Can anyone explain why Phase 1 is bidirectional and Phase 2 is unidirectional in IPSEC VPN.
04-16-2019 06:19 PM - edited 02-21-2020 09:02 AM
Can anyone explain why Phase 1 is bidirectional and Phase 2 is unidirectional in IPSEC VPN? I read in one book that Phase 1 uses a shared symmetric key generated by DH and both peers use the same key, hence it is bidirectional. So in Phase 2, are we using 2 different keys for encryption and decryption? Can someone explain to me, in simpler language, how Phase 2 gets 2 different keys?
04-17-2019 12:33 AM
That is not accurate.

In Phase 1, DH generates 3 sub keys: SKe, SKa, SKd. SKd will be generated first to obtain SKe and SKd. If PFS is off, then you use the same keys for Phase 2 encryption/hashing and you don't generate new sub keys. If you have PFS on, then a new set of sub keys is generated.

Different encryption/decryption keys are the case when using certificate authentication.
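As an added worked example (not part of this thread or of any vendor's code), here is the IKEv2 key derivation from RFC 7296 that produces the directional keys the reply refers to: prf+ over SKEYSEED yields SK_d plus the per-direction pairs SK_ai/SK_ar and SK_ei/SK_er, and the Child SA KEYMAT cut from SK_d gives separate initiator-to-responder and responder-to-initiator keys, with PFS mixing in a fresh DH secret. The DH secrets, nonces and SPIs below are constructed placeholders, and every key size is fixed at 32 bytes (AES-256 / HMAC-SHA2-256) for simplicity.

```python
import hmac
import hashlib

def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256, one of the PRFs IKEv2 can negotiate (RFC 7296)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ (RFC 7296 s2.13): T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n); output T1|T2|..."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = prf(key, prev + seed + bytes([n]))
        out += prev
        n += 1
    return out[:length]

def ike_sa_keys(g_ir: bytes, ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes) -> dict:
    """Phase 1 (IKE_SA_INIT, s2.14): SKEYSEED = prf(Ni|Nr, g^ir); the seven IKE SA keys
    are then cut from prf+(SKEYSEED, Ni|Nr|SPIi|SPIr) in this fixed order. Note the
    per-direction pairs: SK_ai/SK_ar (integrity) and SK_ei/SK_er (encryption)."""
    skeyseed = prf(ni + nr, g_ir)
    names = ["SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr"]
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, 32 * len(names))
    return {name: stream[32 * i:32 * (i + 1)] for i, name in enumerate(names)}

def child_sa_keys(sk_d: bytes, ni: bytes, nr: bytes, new_g_ir: bytes = b"") -> dict:
    """Phase 2 (Child SA, s2.17): KEYMAT = prf+(SK_d, [g^ir(new) |] Ni|Nr). new_g_ir is
    empty without PFS; with PFS it is the fresh DH secret from CREATE_CHILD_SA. The
    initiator-to-responder keys are cut first, then responder-to-initiator, so each
    direction of the IPsec SA pair gets its own encryption and integrity key."""
    keymat = prf_plus(sk_d, new_g_ir + ni + nr, 4 * 32)
    return {"enc_i2r": keymat[0:32], "integ_i2r": keymat[32:64],
            "enc_r2i": keymat[64:96], "integ_r2i": keymat[96:128]}

# Constructed sample values (not real traffic): DH shared secret, nonces, IKE SPIs.
G_IR = hashlib.sha256(b"constructed dh shared secret").digest()
NI, NR = b"\x11" * 32, b"\x22" * 32
SPI_I, SPI_R = b"\x01" * 8, b"\x02" * 8

if __name__ == "__main__":
    ike = ike_sa_keys(G_IR, NI, NR, SPI_I, SPI_R)
    no_pfs = child_sa_keys(ike["SK_d"], NI, NR)
    pfs = child_sa_keys(ike["SK_d"], NI, NR, new_g_ir=hashlib.sha256(b"fresh dh").digest())
    for name, value in {**ike, **no_pfs}.items():
        print(f"{name:10s} {value.hex()[:16]}...")
    print("PFS changes the child SA keys:", pfs["enc_i2r"] != no_pfs["enc_i2r"])
```

Both peers run the same derivation on the same inputs, so each ends up holding both directional keys; what makes Phase 2 "unidirectional" is that a separate key (and SPI) is cut from KEYMAT for each direction, not that the peers hold different secrets.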
