02-20-2007 02:13 AM - edited 02-21-2020 02:52 PM
Hi,
I have a very basic question regarding IPsec and IKE in a VPN. I would appreciate it if, instead of giving me links, you could describe it to me in a very simple manner.
I understand that IKE provides a secure channel to negotiate with the peers and creates a SA based on the policies that are decided by the peers.
Can you please tell me how the Phase 1 SA differs from the Phase 2 SA?
Thanks for the help
Jason
02-20-2007 08:44 AM
Hi Jason,
You got the answer from Kanishka. :-)
Talking of the phase 2 lifetime, even if it is not the same on both the ends, the tunnel might come up but we expect problems at the time of tunnel renegotiation.
HTH,
Please do rate if it helps.
Regards,
Kamal
02-20-2007 08:17 AM
Hi Jason,
Basically, the phase 1 SA is for securing the pre-shared key and phase 2 policy negotiations. First the phase 1 policies are negotiated and the channel is made secure based on the phase 1 policies like encryption and hash algorithms. The phase 1 negotiation in a site-to-site scenario happens in Main mode. In Main mode a total of six packets are exchanged, 3 from each end. These packets contain the different phase 1 policies like encryption algorithm, hash algorithm, Diffie-Hellman key size, lifetime and whether NAT-T is being used or not. Once these packets have been exchanged, the channel is secured using the phase 1 encryption policy. After this the pre-shared key is exchanged and phase 1 comes up. Now the phase 2 policies are supposed to be negotiated. This negotiation happens in a secure manner using the channel provided by phase 1. Once the phase 2 policies have been negotiated, the channel is made secure using the phase 2 encryption policy. All the data flowing across is then encrypted using the phase 2 policy. Please be informed that the phase 1 and phase 2 policies can be different. It's just that they have to be the same on either end.
HTH,
Please let me know if you need further information.
Please do rate if it helps.
Regards,
Kamal
02-20-2007 08:34 AM
Hi Kamal,
Thanks a lot Kamal!!! Just one question.. this was the one I was after and the reason that I have raised this question on the forum..
What are the phase 2 policies? Is it the Transform-set?
Thanks
Jason
02-20-2007 08:39 AM
Hi Jason,
Phase 2 policies include...
The transform set
PFS (Perfect Forward Secrecy)
The crypto ACL and
Phase 2 Lifetime
The first three should necessarily match on both ends for the tunnel to establish.
HTH,
-Kanishka
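To make the "must match on both ends" rule from Kamal's and Kanishka's replies concrete, here is an added example (not from this thread or from Cisco) that parses a constructed, simplified IOS-style excerpt from each of two hypothetical peers and reports the mismatches. Phase 1 policy attributes, the transform set, PFS and the mirrored crypto ACL are treated as errors that stop the tunnel; a phase 2 lifetime difference is only a warning, matching Kamal's note that the tunnel may come up but renegotiation can cause trouble. The parser, the `check` function and the two configs are assumptions for illustration; the checker is a model of the rules in the thread, not a Cisco tool.

```python
import re

# Constructed, simplified IOS-style excerpts for two hypothetical peers.
PEER_A = """\
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
 set transform-set TS
 set pfs group2
 match address 101
 set security-association lifetime seconds 3600
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
"""

PEER_B = """\
crypto isakmp policy 20
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto ipsec transform-set REMOTE esp-aes esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
 set transform-set REMOTE
 set pfs group2
 match address 101
 set security-association lifetime seconds 1800
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

PHASE1_KEYS = ("encryption", "hash", "authentication", "group")


def parse(config):
    """Line-based extraction of phase 1 policies, transform sets, the crypto
    map and crypto ACLs from the simplified excerpt (hypothetical parser)."""
    cfg = {"p1": {}, "ts": {}, "map": {}, "acl": {}}
    section = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            section = ("p1", m.group(1))
            cfg["p1"][m.group(1)] = {}
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            section = None
            cfg["ts"][m.group(1)] = tuple(sorted(m.group(2).split()))
        elif re.match(r"crypto map \S+ \d+ ipsec-isakmp$", line):
            section = ("map",)
        elif m := re.match(r"access-list (\d+) permit ip (\S+ \S+) (\S+ \S+)$", line):
            section = None
            cfg["acl"].setdefault(m.group(1), set()).add((m.group(2), m.group(3)))
        elif section and section[0] == "p1":
            key, _, val = line.partition(" ")
            cfg["p1"][section[1]][key] = val
        elif section and section[0] == "map":
            parts = line.split()
            if parts[:2] == ["set", "transform-set"]:
                cfg["map"]["transform_set"] = parts[2]
            elif parts[:2] == ["set", "pfs"]:
                cfg["map"]["pfs"] = parts[2]
            elif parts[:2] == ["match", "address"]:
                cfg["map"]["acl"] = parts[2]
            elif parts[:3] == ["set", "security-association", "lifetime"]:
                cfg["map"]["lifetime"] = int(parts[4])
    return cfg


def check(config_a, config_b):
    """Return (errors, warnings): errors block tunnel establishment,
    warnings let it come up but cause trouble at renegotiation."""
    a, b = parse(config_a), parse(config_b)
    errors, warnings = [], []
    # Phase 1: some policy pair must agree on encryption, hash, auth and DH group.
    if not any(all(pa.get(k) == pb.get(k) for k in PHASE1_KEYS)
               for pa in a["p1"].values() for pb in b["p1"].values()):
        errors.append("phase 1: no matching ISAKMP policy")
    # Phase 2 transform set: the names may differ, the transforms must not.
    ta = a["ts"].get(a["map"].get("transform_set"))
    tb = b["ts"].get(b["map"].get("transform_set"))
    if ta != tb:
        errors.append(f"phase 2: transform-set mismatch ({ta} vs {tb})")
    # PFS group must be identical (or absent on both sides).
    pa, pb = a["map"].get("pfs"), b["map"].get("pfs")
    if pa != pb:
        errors.append(f"phase 2: PFS mismatch ({pa} vs {pb})")
    # Crypto ACLs must be mirror images: B's (src, dst) equals A's (dst, src).
    acl_a = a["acl"].get(a["map"].get("acl"), set())
    acl_b = {(dst, src) for src, dst in b["acl"].get(b["map"].get("acl"), set())}
    if acl_a != acl_b:
        errors.append("phase 2: crypto ACLs are not mirror images")
    # Lifetime: a mismatch does not stop the tunnel, but rekeying may misbehave.
    la, lb = a["map"].get("lifetime"), b["map"].get("lifetime")
    if la != lb:
        warnings.append(f"phase 2: lifetime {la} vs {lb}; tunnel may come up "
                        "but expect problems at renegotiation")
    return errors, warnings


if __name__ == "__main__":
    for level, msgs in zip(("ERROR", "WARN"), check(PEER_A, PEER_B)):
        for msg in msgs:
            print(level, msg)
```

Run as-is, the two peers produce no errors and one lifetime warning; changing PEER_B's `set pfs group2` to `group5`, or its transform set to `esp-md5-hmac`, turns that into a blocking error, which is the difference between the first three items in Kanishka's list and the fourth.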