IKE Phase1 vs Phase 2

zimskiz · April 2014

Hello guys,

Thinking at VPN site-to-site, what options in HAGLE (HashAuthenticationDHgroupLifetimeEncryption) can be set likewise for Phase 1 & 2? If i choose for Phase 1 : md5, psk,2,200sec,3des and for Phase2 : sha,rsa,100sec,des should be everything ok ?

SecurityThroughObscurity · April 2014

kinda weak.

bertieb · April 2014

I wouldn't use 3DES and MD5 hashing on any phase across any of my VPN's personally. Use something far stronger. And if your endpoints don't support anything above 3DES, they really need to be upgraded.

zimskiz · April 2014

I think you didn't get it....i just want to know in theory, if options set in phase 1 should be the same in the phase 2.

EdTheLad · April 2014

No, both are independent of each other.

zimskiz · April 2014

I;ve saw in a small video from cbt nuggets that he set for Phase 1 (md5, psk,2,200sec,3des) and for Phase 2 the choose was to use the same authentication and diffie hellman group. Can you do that for every parameter? Theres a rule ?

EdTheLad · April 2014

The rule is, go and study the technology before you come asking questions here. At least make a little effort to try and understand how the technology works.

theodoxa · April 2014

bertieb wrote: »

I wouldn't use 3DES and MD5 hashing on any phase across any of my VPN's personally. Use something far stronger. And if your endpoints don't support anything above 3DES, they really need to be upgraded.

I know this is for IPSec, but just a something of interest. When I removed everything but AES256-SHA1 from my SSL settings (I use SSL VPN for remote accesss) a while back, it broke ASDM. I had to add 3DES-SHA1 back in order to get ASDM to work again.

IKE Phase1 vs Phase 2

Comments