IPSec VPN

in CCNA & CCENT
I would post this in the CCNA security forum, but that board seems dead. Anyhow, I'm a little confused regarding the encryption used in IKE Phase 1 and the one used in IKE Phase 2... mainly, why are we specifying the encryption/hashing method 2x?
I guess my question is, when you define an isakmp policy and specify the encryption, hash, and authentication methods, what are those actually used for? It appears that the encryption/hashing method in the transform set is what's actually encrypting the host-to-host data.
Comments
cisco_trooper Member Posts: 1,441
IKE Phase I
Authenticates and protects the identities of the IPSec peers
Negotiates a matching IKE SA policy between peers to protect the IKE exchange
Performs an authenticated Diffie-Hellman exchange with the end result of having matching shared secret keys
Sets up a secure tunnel to negotiate IKE phase 2 parameters
In short, IKE Phase I authenticates each IPSec peer and builds a tunnel over which a secure Diffie-Hellman exchange can occur, so that the Phase II SAs are as secure as possible.
IKE Phase II
Negotiates IPSec SA parameters protected by an existing IKE SA
Establishes IPSec security associations
Periodically renegotiates IPSec SAs to ensure security
Optionally performs an additional Diffie-Hellman exchange
In short, IKE Phase II builds the host-to-host SAs over/through the IKE Phase I tunnel and can also perform another Diffie-Hellman exchange if PFS (Perfect Forward Secrecy) is enabled.
Hope that helps.
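As an added illustration (not part of this thread or any Cisco document), here is a Cisco IOS IKEv1 site-to-site configuration that shows the two places the algorithms are specified: the isakmp policy protects the Phase 1 (IKE) negotiation itself, while the transform set protects the Phase 2 (IPSec) data traffic. The peer address, subnets, key string and object names are constructed placeholders.

```cisco
! --- IKE Phase 1: protects the IKE negotiation (control plane) ---
! These algorithms encrypt/authenticate the IKE exchange, not user data.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
! Pre-shared key for the remote peer (constructed placeholder values)
crypto isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.2
!
! --- IKE Phase 2: protects the host-to-host data (data plane) ---
! The transform set is what actually encrypts/authenticates traffic
! matched by the crypto ACL.
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Traffic selector: which host-to-host flows go through the tunnel
ip access-list extended VPN-INTERESTING
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Crypto map ties Phase 2 to the peer and enables PFS so that Phase 2
! runs its own Diffie-Hellman exchange instead of reusing Phase 1 keys.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-INTERESTING
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPNMAP
```

To confirm the two layers separately, `show crypto isakmp sa` lists the Phase 1 (IKE) SA and `show crypto ipsec sa` lists the Phase 2 SAs with their transform and PFS group.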
DragonNOA1 Member Posts: 149
I've read that it really screws with hackers to use different encryption methods for each phase, though having the same is definitely the most common.
The command line, an elegant weapon for a more civilized age
cisco_trooper Member Posts: 1,441
It really helps to use PFS because you get the extra DH exchange going.
lon21 Member Posts: 201
cisco_trooper wrote:
> It really helps to use PFS because you get the extra DH exchange going.
Sorry, what is PFS?
jibbajabba Member Posts: 4,317
> Sorry, what is PFS?
*googles*
Perfect Forward Secrecy
VPN Ports and LAN-to-LAN Tunnels [Support] - Cisco Systems
My own knowledge base made public: http://open902.com