Can anyone explain why Phase 1 is bidirectional and Phase 2 is unidirectional in IPsec VPN? I read in one book that Phase 1 uses a shared symmetric key generated by DH and both peers use the same key, hence it is bidirectional. So in Phase 2, are we using 2 different keys for encryption and decryption? Can someone explain to me, in simpler language, how Phase 2 gets 2 different keys?
In Phase 1, DH generates 3 sub keys: SKe, SKa, SKd. SKd will be generated 1st to obtain SKe and SKd. If PFS is off, then you use the same keys for Phase 2 encryption/hashing and you don't generate new sub keys. If you have PFS on, then a new set of sub keys is generated.
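As an added illustration (not code from this thread), here is the IKEv1 key derivation from RFC 2409 sections 5 and 5.5 in Python. It shows the point behind the question: the Phase 1 keys SKEYID_d / SKEYID_a / SKEYID_e are computed identically by both peers from shared inputs (one bidirectional key set), while each Phase 2 IPsec SA folds its own SPI into the prf, and since inbound and outbound SAs carry different SPIs, each direction ends up with its own KEYMAT. With PFS on, the Quick Mode DH secret is mixed in as well. Assumptions: HMAC-SHA1 as the negotiated prf, pre-shared-key authentication for SKEYID, and every input value (cookies, nonces, DH secrets, SPIs) is constructed sample data rather than captured traffic.

```python
import hashlib
import hmac

ESP = b"\x03"  # protocol identifier for ESP, a single octet in the prf input


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC keyed with `key` using the negotiated hash (SHA-1 assumed here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def phase1_keys(psk: bytes, g_xy: bytes, cky_i: bytes, cky_r: bytes,
                ni_b: bytes, nr_b: bytes) -> dict:
    """Phase 1 keying material (RFC 2409 section 5), pre-shared-key authentication.

    Every input is known to both peers, so both compute the same three keys:
    the Phase 1 SA is protected by one bidirectional key set.
    """
    skeyid = prf(psk, ni_b + nr_b)
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")              # derives further keys
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")   # authenticates IKE messages
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")   # encrypts IKE messages
    return {"SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def phase2_keymat(skeyid_d: bytes, spi: bytes, ni_b: bytes, nr_b: bytes,
                  length: int, g_qm_xy: bytes = None, protocol: bytes = ESP) -> bytes:
    """KEYMAT for one IPsec SA (RFC 2409 section 5.5), expanded to `length` bytes.

    `spi` identifies this SA in one direction; the peer picks a different SPI for
    the reverse SA, which is why each direction gets a different key.
    `g_qm_xy` is the Quick Mode DH shared secret and is present only when PFS is on;
    without PFS, SKEYID_d from Phase 1 is the only secret input.
    """
    tail = (g_qm_xy or b"") + protocol + spi + ni_b + nr_b
    block = prf(skeyid_d, tail)                 # K1
    keymat = block
    while len(keymat) < length:
        block = prf(skeyid_d, block + tail)     # K2 = prf(SKEYID_d, K1 | tail), K3 = ..., and so on
        keymat += block
    return keymat[:length]


def demo() -> dict:
    """Run the derivation on constructed sample values and return the per-direction keys."""
    psk = b"constructed-sample-psk"                      # constructed, not a real key
    g_xy = bytes(range(32))                              # constructed Phase 1 DH secret
    cky_i = bytes.fromhex("0102030405060708")            # constructed initiator cookie
    cky_r = bytes.fromhex("1112131415161718")            # constructed responder cookie
    p1_ni, p1_nr = bytes.fromhex("a0" * 8), bytes.fromhex("b0" * 8)

    p1 = phase1_keys(psk, g_xy, cky_i, cky_r, p1_ni, p1_nr)

    qm_ni, qm_nr = bytes.fromhex("c0" * 8), bytes.fromhex("d0" * 8)   # Quick Mode nonces
    spi_inbound = bytes.fromhex("0000a001")              # SPI chosen by this peer for traffic it receives
    spi_outbound = bytes.fromhex("0000b002")             # SPI chosen by the other peer
    need = 16 + 20                                       # e.g. AES-128 key + HMAC-SHA1 key

    return {
        "phase1": p1,
        "inbound": phase2_keymat(p1["SKEYID_d"], spi_inbound, qm_ni, qm_nr, need),
        "outbound": phase2_keymat(p1["SKEYID_d"], spi_outbound, qm_ni, qm_nr, need),
        # same SA, PFS on: the Quick Mode DH secret changes the result entirely
        "inbound_pfs": phase2_keymat(p1["SKEYID_d"], spi_inbound, qm_ni, qm_nr, need,
                                     g_qm_xy=bytes(range(32, 64))),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else {k: v.hex() for k, v in value.items()})
```

Running the script prints one Phase 1 key set and three Phase 2 KEYMAT values; the inbound and outbound values differ only because of the SPI, and the PFS variant differs because the Quick Mode DH secret is an extra prf input.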
Different encryption/decryption keys are the case when using certificate authentication.