07-20-2007 12:29 PM - edited 02-21-2020 03:10 PM
I have a few questions about this:
Is IKE the same as ISAKMP?
Since the ISAKMP is phase 1, this lifetime means the tunnel is going to drop out after whatever the lifetime is set to?
The IPSec lifetime is the amount of time the encryption algorithm goes before rekeying?
07-21-2007 04:42 AM
Hi Wilson
IKE is not quite the same as ISAKMP. ISAKMP is one element within IKE but there are others. Think of IKE as a kind of meta protocol which comprises:
1) ISAKMP - for defining the message format for the IPSEC exchanges between peers.
2) SKEME - which is used to authenticate both sides of the communication
3) OAKLEY - used for deriving the per session encryption key
The lifetimes are pretty much what you suggest. If the tunnel is still in use when the lifetime expires it should renegotiate without dropping the tunnel.
HTH
Jon
07-21-2007 04:55 AM
Thanks Jon,
So,
1. All of IKE is phase 1?
2. All three of the components (isakmp, skeme and oakley) are ALWAYS in use during VPN communication?
07-21-2007 05:01 AM
Wilson
1) Yes and No. It's a bit misleading because of the commands used sometimes on Cisco kit but IKE has a phase 1 where it sets up a secure communication between the peers and then a phase 2 where it sets up the actual SAs to transfer the data. So IKE actually is involved in both phases.
2) Yes they are.
HTH
Jon
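The two lifetimes discussed in this thread, as they are set in Cisco IOS configuration. This is an added example, not part of any post above; the policy number, algorithms and lifetime values are illustrative assumptions.

```cisco
! Constructed example: policy number, algorithms and values are illustrative.
!
! IKE phase 1 (ISAKMP SA): the secure channel between the two peers.
! "lifetime" is in seconds; the peers renegotiate this SA when it expires.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! IKE phase 2 (IPsec SAs): the SAs that protect the actual data traffic.
! They are rekeyed when either limit below is reached, whichever comes first.
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
!
! To inspect the SAs from exec mode:
!   show crypto isakmp sa     (phase 1 SAs)
!   show crypto ipsec sa      (phase 2 SAs and their remaining key lifetime)
```

Keeping the phase 2 lifetime shorter than the phase 1 lifetime means the data keys are refreshed several times under one phase 1 SA.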