Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2001
Views
0
Helpful
1
Replies

Can anyone explain why Phase 1 is bidirectional and Phase 2 is unidirectional in IPSEC VPN.

maheshpula109
Level 1
Level 1

‎04-16-2019 06:19 PM - edited ‎02-21-2020 09:02 AM

Can anyone explain why Phase 1 is bidirectional and Phase 2 is unidirectional in IPSEC VPN. I read in one book that Phase 1 uses shared symmetric key generated by DH and both peers uses same key hence it is bidirectional. so in phase 2, are we using 2 different keys from encryption and decryption. Can someone explain it to me how phase 2 get 2 different keys in a simpler language.

1 person had this problem
0 Helpful
1 Reply 1

Mohammed al Baqari
Level 11
Level 11

‎04-17-2019 12:33 AM

That is not accurate.

In phase 1 dh generates 3 sub keys SKe, SKa SKd. SKd will be generated 1st
to obtain SKe and SKd. If PFS is off, then you use same keys for phase two
encryption/hashing and you don't generate new sub keys. If you have PFS on
then new set of sub keys generated.

Different encryption/decryption keys is the case when using certificate
authentication.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card