IKE Phase1 vs Phase 2

zimskiz Member Posts: 98
Hello guys,

Thinking about a site-to-site VPN, which options in HAGLE (Hash, Authentication, DH group, Lifetime, Encryption) can be set the same for Phase 1 and Phase 2? If I choose for Phase 1: md5, psk, 2, 200sec, 3des and for Phase 2: sha, rsa, 100sec, des, should everything be OK?

Comments

  • SecurityThroughObscurity Member Posts: 212
  • bertieb Member Posts: 1,031
    I wouldn't use 3DES and MD5 hashing on any phase across any of my VPNs personally. Use something far stronger. And if your endpoints don't support anything above 3DES, they really need to be upgraded.
    The trouble with quotes on the internet is that you can never tell if they are genuine - Abraham Lincoln
  • zimskiz Member Posts: 98
    I think you didn't get it... I just want to know, in theory, if the options set in Phase 1 should be the same in Phase 2.
  • EdTheLad Member Posts: 2,111
    No, both are independent of each other.
    Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
  • zimskiz Member Posts: 98
    I've seen in a small video from CBT Nuggets that he set for Phase 1 (md5, psk, 2, 200sec, 3des) and for Phase 2 the choice was to use the same authentication and Diffie-Hellman group. Can you do that for every parameter? Is there a rule?
  • EdTheLad Member Posts: 2,111
    The rule is, go and study the technology before you come asking questions here. At least make a little effort to try and understand how the technology works.
    Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
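    As an added illustration for the "are they independent?" and "can you do that for every parameter?" questions above (not a config from anyone in this thread), here is a Cisco IOS site-to-site setup that deliberately uses different HAGLE values in the two phases. Peer address, subnets and names are constructed placeholders; the PSK is a placeholder to be replaced. Note which parameters only exist in one phase: the peer authentication method (pre-share / rsa-sig) is Phase 1 only, and a Phase 2 DH group is the optional PFS setting.

```cisco
! Phase 1 (IKE / ISAKMP policy) - the HAGLE set from the original post.
! This is the only place a peer authentication method and a mandatory
! DH group are configured.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Constructed peer address; replace PSK-PLACEHOLDER with a real key.
crypto isakmp key PSK-PLACEHOLDER address 203.0.113.2
!
! Phase 2 (IPsec SA) - different cipher, different integrity algorithm,
! different lifetime. "Authentication" here is the ESP integrity
! algorithm (esp-sha-hmac), not the pre-share/rsa-sig choice of Phase 1.
crypto ipsec transform-set TS-SITE esp-aes 128 esp-sha-hmac
 mode tunnel
!
crypto ipsec security-association lifetime seconds 3600
!
! Constructed interesting traffic (placeholder subnets).
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map CM-SITE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-SITE
 ! Optional: a DH group here enables PFS; it need not match group 14 above.
 set pfs group5
 match address 101
!
interface GigabitEthernet0/0
 crypto map CM-SITE
```

    Both tunnels negotiate fine with mismatched values across phases; only the values within a phase must agree with the peer's settings for that same phase.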
  • theodoxa Member Posts: 1,340
    bertieb wrote:
    I wouldn't use 3DES and MD5 hashing on any phase across any of my VPNs personally. Use something far stronger. And if your endpoints don't support anything above 3DES, they really need to be upgraded.

    I know this is for IPsec, but just something of interest. When I removed everything but AES256-SHA1 from my SSL settings (I use SSL VPN for remote access) a while back, it broke ASDM. I had to add 3DES-SHA1 back in order to get ASDM to work again.
    R&S: CCENT CCNA CCNP CCIE [ ]
    Security: CCNA [ ]
    Virtualization: VCA-DCV [ ]