IKE Phase1 vs Phase 2

Hello guys,

Thinking at VPN site-to-site, what options in HAGLE (HashAuthenticationDHgroupLifetimeEncryption) can be set likewise for Phase 1 & 2? If i choose for Phase 1 : md5, psk,2,200sec,3des and for Phase2 : sha,rsa,100sec,des should be everything ok ?

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

SecurityThroughObscurity

kinda weak.

bertieb

I wouldn't use 3DES and MD5 hashing on any phase across any of my VPN's personally. Use something far stronger. And if your endpoints don't support anything above 3DES, they really need to be upgraded.

zimskiz

I think you didn't get it....i just want to know in theory, if options set in phase 1 should be the same in the phase 2.

EdTheLad

No, both are independent of each other.

zimskiz

I;ve saw in a small video from cbt nuggets that he set for Phase 1 (md5, psk,2,200sec,3des) and for Phase 2 the choose was to use the same authentication and diffie hellman group. Can you do that for every parameter? Theres a rule ?

EdTheLad

The rule is, go and study the technology before you come asking questions here. At least make a little effort to try and understand how the technology works.

theodoxa

bertieb wrote: »

I wouldn't use 3DES and MD5 hashing on any phase across any of my VPN's personally. Use something far stronger. And if your endpoints don't support anything above 3DES, they really need to be upgraded.

I know this is for IPSec, but just a something of interest. When I removed everything but AES256-SHA1 from my SSL settings (I use SSL VPN for remote accesss) a while back, it broke ASDM. I had to add 3DES-SHA1 back in order to get ASDM to work again.