
IPSEC Tunnel - Understanding Phase 1 and Phase 2 in simple words

Hello Experts  @Marvin Rhoads  @Rob  @Sheraz.Salim   @balaji.bandi  @Mohammed al Baqari  @Richard Burts 

 

Whenever I configure IPsec tunnels, I check the Phase 1 DH group and encryption settings (DES/AES/SHA etc.) and in Phase 2 select the local and remote subnets with the same encryption.

 

What specifically does phase one do? On a Cisco ASA, which command can I use to see if phase 1 is operational/up?

 

What specifically does phase two do? On a Cisco ASA, which command can I use to see if phase 2 is up/operational?

 

Thanks,

Lovejit

3 Accepted Solutions
Rob Ingram
VIP Mentor

Hi @LovejitSingh130013 

Phase 1 establishes an IKE Security Association (SA); these IKE SAs are then used to securely negotiate the IPsec SAs (Phase 2). Data is transmitted securely using the IPsec SAs.

 

Phase 1 = "show crypto isakmp sa" or "show crypto ikev1 sa" or "show crypto ikev2 sa"

Phase 2 = "show crypto ipsec sa"

 

To confirm data is actually sent and received over the VPN, check the output of "show crypto ipsec sa" and confirm the counters for encaps|decaps are increasing.

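Rob's advice to watch the encaps/decaps counters is easy to automate. The following is an added example (not Rob's code and not an ASA feature): it parses two snapshots of "show crypto ipsec sa" output taken a few seconds apart and reports, per peer, whether packets are flowing in both directions. The snapshots are constructed to mimic the ASA layout; the peer addresses and counter values are invented. A peer that only ever shows encaps increasing is the classic sign that the tunnel is up but return traffic is not reaching it (routing, NAT or a crypto ACL mismatch on the far side).

```python
import re

# Two constructed snapshots of "show crypto ipsec sa" output, a few seconds
# apart. The layout mimics the ASA format; peers and counters are invented.
SNAPSHOT_T0 = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      current_peer: 198.51.100.2

      #pkts encaps: 1250, #pkts encrypt: 1250, #pkts digest: 1250
      #pkts decaps: 1180, #pkts decrypt: 1180, #pkts verify: 1180

    Crypto map tag: outside_map, seq num: 2, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
      current_peer: 198.51.100.7

      #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Second snapshot: peer .2 moved in both directions, peer .7 only encapsulated.
SNAPSHOT_T1 = (SNAPSHOT_T0.replace("encaps: 1250", "encaps: 1300")
                          .replace("decaps: 1180", "decaps: 1225")
                          .replace("encaps: 40", "encaps: 55"))

PEER_RE = re.compile(r"current_peer:\s*([^\s,]+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_counters(output):
    """Return {peer: (encaps, decaps)} parsed from show crypto ipsec sa text.
    Counters are summed per peer, because one peer may own several SAs."""
    counters = {}
    # Each "Crypto map tag:" header starts one SA block; the split keeps it.
    for block in re.split(r"(?=Crypto map tag:)", output):
        peer = PEER_RE.search(block)
        enc = ENCAPS_RE.search(block)
        dec = DECAPS_RE.search(block)
        if not (peer and enc and dec):
            continue  # interface header or an SA that has no counters yet
        old_enc, old_dec = counters.get(peer.group(1), (0, 0))
        counters[peer.group(1)] = (old_enc + int(enc.group(1)),
                                   old_dec + int(dec.group(1)))
    return counters


def traffic_status(before, after):
    """Compare two parsed snapshots and classify each peer's traffic flow."""
    report = {}
    for peer, (enc1, dec1) in after.items():
        enc0, dec0 = before.get(peer, (0, 0))
        d_enc, d_dec = enc1 - enc0, dec1 - dec0
        if d_enc > 0 and d_dec > 0:
            verdict = "ok"        # traffic in both directions
        elif d_enc > 0:
            verdict = "tx-only"   # we encrypt, nothing comes back
        elif d_dec > 0:
            verdict = "rx-only"   # remote sends, we never encrypt
        else:
            verdict = "idle"      # SA exists but no interesting traffic
        report[peer] = {"encaps_delta": d_enc,
                        "decaps_delta": d_dec,
                        "verdict": verdict}
    return report


if __name__ == "__main__":
    result = traffic_status(parse_counters(SNAPSHOT_T0),
                            parse_counters(SNAPSHOT_T1))
    for peer, info in result.items():
        print(f"{peer}: {info['verdict']} "
              f"(+{info['encaps_delta']} encaps, +{info['decaps_delta']} decaps)")
```

Feed it real output by capturing "show crypto ipsec sa" twice (for example over SSH) and passing the two strings to parse_counters; "idle" is not a fault by itself, since the counters only move when interesting traffic hits the crypto ACL.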

Sheraz.Salim
VIP Advocate

As Rob mentioned, he is right, but just to point you in a more specific direction:

 

What specifically does phase one do? On a Cisco ASA, which command can I use to see if phase 1 is operational/up?

- show crypto isakmp sa detail | b x.x.x.x     where x.x.x.x is your remote peer IP address.

 

 

What specifically does phase two do? On a Cisco ASA, which command can I use to see if phase 2 is up/operational?

- show crypto ipsec sa peer x.x.x.x

 

You can also use this command on the ASA:

show vpn-sessiondb detail l2l filter ipaddress x.x.x.x

This command will show you the phase 1 and phase 2 settings in full detail.

Please do not forget to rate.


Marius Gunnerud
VIP Advisor

Well, just to add my two cents.

What specifically does phase one do? On a Cisco ASA, which command can I use to see if phase 1 is operational/up?

As Rob has already mentioned, this part of the process establishes a tunnel to securely agree upon the encryption keys to be used when encrypting traffic. So I like to think of this as a type of management tunnel.

The commands to use here are:

show crypto ikev1 sa

show crypto ikev2 sa

What specifically does phase two do? On a Cisco ASA, which command can I use to see if phase 2 is up/operational?

This is where the VPN devices agree upon what method will be used to encrypt data traffic. The keys, or security associations, will be exchanged using the tunnel established in phase 1. Once this exchange is successful, all data traffic will be encrypted using this second tunnel. The only time the phase 1 tunnel will be used again is for the rekeys.

Commands to use:

show crypto ipsec sa peer x.x.x.x   (where x.x.x.x is the IP of the remote peer)

--
Please remember to select a correct answer and rate helpful posts

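Marius's point that the phase 1 tunnel is only revisited for rekeys is visible in the IKEv1 key hierarchy. The following added example (my own illustration, not Marius's code and not how the ASA implements it) simulates the RFC 2409 derivation with pre-shared-key authentication: one Diffie-Hellman exchange in phase 1 yields SKEYID_d, and every phase 2 (quick mode) SA, including a rekey, is derived from that SKEYID_d plus fresh nonces and a new SPI, with no new DH exchange unless PFS is enabled. Assumptions: HMAC-SHA256 stands in for the negotiated prf, a tiny 127-bit toy DH group replaces a real IKE group, only one prf block of KEYMAT is produced, and only one direction's SPI is shown.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only: a 127-bit Mersenne prime with
# generator 2. Real tunnels use IKE groups such as 14 or 19; this one is far
# too small to be secure and exists only so the example runs instantly.
P = (1 << 127) - 1
G = 2
PROTO_ESP = b"\x03"  # IPsec DOI protocol id for ESP, used in quick mode


def prf(key, data):
    """IKE's prf, instantiated here as HMAC-SHA256 (an assumption; the real
    prf follows whatever hash the phase 1 policy negotiated)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_public(private):
    return pow(G, private, P)


def dh_shared(peer_public, private):
    """g^xy as fixed-width bytes, computed from the peer's public value only."""
    return pow(peer_public, private, P).to_bytes(16, "big")


def phase1_skeyid_d(psk, ni, nr, gxy, cky_i, cky_r):
    """Phase 1 with pre-shared key (RFC 2409 section 5):
        SKEYID   = prf(psk, Ni | Nr)
        SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
    SKEYID_d is the long-lived secret every phase 2 negotiation draws on."""
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, gxy + cky_i + cky_r + b"\x00")


def phase2_keymat(skeyid_d, protocol, spi, ni_b, nr_b, pfs_gxy=b""):
    """Quick mode key material for one direction of an IPsec SA (RFC 2409 5.5):
        KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    Without PFS there is no new DH exchange: a rekey needs only fresh nonces
    and a new SPI, which is why the phase 1 SA is kept around. Real IKE
    iterates prf to stretch KEYMAT to the cipher's key size; one block here."""
    return prf(skeyid_d, pfs_gxy + protocol + spi + ni_b + nr_b)


def simulate(psk=b"constructed-example-psk"):
    """Run phase 1 once, then derive an ESP SA and a rekeyed SA from it."""
    # Phase 1: initiator (i) and responder (r) each pick a DH private value
    xi = secrets.randbelow(P - 2) + 1
    xr = secrets.randbelow(P - 2) + 1
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    # Each side combines its own private value with the other's public value;
    # neither side ever sees the other's private value.
    d_i = phase1_skeyid_d(psk, ni, nr, dh_shared(dh_public(xr), xi), cky_i, cky_r)
    d_r = phase1_skeyid_d(psk, ni, nr, dh_shared(dh_public(xi), xr), cky_i, cky_r)

    # Phase 2: first ESP SA, then a rekey with new nonces and SPI (no PFS)
    spi1, n1i, n1r = secrets.token_bytes(4), secrets.token_bytes(16), secrets.token_bytes(16)
    k1_i = phase2_keymat(d_i, PROTO_ESP, spi1, n1i, n1r)
    k1_r = phase2_keymat(d_r, PROTO_ESP, spi1, n1i, n1r)
    spi2, n2i, n2r = secrets.token_bytes(4), secrets.token_bytes(16), secrets.token_bytes(16)
    k2_i = phase2_keymat(d_i, PROTO_ESP, spi2, n2i, n2r)

    return {
        "phase1_match": d_i == d_r,          # both ends hold the same SKEYID_d
        "sa1_match": k1_i == k1_r,           # both ends hold the same ESP keys
        "rekey_changes_keys": k1_i != k2_i,  # rekey: new keys, same SKEYID_d
    }


if __name__ == "__main__":
    print(simulate())
```

The practical consequence for the ASA commands above: if the IKE SA ("show crypto isakmp sa" / "show crypto ikev1 sa") has expired or been cleared, a phase 2 rekey cannot proceed until a fresh phase 1 exchange has rebuilt SKEYID_d.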

4 Replies

MHM Cisco World
Collaborator

Encryption inside encryption.
The first encryption uses a private/public asymmetric algorithm to be more secure, but this is very slow.
The second encryption mostly uses a PSK symmetric algorithm; this is fast but not so secure, which is why we need the first encryption to protect it.
