VPN Basic question

jasonbailey80
Level 1

Hi,

I have a very basic question regarding IPSec and IKE in the VPN. I would appreciate it if, instead of giving me links, you could describe it to me in a very simple manner.

I understand that IKE provides a secure channel to negotiate with the peers and creates an SA based on the policies that are decided by the peers.

Can you please tell me how the Phase 1 SA differs from the Phase 2 SA?

Thanks for the help

Jason

1 Accepted Solution

4 Replies

Kamal Malhotra
Cisco Employee

Hi Jason,

Basically, the phase 1 SA is for securing the pre-shared key and the phase 2 policy negotiations. First the phase 1 policies are negotiated and the channel is made secure based on the phase 1 policies, like the encryption and hash algorithms. The phase 1 negotiation in a site-to-site scenario happens in main mode. In main mode a total of six packets are exchanged, three from each end. These packets contain the different phase 1 policies, like the encryption algorithm, hash algorithm, Diffie-Hellman key size, lifetime and whether NAT-T is being used or not. Once these packets have been exchanged, the channel is secured using the phase 1 encryption policy. After this the pre-shared key is exchanged and phase 1 comes up.

Now the phase 2 policies are supposed to be negotiated. This negotiation happens in a secure manner using the channel provided by phase 1. Once the phase 2 policies have been negotiated, the channel is made secure using the phase 2 encryption policy. All the data flowing across after that is encrypted using the phase 2 policy.

Please be informed that the phase 1 and phase 2 policies can be different. It's just that they have to be the same on either end.

HTH,

Please let me know if you need further information.

Please do rate if it helps.

Regards,

Kamal

jasonbailey80
Level 1

Hi Kamal,

Thanks a lot, Kamal! Just one question. This was the one I was after, and the reason I raised this question on the forum.

What are the phase 2 policies? Is it the Transform-set?

Thanks

Jason

Hi Jason,

Phase 2 policies include...

The transform set

PFS (Perfect Forward Secrecy)

The crypto ACL and

Phase 2 Lifetime

The first three must match on both ends for the tunnel to establish.

HTH,

-Kanishka

Hi Jason,

You got the answer from Kanishka. :-)

Talking of the phase 2 lifetime, even if it is not the same on both ends, the tunnel might come up, but we expect problems at the time of tunnel renegotiation.

HTH,

Please do rate if it helps.

Regards,

Kamal
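To put Kamal's phase 1 / phase 2 split and Kanishka's list of phase 2 policies side by side in a configuration, here is an added site-to-site example in Cisco IOS CLI. It is not configuration from the original posts or from Cisco; the peer addresses (203.0.113.1 / 203.0.113.2), the protected subnets (10.1.1.0/24 and 10.2.2.0/24), the interface name, the object names (TS-AES256-SHA256, VPN-TRAFFIC, VPN-MAP) and the pre-shared key are placeholders chosen for illustration. Lines starting with `!` are IOS comment lines and say which phase each block belongs to and what has to match on the far end.

```text
! --- Router A (assumed local peer 203.0.113.1, protecting 10.1.1.0/24) ---
!
! Phase 1 (ISAKMP/IKE) policy: encryption, hash, authentication method,
! DH group and lifetime. Router B needs a policy with the same values
! (the priority number, 10 here, does not have to match).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Pre-shared key for this peer; the string must be identical on both ends
! (placeholder value, replace before use).
crypto isakmp key Th1s-Is-A-Placeholder address 203.0.113.2
!
! NAT-T support is detected during the phase 1 exchange; this command only
! sets the NAT keepalive interval in seconds used when a NAT is in the path.
crypto isakmp nat-traversal 20
!
! Phase 2 (IPsec) parameters, in the order of Kanishka's list.
! 1. Transform set: ESP cipher and integrity algorithm, tunnel mode.
!    Must match on both ends.
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! 2. Crypto ACL: defines the interesting traffic. Router B needs the
!    mirror image (source 10.2.2.0/24, destination 10.1.1.0/24).
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! 3. Crypto map: ties peer, transform set, PFS group, phase 2 lifetime and
!    crypto ACL together. The PFS group must match on both ends; a lifetime
!    mismatch is the case Kamal describes (tunnel may come up, trouble at rekey).
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA256
 set pfs group14
 set security-association lifetime seconds 3600
 match address VPN-TRAFFIC
!
! Apply the crypto map to the outside interface.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN-MAP
!
! Router B differs only in: crypto isakmp key ... address 203.0.113.1,
! the crypto ACL (permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255),
! set peer 203.0.113.1, and its own interface address 203.0.113.2.
!
! Verification, after sending traffic that matches the crypto ACL:
!   show crypto isakmp sa    -> phase 1 SA; state QM_IDLE once phase 1 is up
!   show crypto ipsec sa     -> phase 2 SAs (one inbound/outbound pair per
!                               ACL entry) with #pkts encaps/decaps counters
```

To watch the two phases negotiate as described in the thread, run `debug crypto isakmp` while the tunnel comes up: the main mode exchange (six messages) appears first, followed by quick mode, which carries the phase 2 proposal. Then `debug crypto ipsec` shows the resulting phase 2 SAs being installed. Clear both debugs with `undebug all` afterwards, since they are verbose on a busy peer.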