
IPSEC and IKE lifetime questions

wilson_1234_2
Level 3

I have a few questions about this:

Is IKE the same as ISAKMP?

Since the ISAKMP is phase 1, this lifetime means the tunnel is going to drop out after whatever the lifetime is set to?

The IPSEC lifetime is the amount of time the encryption algorithm goes before rekeying?

3 Replies

Jon Marshall
Hall of Fame

Hi Wilson

IKE is not quite the same as ISAKMP. ISAKMP is one element within IKE but there are others. Think of IKE as a kind of meta protocol which comprises:

1) ISAKMP - for defining the message format for the IPSEC exchanges between peers.

2) SKEME - which is used to authenticate both sides of the communication

3) OAKLEY - used for deriving the per session encryption key

The lifetimes are pretty much what you suggest. If the tunnel is still in use when the lifetime expires it should renegotiate without dropping the tunnel.

HTH

Jon

Thanks Jon,

So,

1. All of IKE is phase 1?

2. All three of the components (isakmp, skeme and oakley) are ALWAYS in use during VPN communication?

Wilson

1) Yes and No. It's a bit misleading because of the commands sometimes used on Cisco kit, but IKE has a phase 1 where it sets up a secure communication between the peers and then a phase 2 where it sets up the actual SAs to transfer the data. So IKE actually is involved in both phases.

2) Yes they are.

HTH

Jon
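
For reference, an added example (not from the thread or from any poster's configuration) of where the two lifetimes discussed above are set on Cisco IOS with IKEv1. The policy number, the names TS and CMAP, ACL 110, and the peer 192.0.2.1 are constructed placeholders; the lifetime values shown are the IOS defaults.

```cisco
! Phase 1 (IKE/ISAKMP SA): the protected channel between the peers.
! Despite the "isakmp" keyword, this block only configures phase 1.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400          ! seconds before the phase 1 SA is renegotiated
!
! Phase 2 (IPsec SAs): the SAs that carry the data.
! Global lifetime: rekey on whichever limit is reached first.
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Per-peer override of the phase 2 lifetime inside the crypto map entry.
! ACL 110 (interesting traffic) and the pre-shared key are assumed to be
! defined elsewhere.
crypto map CMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 set security-association lifetime seconds 3600
 match address 110
!
! Verification: the two phases are listed by separate show commands.
! show crypto isakmp sa          -> phase 1 SA state
! show crypto ipsec sa           -> phase 2 SAs with remaining lifetime
```

The remaining key lifetime reported by `show crypto ipsec sa` counts down in both kilobytes and seconds, which makes it easy to confirm that a rekey happened without the tunnel dropping.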
