This document explains how the encryption algorithm and encryption key are used to build an IPsec tunnel.
The following options are available for the Phase 1 and Phase 2 configuration:

Phase 1:
- Authentication <pre-share, rsa-encr, rsa-sig>
- Encryption <3des, aes, des>
- DH group <Diffie-Hellman group 1/2/5>
- Hash <md5, sha>
- Peer IP
- Shared secret
When interesting traffic is generated on Router A (126.96.36.199), it initiates the phase 1 exchange with Router B (188.8.131.52):
Phase 1:
Step 1 (Un-encrypted): Encryption algorithm <3DES>, hash algorithm <MD5>, DH group <group 5> and authentication method <pre-share> are agreed upon with the peer IP <184.108.40.206>.
Step 2 (Un-encrypted): The DH algorithm calculates a private key and a public key on both routers. Each router exchanges its public key with the peer. Each peer then calculates a symmetric key <KEY-A> from its own private key and the peer's public key.
Step 3 (Encrypted (3DES), Hashed (MD5), symmetric key <KEY-A>): Encryption algorithm <3DES> and hash algorithm <MD5> use the symmetric key <KEY-A> created in step 2 to encrypt and hash the transmitted data. The data in this exchange is the shared secret <123ABCD>, used to authenticate the peer <220.127.116.11>.
Phase 2:
Step 4 (Encrypted (3DES), Hashed (MD5), symmetric key <KEY-A>): Here the protocol (ESP), the encryption algorithm (AES) and the hashing algorithm (SHA) are agreed upon as configured for Phase 2. In addition, further keying material is exchanged. This data is encrypted and hashed in the same way as in step 3, i.e. encryption algorithm <3DES> and hash algorithm <MD5> use the symmetric key <KEY-A>.
Step 5 (Encrypted (AES), Hashed (SHA), symmetric key <KEY-B>): The additional keying material exchanged in step 4 is combined with the symmetric key <KEY-A> generated in step 2 to produce a new symmetric key <KEY-B>. From now on, all data is encrypted with the encryption (AES) and hashing (SHA) algorithms using the symmetric key <KEY-B> and the ESP protocol.
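The key flow of steps 2 to 5 (DH gives KEY-A, KEY-A authenticates the pre-shared secret, KEY-A plus phase 2 keying material gives KEY-B) as an added Python model; this is not code from the original document and not a real IKE implementation. It assumes a toy 127-bit prime in place of a real DH group, HMAC as a stand-in for IKE's PRF, and hypothetical function names.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, assumed for illustration only:
# 2^127-1 is prime but is far smaller than any real IKE DH group.
P = (1 << 127) - 1
G = 2

def dh_keypair():
    """Step 2: each router picks a private value and derives its public value."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def key_a_from(priv, peer_pub):
    """Step 2: KEY-A from own private value and the peer's public value (hashed to 32 bytes)."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def auth_tag(key_a, shared_secret, peer_id):
    """Step 3: prove knowledge of the shared secret under KEY-A (MD5 mirrors the page's phase 1 hash)."""
    return hmac.new(key_a, shared_secret + b"|" + peer_id, hashlib.md5).digest()

def key_b_from(key_a, nonce_a, nonce_b):
    """Step 5: KEY-B = PRF(KEY-A, phase 2 keying material); HMAC-SHA1 stands in for IKE's PRF."""
    return hmac.new(key_a, nonce_a + nonce_b, hashlib.sha1).digest()

def simulate_tunnel(secret_on_a, secret_on_b):
    """Run both routers through steps 2-5 and report whether they end with a matching KEY-B."""
    priv_a, pub_a = dh_keypair()
    priv_b, pub_b = dh_keypair()
    ka_a = key_a_from(priv_a, pub_b)   # Router A's view of KEY-A
    ka_b = key_a_from(priv_b, pub_a)   # Router B's view of KEY-A
    # Step 3: Router A sends its tag; Router B recomputes it with its own configured secret.
    tag_from_a = auth_tag(ka_a, secret_on_a, b"router-a")
    authenticated = hmac.compare_digest(tag_from_a, auth_tag(ka_b, secret_on_b, b"router-a"))
    if not authenticated:
        # A mismatched shared secret is detected here, before any phase 2 key is derived.
        return {"key_a_match": ka_a == ka_b, "authenticated": False, "key_b": None}
    # Steps 4/5: fresh phase 2 keying material (constructed nonces) mixed with KEY-A yields KEY-B.
    nonce_a, nonce_b = secrets.token_bytes(16), secrets.token_bytes(16)
    kb_a = key_b_from(ka_a, nonce_a, nonce_b)
    kb_b = key_b_from(ka_b, nonce_a, nonce_b)
    return {"key_a_match": ka_a == ka_b, "authenticated": True,
            "key_b": kb_a if kb_a == kb_b else None}
```

Calling `simulate_tunnel(b"123ABCD", b"123ABCD")` yields a matching KEY-B on both sides, while a mismatched secret on one router fails step 3 and never reaches step 5.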