topic Re: IPSEC Tunnel - Understanding Phase 1 and Phase 2 in simple words in Network Security

IPSEC Tunnel - Understanding Phase 1 and Phase 2 in simple words

LovejitSingh130013 — Mon, 19 Apr 2021 16:10:58 GMT

Hello Experts @Marvin Rhoads @Rob @Sheraz.Salim @balaji.bandi @Mohammed al Baqari @Richard Burts

Whenever I configure IPsec tunnels, I checked Phase DH group and encryptions (DES/AES/SHA etc) and in Phase 2 select the local and remote subnets with same encryption.

What does specifically phase one does ? on Cisco ASA which command i can use to see if phase 1 is operational/up?

What does specifically phase two does ? on cisco ASA which command I can use to see if phase 2 is up/operational ?

Thanks,

Lovejit

Re: IPSEC Tunnel - Understanding Phase 1 and Phase 2 in simple words

Rob Ingram — Mon, 19 Apr 2021 16:26:49 GMT

Hi @LovejitSingh130013

Phase 1 establishes an IKE Security Associations (SA) these IKE SAs are then used to securely negotiate the IPSec SAs (Phase 2). Data is transmitted securely using the IPSec SAs.

Phase 1 = "show crypto isakmp sa" or "show crypto ikev1 sa" or "show crypto ikev2 sa"

Phase 2 = "show crypto ipsec sa"

To confirm data is actually sent and received over the VPN, check the output of "show crypto ipsec sa" and confirm the counters for encaps|decaps are increasing.

Re: IPSEC Tunnel - Understanding Phase 1 and Phase 2 in simple words

Sheraz.Salim — Mon, 19 Apr 2021 20:10:39 GMT

as Rob mentioned he is right.but just to put you in more specific point of direction

What does specifically phase one does ? on Cisco ASA which command i can use to see if phase 1 is operational/up?

- show crypto isakmp sa details | b x.x.x.x.x where x.x.x.x is your remote peer ip address.

What does specifically phase two does ? on cisco ASA which command I can use to see if phase 2 is up/operational ?

-show crypto ipsec sa peer x.x.x.x.x

also you can use the command on ASA

show vpn-sessiondb detail l2l filter ipaddress x.x.x.x.x

This command will show you the in full detail of phase 1 setting and phase 2 setting.

Re: IPSEC Tunnel - Understanding Phase 1 and Phase 2 in simple words

MHM Cisco World — Tue, 20 Apr 2021 01:02:01 GMT

Encrypt inside Encrypt.
first Encrypt use the Private/Public Asymmetric Algorithm to be more secure But this is very slow.
Second encrypt use mostly the PSK Symmetric Algorithm this is Fast but not so sure this is why we need the first encrypt to protect it.

Re: IPSEC Tunnel - Understanding Phase 1 and Phase 2 in simple words

Marius Gunnerud — Tue, 20 Apr 2021 12:38:45 GMT

Well, just to add my two cents.

What does specifically phase one does ? on Cisco ASA which command i can use to see if phase 1 is operational/up?

As Rob has already mentioned, this part of the process establishes a tunnel to securely agree upon the encryption keys to be used when encrypting traffic. So I like think of this as a type of management tunnel.

commands to be used here are:

show crypto ikev1 sa

show crypto ikev2 sa

What does specifically phase two does ? on cisco ASA which command I can use to see if phase 2 is up/operational ?

This is where the VPN devices agree upon what method will be used to encrypt data traffic. The keys, or security associations, will be exchanged using the tunnel established in phase 1. Once this exchange is successful all data traffic will be encrypted using this second tunnel. The only time phase 1 tunnel will be used again is for the rekeys.

commands to use:

show crypto ipsec sa peer x.x.x.x !(where x.x.x.x is the IP of the remote peer)