Can anyone explain why Phase 1 is bidirectional and Phase 2 is unidirectional in IPSEC VPN.

maheshpula109 · ‎04-16-2019

Can anyone explain why Phase 1 is bidirectional and Phase 2 is unidirectional in IPSEC VPN. I read in one book that Phase 1 uses shared symmetric key generated by DH and both peers uses same key hence it is bidirectional. so in phase 2, are we using 2 different keys from encryption and decryption. Can someone explain it to me how phase 2 get 2 different keys in a simpler language.

Mohammed al Baqari · ‎04-17-2019

That is not accurate.

In phase 1 dh generates 3 sub keys SKe, SKa SKd. SKd will be generated 1st
to obtain SKe and SKd. If PFS is off, then you use same keys for phase two
encryption/hashing and you don't generate new sub keys. If you have PFS on
then new set of sub keys generated.

Different encryption/decryption keys is the case when using certificate
authentication.

Can anyone explain why Phase 1 is bidirectional and Phase 2 is unidirectional in IPSEC VPN.

[Q&A 集公開] 1/22 開催 Catalyst SD-WAN - Layer 2 VPN

リモートアクセス VPN 接続で Phase 1 failure のエラー

DMVPN Phase 1

Catalyst SD-WAN : Generic SIGを用いたSecure AccessとのIPsec VPNの確立

[Q&A 集公開] 1/24 開催 IPsec VPN 概要とトラブルシューティング