Hi there,
Some doubts regarding the IPsec process.
According to the Cisco PIX firewall book by Richard A. Deal, the IPsec process in snapshot is as follows:
1. IKE phase 1
   A. Initial exchange: main or aggressive mode
   B. Identity authentication
      # Pre-shared keys
      # RSA encrypted nonces
      # RSA signatures
   C. Diffie-Hellman
   D. Exchange of management transform sets
   E. Creation of management connection
2. IKE phase 2
   A. Exchange of user transform sets using quick mode
   B. Creation of user connection
   C. Periodically refreshing keys for connections
My doubts:
1. There is no mention of the management connection (IKE phase 1) and
the user connection (IKE phase 2) in the Cisco Press book.
Is it wrong?
2. It says that Diffie-Hellman is used to set up a temporary secure connection between the two peers so that they can share the keying information across the connection.
What is the keying information they share, since the Diffie-Hellman process occurs after main/aggressive mode (in which the IPsec security policies to be used for the management connection are negotiated), which already decides what to use, like DES/3DES, MD5/SHA, DH group 1/group 2, etc.?
3. It also says that one of the functions of IKE phase 2 is to periodically generate new keying information.
In this process, are the DES/3DES keys produced by Diffie-Hellman itself?
Thanks.
Brajesh.
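As an added illustration that is not part of Brajesh's post or the book he cites, the Python model below follows RFC 2409 (IKEv1): the phase 1 Diffie-Hellman exchange, the SKEYID derivation that turns the shared secret g^xy into the keys protecting the management connection, and the phase 2 KEYMAT expansion that yields the per-SA cipher keys (a 24-byte 3DES key for an ESP SA here). The pre-shared key, nonces, cookies and SPI are constructed values; SHA-1 is assumed as the negotiated hash, and the group 2 prime is the one published in RFC 2409 section 6.2.

```python
import hmac
import secrets

# 1024-bit MODP prime of IKE Diffie-Hellman group 2 (RFC 2409, section 6.2), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def dh_keypair():
    """One peer's private exponent x and public value g^x mod p (the value sent in main/aggressive mode)."""
    x = secrets.randbits(256)
    return x, pow(G, x, P)

def dh_shared(x, peer_public):
    """g^xy mod p: the shared secret both peers compute but never transmit."""
    return pow(peer_public, x, P).to_bytes((P.bit_length() + 7) // 8, "big")

def prf(key, data):
    """IKEv1 prf = HMAC of the negotiated hash; SHA-1 assumed here (RFC 2409, section 3.2)."""
    return hmac.new(key, data, "sha1").digest()

def phase1_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409, section 5: SKEYID_d/_a/_e for the management (ISAKMP) SA with pre-shared-key auth."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # seeds the phase 2 keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # authenticates ISAKMP messages
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # encrypts ISAKMP messages
    return skeyid_d, skeyid_a, skeyid_e

def phase2_keymat(skeyid_d, protocol, spi, ni, nr, key_len, gqm_xy=b""):
    """RFC 2409, section 5.5: KEYMAT for one IPsec SA; gqm_xy is a fresh quick-mode g^xy only with PFS."""
    seed = gqm_xy + protocol + spi + ni + nr
    keymat = k = prf(skeyid_d, seed)
    while len(keymat) < key_len:              # K2 = prf(SKEYID_d, K1 | seed), K3 = prf(SKEYID_d, K2 | seed), ...
        k = prf(skeyid_d, k + seed)
        keymat += k
    return keymat[:key_len]

def demo():
    """Phase 1 DH + SKEYID, then a 24-byte 3DES key for an ESP SA (ISAKMP protocol id 3); inputs constructed."""
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    gxy = dh_shared(xi, gr)
    assert gxy == dh_shared(xr, gi)           # both peers hold the same secret
    nonce = secrets.token_bytes
    skeyid_d, _, _ = phase1_keys(b"constructed-psk", nonce(16), nonce(16), gxy, nonce(8), nonce(8))
    return phase2_keymat(skeyid_d, b"\x03", nonce(4), nonce(16), nonce(16), 24)
```

Each quick-mode rekey feeds new nonces (and, with PFS, a new g^xy) into the same expansion, which is how phase 2 produces fresh DES/3DES keys without a fresh phase 1.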