Cisco Support Community

New Member

IPSEC and IKE lifetime questions

I have a few questions about this:

Is IKE the same as ISAKMP?

Since the ISAKMP is phase 1, this lifetime means the tunnel is going to drop out after whatever the lifetime is set to?

The IPSEC lifetime is the amount of time the encryption algorithm goes before rekeying?

3 REPLIES
Hall of Fame Super Blue

Re: IPSEC and IKE lifetime questions

Hi Wilson

IKE is not quite the same as ISAKMP. ISAKMP is one element within IKE but there are others. Think of IKE as a kind of meta protocol which comprises:

1) ISAKMP - for defining the message format for the IPSEC exchanges between peers.

2) SKEME - which is used to authenticate both sides of the communication

3) OAKLEY - used for deriving the per session encryption key

The lifetimes are pretty much what you suggest. If the tunnel is still in use when the lifetime expires it should renegotiate without dropping the tunnel.

HTH

Jon

New Member

Re: IPSEC and IKE lifetime questions

Thanks Jon,

So,

1. All of IKE is phase 1?

2. All three of the components (ISAKMP, SKEME and OAKLEY) are ALWAYS in use during VPN communication?

Hall of Fame Super Blue

Re: IPSEC and IKE lifetime questions

Wilson

1) Yes and No. It's a bit misleading because of the commands used sometimes on Cisco kit but IKE has a phase 1 where it sets up a secure communication between the peers and then a phase 2 where it sets up the actual SAs to transfer the data. So IKE actually is involved in both phases.

2) Yes they are.

HTH

Jon
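
For reference, the two lifetimes discussed in this thread are set in different places in a Cisco IOS configuration. The fragment below is an added example, not taken from any of the posts; the policy number, the crypto map name VPN-MAP, the algorithms and the lifetime values are illustrative assumptions.

```text
! Phase 1 (IKE / ISAKMP SA): the secure channel the peers use to negotiate.
! Despite the "isakmp" keyword, this is where the IKE phase 1 lifetime lives.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Phase 2 (IPsec SAs): the keys that protect the actual data traffic.
! An SA is rekeyed when either the time or the traffic-volume limit is reached.
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
!
! Optional per-crypto-map override of the phase 2 lifetime.
! (peer, transform-set and match address lines omitted here)
crypto map VPN-MAP 10 ipsec-isakmp
 set security-association lifetime seconds 3600
!
! Verification from exec mode:
!   show crypto isakmp sa detail   <- phase 1 SA and its remaining lifetime
!   show crypto ipsec sa           <- phase 2 SAs and remaining key lifetime
```

Watching the remaining lifetime in the two show commands while traffic is flowing lets you confirm that new SAs are negotiated before the old ones expire.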
