Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1597
Views
5
Helpful
3
Replies

Doubt about Phase 1 and Phase 2 encryption and authentication.

Go to solution
ciscolover
Level 1
Level 1

‎09-12-2017 02:13 AM - edited ‎03-12-2019 04:31 AM

Hi all,

 

I have an IPSEC tunnel created. I have some doubts about encryption and authentication of phase 1 and phase 2. 

 

With show crypto isakmp policy 10 I can see:

  • Encryption algoritm DES
  • Has MD5
  • Authentication Method Preshared KEY.

I think this is phase 1 and Is negotiated bith DES for encryption.

 

My doubt is about phase 2. What is the encryption and authentication method for phase 2. The same of phase 1? Or another?  I have a transform set with esp-des esp-md5-hmac. Maybe esp-des is the encryption method for phase 2 and esp-md5-hmac the authentication method? Or not? 

 

What is the encryption and authentication of my phase 2 tunnel? Thanks ¡¡¡

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Pawan Raut
Level 4
Level 4

‎09-12-2017 03:07 AM

the transform set is the encryption and auth method for phase 2.

on ASA you can verify the phase 1 and phase 2 parameter using below coomand

sh vpn-sessiondb l2l

 

Regards,

Pawan (CCIE#52104)

 

Kindly rate for helpful post

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Pawan Raut
Level 4
Level 4

‎09-12-2017 03:07 AM

the transform set is the encryption and auth method for phase 2.

on ASA you can verify the phase 1 and phase 2 parameter using below coomand

sh vpn-sessiondb l2l

 

Regards,

Pawan (CCIE#52104)

 

Kindly rate for helpful post

0 Helpful

Go to solution
ciscolover
Level 1
Level 1
In response to Pawan Raut

‎09-12-2017 05:07 AM - edited ‎09-12-2017 05:09 AM

Thanks for your reply.

 

I would like to create the tunnel with a FW (fortigate) and a CISCO 1841. I'm configuring the CISCO 1841.

 

The client configures the FW and for phase 2 indicates this:

Encryption AES256

Authentication SHA256.

 

I don't find exactly this encryption and authentication method in the transform set options. Maybe the correct is this? I cant' find esp-sha and the 256 option...

crypto ipsec transform-set test esp-aes 256 esp-sha-hmac

 

0 Helpful
Customers Also Viewed These Support Documents