ISAKMP is a protocol, which is actually does the negotiation between 2 hosts. ISAKMP Security Association is we call as the Phase 1 and IPSec Security Assiciation is we call as phase 2.
ISAKMP - Internet Security Association Key Management Protocol.
ISAKMP/IKE would build the Phase 1 tunnel, which later protects the ISAKMP negotiations and also it protects the IPSec Negotiations for the Phase 2 Tunnel.
Phase 2 IPSec Tunnel protects the actual data, which flows between 2 end sites.....
When the VPN is configured, If an intresting traffic is initiated and it forms the phase 1 tunnel which uses IKE/ISAKMP with its own parameters.... it checks if those are matching with each other.... like auth method, algorithm, hashing, dh group etc.... once the tunnel comes up it protects the tunnel exchange data... here it is ipsec and the further isakmp associations...... Once phase 2 is up.... it will protect the actual data traffic between two hosts i.e. communication between local lan host and remote lan host.... which you can see in sh crypto ipsec sa....
I agree with you. Initial exchange messages are not having that sensitive information of the tunnel. DH Group we define in the vpn parameters will do the encryption of the pre-shared key which we exchange. definitely that would not happen in a clear text format.... Thats what i was trying to say.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :