need help to understand IKEv1 phases

xine xine
Level 1

Hi !

I'm currently reading about IPsec in the "CCNP ISCW Official Certification Guide". This book explains the functional principles of IPsec. But from my understanding, some things in the text contradict others.

On page 264 the author wrote:

IKE Phases
The IKE protocol/process is broken into two phases, which create a secure communications
channel between two IPsec endpoints. Although there are two primary and mandatory IKE phases,
there is an optional third phase. The three phases are described here:

  • IKE phase 1 is one of the mandatory IKE phases. A bidirectional SA is established between
    IPsec peers in phase 1. This means that data sent between the end devices uses the same key
    material. Phase 1 may also perform peer authentication to validate the identity of the IPsec
    endpoints. There are two IKE modes available for IKE phase 1 to establish the bidirectional
    SA: main mode and aggressive mode. IKE modes are described in the next section. Phase 1
    consists of parameter negotiation, such as hash methods and transform sets. The two IPsec
    peers must agree on these parameters or the IPsec connection cannot be established.

Later in the same book (page 265):

IKE Quick Mode

Quick mode is used during IKE phase 2. The negotiation of quick mode is protected by the IKE
SA negotiated in Phase 1. Such an option is not available during main or aggressive modes,
because their function is to establish the first SA. Quick mode negotiates the SAs used for data
encryption across the IPsec connection. It also manages the key exchange for those SAs.

And on page 290:

In Figure 13-5, Router A and Router B are attempting to negotiate parameters for IPsec SAs.
Assume that Router A starts the IKE phase 2 negotiation process. Router A sends to Router B its
two IPsec transform sets, 60 and 70. A single variation in any parameter makes the entire
transform set different. The same IPsec transform set can be used for SAs to many destinations,
so there is no need to create an identical transform set for each IPsec endpoint.

So are transform set parameters negotiated in phase 1 or in phase 2? If those parameters are negotiated in phase 1, what else is negotiated in phase 2 as parameters? What can happen to make phase 2 fail?

Also, in the case of an Easy VPN client (either a router that creates the VPN or the Cisco VPN Client software installed on a Windows computer), for both we define a group with a group key, which is validated in IKE phase 1; is the username and password, entered in the router configuration or asked of the user, validated in phase 1.5? I didn't see any message about phase 1.5 the last time I had to troubleshoot that kind of connection, but it was the configured group name with the associated key, followed by the username and password provided in the router configuration.

Thanks!

3 Replies

Yudong Wu
Level 7

The transform-set parameters are negotiated during phase 2.

Phase 1 negotiates the ISAKMP policy. So anything that you configured by using "crypto isakmp" will be negotiated during phase 1.

The most common phase 2 failures are caused by 1) the transform sets not matching, 2) the crypto ACLs not mirroring each other between the peers.

Xauth is checked in phase 1.5. It's something that happens between phase 1 and phase 2.
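As an added example (it is not from the book and not from either poster), here is a site-to-site configuration for two IOS peers with the phase 1 parameters (the ISAKMP policy) and the phase 2 parameters (the transform set, the crypto ACL carried as proxy identities, and the IPsec SA lifetime) kept in separate blocks so the two negotiations can be compared line by line. The addresses, names and key placeholders are assumptions; the quoted debug strings are the IOS messages that normally accompany the two phase 2 failures named in the reply above.

```cisco
! ---------- Router A ----------  (example config; addresses and names assumed)
! IKE phase 1: the ISAKMP policy. Main or aggressive mode negotiates exactly
! these attributes and says nothing about the data traffic.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
! "hash sha" is SHA-1; use sha256 where the image supports it.
! "lifetime" here is the IKE SA lifetime, not the IPsec SA lifetime.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 10.0.0.2
!
! IKE phase 2: the transform set describes the IPsec (ESP) SAs that quick mode
! builds. Algorithms and lifetime are negotiated again, independently of the
! ISAKMP policy, because the IKE SA and the IPsec SAs are different SAs.
crypto ipsec transform-set TS60 esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600
!
! Crypto ACL = the proxy identities sent in quick mode. Peer B must mirror it
! (source and destination swapped) or quick mode fails with
! "IPSEC(validate_proxy_ids): proxy identities not supported".
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set TS60
 set pfs group14
 match address VPN-TRAFFIC
! "set pfs" is optional: it adds a fresh DH exchange inside phase 2, which is
! the only reason a DH group appears in phase 2 at all.
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 crypto map VPNMAP

! ---------- Router B ----------  mirror image of A
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key REPLACE-WITH-STRONG-PSK address 10.0.0.1
!
! Must match TS60 on A attribute for attribute; a single difference makes it a
! different transform set and quick mode fails with
! "IPSec policy invalidated proposal" / "phase 2 SA policy not acceptable!".
crypto ipsec transform-set TS60 esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set TS60
 set pfs group14
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 10.0.0.2 255.255.255.252
 crypto map VPNMAP

! ---------- Checking each phase on its own ----------
! show crypto isakmp sa    phase 1: state QM_IDLE means the IKE SA is up
! show crypto ipsec sa     phase 2: inbound/outbound SPIs, #pkts encaps/decaps
! debug crypto isakmp      phase 1 and quick mode exchanges (xauth shows here too)
! debug crypto ipsec       proxy-ID and transform-set validation on the responder
```

If "show crypto isakmp sa" reports QM_IDLE but "show crypto ipsec sa" shows no SPIs, phase 1 succeeded and the problem is one of the two phase 2 items above; compare the transform sets and the two ACL lines first.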

I think what confuses me is that those parameters (encryption (DES, 3DES, AES), hash (MD5, SHA-1), DH group, and SA lifetime) are negotiated twice: in phase 1 inside the ISAKMP policy and in the transform-set parameters in phase 2. Did I understand correctly? I'm a bit slow to respond because you've left me confused; I'm reading the chapter about IPsec a second time. I hope it will become clearer to me after this second reading.

If it is the case that the parameters are negotiated twice, what is the benefit? Especially if we are using the same parameters...

About phase 1.5, I know for sure it is something happening between phase 1 and phase 2 (the name of the phase makes that clear). What I was asking is this: in one of our VPN setups we are using an EZVPN configuration in which the router automatically initiates the VPN connection for the customer. In this configuration we have a group name and the associated key (which is probably negotiated in phase 1) and a username and password; is this username/password negotiated in phase 1.5?

During debugging, we saw PHASE 1 and PHASE 2 but no label named PHASE 1.5 or anything like that!

My understanding is that phase 1 and phase 2 can use different parameters and they are for different purposes. So they are negotiated separately.

Yes, that username/password is used for xauth in EZVPN; it is used for the authentication in phase 1.5.

Debug output won't show you phase 1.5.
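An added example for the Easy VPN question (not from the book or from the thread; the group name, usernames, pool and key placeholders are assumptions): the group key is the phase 1 pre-shared key, looked up by the group name that the client sends as its IKE identity in aggressive mode, and the per-user username/password is checked by xauth after phase 1 completes and before quick mode starts, which is all that "phase 1.5" means. The three "crypto map VPNMAP client/isakmp ..." lines are what switch that step on; there is no separate policy object for it, which is also why the debug output has no phase 1.5 label.

```cisco
! ---------- Easy VPN server (hub router) ----------  example config
aaa new-model
! xauth ("phase 1.5"): the per-user credentials are checked against this list
aaa authentication login VPN-XAUTH local
! group authorization: where the group name, group key and mode-config
! attributes are looked up
aaa authorization network VPN-GROUP local
username alice secret REPLACE-WITH-USER-PASSWORD
!
! Phase 1: the legacy Cisco VPN Client and IOS Easy VPN remotes use aggressive
! mode with pre-shared keys and propose DH group 2 (a client constraint)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
!
! Phase 1 key for the group: the client's IKE ID is the group name "SALES",
! so the key is found by name, not by peer address as in site-to-site
crypto isakmp client configuration group SALES
 key REPLACE-WITH-GROUP-KEY
 pool VPN-POOL
 dns 192.168.1.10
 domain example.com
ip local pool VPN-POOL 192.168.100.1 192.168.100.50
!
! Phase 2: transform set for the client's IPsec SAs; the dynamic map is used
! because the client's address is not known in advance
crypto ipsec transform-set TS-CLIENT esp-aes 256 esp-sha-hmac
crypto dynamic-map DYN 10
 set transform-set TS-CLIENT
 reverse-route
!
! The phase 1.5 steps, in order: xauth (username/password), group
! authorization, then mode config (address, DNS, domain from the group)
crypto map VPNMAP client authentication list VPN-XAUTH
crypto map VPNMAP isakmp authorization list VPN-GROUP
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp dynamic DYN
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 crypto map VPNMAP

! ---------- IOS Easy VPN remote (the router that creates the VPN) ----------
crypto ipsec client ezvpn HQ
 connect auto
 group SALES key REPLACE-WITH-GROUP-KEY
 mode client
 peer 10.0.0.1
 xauth userid mode local
 username alice password REPLACE-WITH-USER-PASSWORD
! "group ... key" is the phase 1 (aggressive mode) pre-shared key;
! "username ... password" is what xauth sends between phase 1 and phase 2.
!
interface GigabitEthernet0/0
 crypto ipsec client ezvpn HQ
interface GigabitEthernet0/1
 crypto ipsec client ezvpn HQ inside
```

On the server, a wrong group key fails in phase 1 (the aggressive mode exchange never completes), while a wrong user password fails after phase 1 is up and before any IPsec SA appears in "show crypto ipsec sa"; that ordering is the practical way to tell the two failures apart without a phase 1.5 label in the debug.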