be configured, like DES, MD5, pre-shared keys and DH1. I just want to know how the values are used during IKE phase one.

For example, the pre-shared keys are used to authenticate each other, but where and how are DES, MD5 and DH1 used?

Thanks

3 REPLIES
New Member

Re: IKE phase one detail problem

Hi,

Phase 1 can happen in 2 modes: Main mode or Aggressive mode. Main mode starts with an instantiation of the ISAKMP Identity Protect exchange. There are 6 messages that are exchanged during this phase. The first 2 negotiate policy; the next 2 exchange DH public values and the last 2 authenticate the DH exchange. The last 2 exchanges are encrypted.

The best answer would be to look at RFC 2409 for IKE. It has everything you ever want.

Hope you got the answer.

Naveen

mnaveen@cisco.com

Silver

Re: IKE phase one detail problem

IKE really just negotiates those settings between the two hosts. Those settings are used for the IPSec tunnel. DES is a bulk encryption algorithm, MD5 is the hashing algorithm for verification, authentication, etc., and DH1 is a key exchange mechanism.

New Member

Re: IKE phase one detail problem

Hi,

I beg to differ in this case since, to the best of my knowledge, IKE also uses authentication and encryption during Main mode. I saw this when I enabled debugging for the ISAKMP process. Moreover, the encryption used by IKE could be different from what IPSec uses. IKE not only negotiates but also uses those settings.

I went back to RFC 2409 and found out that the last 2 messages in Main Mode are in fact **authenticated** by the authentication mechanism negotiated by the parties. I request people to look into the RFC for correct details.

Hope my understanding is correct. Let me know if I'm missing anything.

Cheers,

Naveen

mnaveen@cisco.com
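
Added example, not part of the original posts: a Python sketch of where RFC 2409 uses each negotiated value in Main mode with pre-shared keys. DH group 1 supplies g^xy, HMAC-MD5 is the prf that mixes the pre-shared key and nonces into SKEYID and computes HASH_I, and the DES key for messages 5 and 6 is cut from SKEYID_e. The function names, cookies, nonces and SA/ID payload bytes are constructed for illustration; DES encryption itself and the weak-key check are left out.

```python
import hashlib
import hmac
import secrets

# Oakley Group 1 ("DH1"): 768-bit MODP prime from RFC 2409, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
G = 2

def prf(key, data):
    # With no prf negotiated, IKE uses the HMAC form of the negotiated hash (MD5).
    return hmac.new(key, data, hashlib.md5).digest()

def to_bytes(n):
    return n.to_bytes(96, "big")  # fixed 768-bit encoding of a group element

def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def derive(psk, ni, nr, g_xy, cky_i, cky_r):
    """SKEYID family for pre-shared-key authentication (RFC 2409, section 5)."""
    skeyid = prf(psk, ni + nr)            # the PSK enters here, keyed by MD5
    tail = to_bytes(g_xy) + cky_i + cky_r
    d = prf(skeyid, tail + b"\x00")       # SKEYID_d: keying material for phase 2
    a = prf(skeyid, d + tail + b"\x01")   # SKEYID_a: integrity key
    e = prf(skeyid, a + tail + b"\x02")   # SKEYID_e: encryption keying material
    # DES key = first 8 bytes of SKEYID_e (weak-key check omitted in this sketch)
    return {"skeyid": skeyid, "d": d, "a": a, "e": e, "des_key": e[:8]}

def hash_i(skeyid, g_xi, g_xr, cky_i, cky_r, sai_b, idii_b):
    """HASH_I, carried in message 5 to authenticate the exchange."""
    return prf(skeyid, to_bytes(g_xi) + to_bytes(g_xr) + cky_i + cky_r + sai_b + idii_b)

def run_exchange(psk_i, psk_r):
    """Both peers derive keys independently; returns (initiator, responder, hash_ok)."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # cookies (constructed)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)      # nonces, messages 3-4
    sai_b, idii_b = b"constructed-SA-payload", b"constructed-ID-payload"
    xi, g_xi = dh_keypair()                                        # KE payloads, messages 3-4
    xr, g_xr = dh_keypair()
    ki = derive(psk_i, ni, nr, pow(g_xr, xi, P), cky_i, cky_r)
    kr = derive(psk_r, ni, nr, pow(g_xi, xr, P), cky_i, cky_r)
    sent = hash_i(ki["skeyid"], g_xi, g_xr, cky_i, cky_r, sai_b, idii_b)
    expected = hash_i(kr["skeyid"], g_xi, g_xr, cky_i, cky_r, sai_b, idii_b)
    return ki, kr, hmac.compare_digest(sent, expected)
```

With matching pre-shared keys both peers arrive at the same DES key and HASH_I verifies; with different keys the DH exchange still completes, but SKEYID differs, so neither the encryption key nor the hash matches.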
