Cisco Support Community

New Member

What is the purpose of ISAKMP tunnel?

Hi,

Kindly explain the purpose of the ISAKMP tunnel. What duties does it perform after establishment?

5 REPLIES

Hi,

ISAKMP is a protocol which actually does the negotiation between 2 hosts. The ISAKMP Security Association is what we call Phase 1, and the IPSec Security Association is what we call Phase 2.

ISAKMP - Internet Security Association and Key Management Protocol.

ISAKMP/IKE builds the Phase 1 tunnel, which later protects the ISAKMP negotiations and also protects the IPSec negotiations for the Phase 2 tunnel.

The Phase 2 IPSec tunnel protects the actual data which flows between the 2 end sites.

When the VPN is configured and interesting traffic is initiated, it forms the Phase 1 tunnel, which uses IKE/ISAKMP with its own parameters. It checks whether those match each other: auth method, algorithm, hashing, DH group, etc. Once the tunnel comes up, it protects the tunnel exchange data, here IPSec and the further ISAKMP associations. Once Phase 2 is up, it protects the actual data traffic between the two hosts, i.e. the communication between the local LAN host and the remote LAN host, which you can see in sh crypto ipsec sa.

Regards

Karthik
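The Phase 1 parameter check Karthik describes (auth method, encryption, hash, DH group) can be modelled as a small policy matcher. The code below is an added example, not code from this thread or from Cisco; the IsakmpPolicy class, the attribute strings and the sample policies are constructed for the illustration. The matching rule follows Cisco's IOS documentation for IKE policy negotiation as I recall it: the responder walks its own policies in priority order and takes the first peer proposal with identical encryption, hash, authentication method and DH group whose lifetime is not longer than its own, and the shorter lifetime is used. Treat the lifetime handling as an assumption to check against your platform's documentation.

```python
"""Model of IKEv1 Phase 1 (ISAKMP) policy matching.

Added illustration; policy names, attribute strings and sample values are
constructed and are not the thread's or Cisco's code. Matching rule (assumed,
after Cisco IOS IKE documentation): the responder checks its policies in
priority order; a match needs identical encryption, hash, authentication and
DH group, and the initiator's lifetime must not exceed the responder's; the
shorter lifetime is used.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int            # lower number = higher priority ("crypto isakmp policy 10")
    encryption: str          # e.g. "aes 256", "3des"
    hash: str                # e.g. "sha", "md5"
    authentication: str      # "pre-share" or "rsa-sig"
    group: int               # Diffie-Hellman group number
    lifetime: int = 86400    # SA lifetime in seconds (IOS default)


MATCHED_ATTRS = ("encryption", "hash", "authentication", "group")


def mismatched_attrs(proposal: IsakmpPolicy, policy: IsakmpPolicy) -> List[str]:
    """Attributes that stop `proposal` from matching `policy` (empty list = match)."""
    bad = [a for a in MATCHED_ATTRS if getattr(proposal, a) != getattr(policy, a)]
    if proposal.lifetime > policy.lifetime:
        bad.append("lifetime")
    return bad


def negotiate_phase1(initiator_proposals, responder_policies) -> Optional[IsakmpPolicy]:
    """Return the agreed Phase 1 policy, or None when no proposal is acceptable.

    The responder's priority order decides which match wins, not the order in
    which the initiator listed its proposals.
    """
    for policy in sorted(responder_policies, key=lambda p: p.priority):
        for proposal in sorted(initiator_proposals, key=lambda p: p.priority):
            if not mismatched_attrs(proposal, policy):
                return replace(policy, lifetime=min(proposal.lifetime, policy.lifetime))
    return None


def closest_mismatch(initiator_proposals, responder_policies):
    """Troubleshooting aid for a failed negotiation: the pair with the fewest differences."""
    pairs = ((mismatched_attrs(i, r), i, r)
             for r in responder_policies for i in initiator_proposals)
    return min(pairs, key=lambda t: len(t[0]))


# Constructed sample policies (not from the thread).
INITIATOR = [
    IsakmpPolicy(10, "aes 256", "sha", "pre-share", 14, 86400),
    IsakmpPolicy(20, "3des", "md5", "pre-share", 2, 86400),
]
RESPONDER = [
    IsakmpPolicy(10, "3des", "md5", "pre-share", 2, 86400),
    IsakmpPolicy(20, "aes 256", "sha", "pre-share", 14, 3600),
]

if __name__ == "__main__":
    # The responder's policy 10 (3DES) wins even though the initiator preferred AES.
    print(negotiate_phase1(INITIATOR, RESPONDER))
    only_aes = [INITIATOR[0]]
    print(negotiate_phase1(only_aes, [RESPONDER[1]]))          # None: initiator lifetime too long
    print(closest_mismatch(only_aes, [RESPONDER[1]])[0])       # ['lifetime']
```

Running it shows why a peer that lists a strong policy first can still end up on a weaker one: the responder's order, not the initiator's, picks the winner, so the weak policy has to be removed from the responder, not just demoted on the initiator.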

New Member

Hi,

From your explanation, what I understand is that the PHASE 1 tunnel is used to protect the negotiation of parameters between the peers for the PHASE 2 tunnel.... Right?

Also, kindly confirm whether the parameters for PHASE 1 are sent in clear text between the peers or not?

Regards.

Hi Mitesh,

It will not happen in clear text; it has a defined encryption method to negotiate and exchange the Phase 1 parameters.

Sample debug for ISAKMP, which happens during negotiation:

Jul 24 13:06:03 [IKEv1]IP = 172.16.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing ID payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing hash payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Computing hash for ISAKMP
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing VID payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Received DPD VID
Jul 24 13:06:03 [IKEv1]IP = 172.16.2.2, Connection landed on tunnel_group 172.16.2.2
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Oakley begin quick mode
Jul 24 13:06:03 [IKEv1]Group = 172.16.2.2, IP = 172.16.2.2, PHASE 1 COMPLETED

 

Regards

Karthik
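The debug excerpt above is the kind of output an operator ends up grepping when a tunnel will not come up, so here is a small parser for it. This is an added example, not code from the thread or from Cisco: the sample text is the excerpt quoted in the reply, while the regular expressions, field names and per-peer summary structure are my own.

```python
"""Parser for ASA IKEv1 debug lines of the form seen in the thread.

Added example; SAMPLE_DEBUG is the excerpt quoted in the reply above, the
regexes and summary fields are constructed for this illustration.
"""
import re
from typing import Dict, List, Optional

SAMPLE_DEBUG = """\
Jul 24 13:06:03 [IKEv1]IP = 172.16.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing ID payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing hash payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Computing hash for ISAKMP
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing VID payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Received DPD VID
Jul 24 13:06:03 [IKEv1]IP = 172.16.2.2, Connection landed on tunnel_group 172.16.2.2
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Oakley begin quick mode
Jul 24 13:06:03 [IKEv1]Group = 172.16.2.2, IP = 172.16.2.2, PHASE 1 COMPLETED
"""

# "Mon DD HH:MM:SS [IKEv1 DEBUG]Group = <g>, IP = <ip>, <message>"; Group and IP are optional.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"\[(?P<src>[^\]]+)\]"
    r"(?:Group = (?P<group>[^,]+), )?"
    r"(?:IP = (?P<ip>[^,]+), )?"
    r"(?P<msg>.*)$"
)
PAYLOADS_RE = re.compile(r"payloads : (.+?) total length : (\d+)")
TUNNEL_GROUP_RE = re.compile(r"landed on tunnel_group (\S+)")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one debug line into timestamp, source, group, ip, message; None if not IKE debug."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["debug"] = "DEBUG" in ev["src"]
    return ev


def payload_names(msg: str) -> List[str]:
    """Payload chain of an IKE_DECODE line, e.g. ['HDR', 'ID', 'HASH', ...]; [] otherwise."""
    m = PAYLOADS_RE.search(msg)
    if not m:
        return []
    return [re.sub(r"\s*\(\d+\)$", "", part).strip() for part in m.group(1).split(" + ")]


def summarize_ike(text: str) -> Dict[str, Dict[str, object]]:
    """Per-peer view: tunnel group, DPD support, quick-mode start, when Phase 1 completed."""
    peers: Dict[str, Dict[str, object]] = {}
    for line in text.splitlines():
        ev = parse_line(line)
        if not ev or not ev["ip"]:
            continue
        p = peers.setdefault(ev["ip"], {
            "tunnel_group": None, "dpd": False, "quick_mode": False,
            "phase1_completed_at": None, "payloads": [], "lines": 0,
        })
        msg = ev["msg"]
        p["lines"] += 1
        p["payloads"].extend(payload_names(msg))
        if "Received DPD VID" in msg:
            p["dpd"] = True
        if "begin quick mode" in msg:
            p["quick_mode"] = True
        if "PHASE 1 COMPLETED" in msg:
            p["phase1_completed_at"] = ev["ts"]
        tg = TUNNEL_GROUP_RE.search(msg)
        if tg:
            p["tunnel_group"] = tg.group(1)
    return peers


if __name__ == "__main__":
    for ip, info in summarize_ike(SAMPLE_DEBUG).items():
        print(ip, info)
```

The summary is the useful part for monitoring: a peer that keeps producing "begin quick mode" lines without a matching "PHASE 1 COMPLETED", or one landing on an unexpected tunnel_group, stands out immediately once the lines are keyed by peer IP.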

Cisco Employee

Karthik,

You need to perform a DH exchange to have a key capable of protecting IKE.

Initial messages are not encrypted.

M.
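Marcin's two sentences describe the order of events in IKEv1 main mode: the SA proposals, the DH public values and the nonces travel unencrypted, and only once both sides hold g^xy can they derive the keys that protect the rest of the exchange. The following is an added example, not code from the thread or from Cisco. The SKEYID derivations are the RFC 2409 section 5 formulas for pre-shared key authentication with HMAC-SHA1 as the prf; the pre-shared key itself is never transmitted, it only keys the prf. The 127-bit DH group is a toy chosen so the example runs instantly (real IKE uses the MODP groups of RFC 2409 and RFC 3526), and the cookies, nonces, PSK and private exponents are constructed values.

```python
"""IKEv1 main mode with a pre-shared key: what is sent in the clear, where keys come from.

Added example, not from the thread or any Cisco code. Key derivation follows
RFC 2409 section 5 (prf = HMAC-SHA1 here). The DH group is a toy (P, G below),
NOT an IKE group; cookies, nonces, PSK and exponents are constructed.
"""
import hashlib
import hmac

P = 2**127 - 1   # toy modulus
G = 3            # toy generator


def dh_public(x: int) -> int:
    return pow(G, x, P)


def dh_shared(x: int, peer_public: int) -> bytes:
    """g^xy as big-endian bytes, the form RFC 2409 feeds into the prf."""
    return pow(peer_public, x, P).to_bytes((P.bit_length() + 7) // 8, "big")


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def ikev1_psk_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 section 5.4 (pre-shared key authentication):
    SKEYID   = prf(pre-shared-key, Ni_b | Nr_b)
    SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)            -> material for Phase 2 keys
    SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1) -> ISAKMP integrity key
    SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2) -> ISAKMP encryption key
    """
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def main_mode(psk_i, psk_r, xi, xr, ni, nr, cky_i, cky_r):
    """Run the six main-mode messages from each side's point of view.

    Returns (initiator_keys, responder_keys, trace). Each trace entry is
    (message number, direction, contents, encrypted_under_SKEYID_e).
    """
    gxi, gxr = dh_public(xi), dh_public(xr)
    trace = [
        (1, "I->R", "SA proposals (enc, hash, auth, DH group, lifetime)", False),
        (2, "R->I", "SA choice", False),
        (3, "I->R", f"KE g^xi={gxi}, Ni={ni.hex()}", False),
        (4, "R->I", f"KE g^xr={gxr}, Nr={nr.hex()}", False),
    ]
    # Only after message 4 can each side compute g^xy and, with its own PSK, the keys.
    keys_i = ikev1_psk_keys(psk_i, ni, nr, dh_shared(xi, gxr), cky_i, cky_r)
    keys_r = ikev1_psk_keys(psk_r, ni, nr, dh_shared(xr, gxi), cky_i, cky_r)
    trace += [
        (5, "I->R", "IDii + HASH_I (encrypted with SKEYID_e)", True),
        (6, "R->I", "IDir + HASH_R (encrypted with SKEYID_e)", True),
    ]
    return keys_i, keys_r, trace


# Constructed sample values (not real keys or cookies).
PSK = b"example-psk"
CKY_I, CKY_R = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
NI, NR = bytes.fromhex("aa" * 16), bytes.fromhex("bb" * 16)
XI, XR = 0x1234567890ABCDEF, 0xFEDCBA0987654321

if __name__ == "__main__":
    ki, kr, trace = main_mode(PSK, PSK, XI, XR, NI, NR, CKY_I, CKY_R)
    for n, d, what, enc in trace:
        print(n, d, "ENCRYPTED" if enc else "clear    ", what)
    print("peers agree on SKEYID_e:", ki["SKEYID_e"] == kr["SKEYID_e"])
```

Two things follow from the model. Messages 1 to 4 carry nothing secret (the public values are meant to be seen), so an observer of them learns the negotiated policy but not SKEYID; and a PSK mismatch shows up only at message 5, because each side derives a different SKEYID family and the encrypted payload from the peer fails to decrypt or verify, which is exactly where a wrong-key tunnel stalls in the debug output.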

Hi Marcin,

I agree with you. The initial exchange messages do not carry that sensitive information of the tunnel. The DH group we define in the VPN parameters will do the encryption of the pre-shared key which we exchange; definitely that would not happen in clear text format.... That's what I was trying to say.

Regards

Karthik
