IPSec KEY Generation

Teck Sing
Level 1

Dear Experts

In some documents I saw that three keys are generated in packets 3-4 of IKEv1 phase 1. Can anyone please explain in detail which three keys are generated? And which key is for phase 1 packets 5-6, and which one is for phase 2?

Thanks

- Teck Sing


Teck Sing
Level 1

Thanks a lot, MHM. Sorry for the late thanks; I first read some more documents linked from this article.

Now I know "the IPsec symmetrical keys are derived from this DH key shared between the peers, at no point are symmetric keys actually exchanged." 

In phase 1, DH will create the same shared secret on both peers, but this "shared secret" is not used for any encryption. Both peers will individually compute a new key from this "shared secret" as a base key, and further derive three other keys from this base key: SKEYID_d, SKEYID_a and SKEYID_e. Actually, these three keys are used for the subsequent steps.

If PFS is enabled, another DH process will occur during phase 2, and a new symmetric key for data encryption will be generated.

Please correct me if my understanding is incorrect.

Thanks

- Teck Sing
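The derivation discussed in the thread above, written out from RFC 2409 as an added worked example (this is not code from the original post, from MHM, or from Teck Sing). One detail worth having in front of you: which inputs feed the base key SKEYID depends on the authentication method. With pre-shared keys, SKEYID = prf(PSK, Ni_b | Nr_b) and the DH secret g^xy only enters when SKEYID_d, SKEYID_a and SKEYID_e are derived; with signature authentication, SKEYID = prf(Ni_b | Nr_b, g^xy). The example assumes pre-shared-key authentication, SHA-1 as the negotiated phase 1 hash (so prf is HMAC-SHA1), and a toy Diffie-Hellman group (p = 2**61 - 1, g = 2) standing in for a real IKE MODP group so it runs offline; every nonce, cookie, SPI and SA payload in it is constructed sample data. It runs both peers' computations side by side so you can see that each derives the same g^xy and the same three keys without either secret crossing the wire, and it shows the phase 2 KEYMAT both with and without PFS.

```python
"""IKEv1 (RFC 2409) key derivation, phase 1 and phase 2, worked end to end.

Added example for this thread, not code from the original post.  Assumptions:
pre-shared-key authentication, SHA-1 as the negotiated phase 1 hash (prf is
HMAC-SHA1), and a toy DH group (p = 2**61 - 1, g = 2) in place of a real IKE
MODP group.  All nonces, cookies, SPIs and SA payloads are constructed data.
"""
import hashlib
import hmac

HASH = hashlib.sha1      # negotiated hash; prf(key, data) = HMAC-HASH(key, data)
TOY_P = 2**61 - 1        # toy DH modulus (a Mersenne prime): NOT an IKE group
TOY_G = 2


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, HASH).digest()


def dh_public(x: int) -> int:
    """g^x mod p, the KE payload each peer sends in packets 3-4."""
    return pow(TOY_G, x, TOY_P)


def dh_shared(peer_public: int, x: int) -> bytes:
    """g^xy as an octet string. Computed locally by each side; never sent."""
    return pow(peer_public, x, TOY_P).to_bytes(8, "big")


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """Pre-shared-key mode: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def derive_skeyid_dae(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    """The three keys the question asks about. The last byte is the single octet 0, 1 or 2."""
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # seeds phase 2 KEYMAT
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # HMAC key for ISAKMP messages
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # encryption key from packet 5 on
    return skeyid_d, skeyid_a, skeyid_e


def phase1_cipher_key(skeyid_e: bytes, length: int) -> bytes:
    """Cipher key for packets 5-6: SKEYID_e itself, or its expansion (RFC 2409 App. B)
    when the cipher needs more bytes: K1 = prf(SKEYID_e, 0), K2 = prf(SKEYID_e, K1), ..."""
    if len(skeyid_e) >= length:
        return skeyid_e[:length]
    k = prf(skeyid_e, b"\x00")
    out = k
    while len(out) < length:
        k = prf(skeyid_e, k)
        out += k
    return out[:length]


def hash_i(skeyid, g_xi, g_xr, cky_i, cky_r, sai_b, idii_b):
    """HASH_I carried (encrypted) in packet 5; HASH_R is the same prf with i/r inputs swapped."""
    return prf(skeyid, g_xi + g_xr + cky_i + cky_r + sai_b + idii_b)


def keymat(skeyid_d, protocol, spi, ni2, nr2, length, gqm_xy=b""):
    """Phase 2 (quick mode) keying material for one SA.
    Without PFS: K1 = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b).
    With PFS the quick-mode DH secret g(qm)^xy is prepended to that seed.
    Expansion: K2 = prf(SKEYID_d, K1 | seed), ...; KEYMAT = K1 | K2 | ..."""
    seed = gqm_xy + protocol + spi + ni2 + nr2
    k = prf(skeyid_d, seed)
    out = k
    while len(out) < length:
        k = prf(skeyid_d, k + seed)
        out += k
    return out[:length]


def demo() -> dict:
    """Run both peers' computations side by side on constructed inputs."""
    psk = b"constructed-psk"
    cky_i, cky_r = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
    ni, nr = bytes(range(16)), bytes(range(16, 32))
    xi, xr = 123456789, 987654321                        # private DH exponents, never sent
    g_xi, g_xr = dh_public(xi), dh_public(xr)            # exchanged in packets 3-4
    gxy_i = dh_shared(g_xr, xi)                          # initiator's copy of g^xy
    gxy_r = dh_shared(g_xi, xr)                          # responder's copy of g^xy
    skeyid = skeyid_psk(psk, ni, nr)
    keys_i = derive_skeyid_dae(skeyid, gxy_i, cky_i, cky_r)
    keys_r = derive_skeyid_dae(skeyid, gxy_r, cky_i, cky_r)
    gxi_b, gxr_b = g_xi.to_bytes(8, "big"), g_xr.to_bytes(8, "big")
    sai_b, idii_b, idir_b = b"\x00\x00\x00\x01SA", b"\x01initiator", b"\x01responder"
    # phase 2: ESP is protocol 3; AES-128 + HMAC-SHA1 needs 16 + 20 = 36 bytes of KEYMAT
    proto, spi, ni2, nr2 = b"\x03", bytes.fromhex("deadbeef"), b"A" * 16, b"B" * 16
    qm_gxy = dh_shared(dh_public(222), 111)              # PFS: a second DH done in quick mode
    return {
        "gxy_initiator": gxy_i,
        "gxy_responder": gxy_r,
        "phase1_initiator": keys_i,
        "phase1_responder": keys_r,
        "phase1_cipher_key": phase1_cipher_key(keys_i[2], 32),   # e.g. AES-256 in phase 1
        "hash_i": hash_i(skeyid, gxi_b, gxr_b, cky_i, cky_r, sai_b, idii_b),
        "hash_r": hash_i(skeyid, gxr_b, gxi_b, cky_r, cky_i, sai_b, idir_b),
        "keymat_no_pfs": keymat(keys_i[0], proto, spi, ni2, nr2, 36),
        "keymat_pfs": keymat(keys_i[0], proto, spi, ni2, nr2, 36, qm_gxy),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        shown = [k.hex() for k in value] if isinstance(value, tuple) else value.hex()
        print(f"{name}: {shown}")
```

Two things to take from running it: the "shared secret" g^xy and SKEYID are only ever prf inputs, so none of the bytes that protect packets 5-6 or the ESP traffic equal the DH result itself; and with PFS the quick-mode DH secret is folded into the KEYMAT seed, so a later compromise of SKEYID_d alone does not yield the phase 2 keys.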