04-02-2011 12:12 PM
Hi!
I'm currently reading about IPsec in the "CCNP ISCW Official Certification Guide". This book explains the functional principles of IPsec. But from my understanding, some things in the text contradict others.
On page 264 the author wrote:
IKE Phases
The IKE protocol/process is broken into two phases, which create a secure communications
channel between two IPsec endpoints. Although there are two primary and mandatory IKE phases,
there is an optional third phase. The three phases are described here:
Later in the same book (page 265):
IKE Quick Mode
Quick mode is used during IKE phase 2. The negotiation of quick mode is protected by the IKE
SA negotiated in Phase 1. Such an option is not available during main or aggressive modes,
because their function is to establish the first SA. Quick mode negotiates the SAs used for data
encryption across the IPsec connection. It also manages the key exchange for those SAs.
And on page 290:
In Figure 13-5, Router A and Router B are attempting to negotiate parameters for IPsec SAs.
Assume that Router A starts the IKE phase 2 negotiation process. Router A sends to Router B its
two IPsec transform sets, 60 and 70. A single variation in any parameter makes the entire
transform set different. The same IPsec transform set can be used for SAs to many destinations,
so there is no need to create an identical transform set for each IPsec endpoint.
So, are transform set parameters negotiated in phase 1 or in phase 2? If those parameters are negotiated in phase 1, what else is negotiated in phase 2 as parameters? What can happen to make phase 2 fail?
Also, in the case of Easy VPN (Ezclient) (with a router that creates the VPN, or the Cisco VPN client software installed on a Windows computer), for both we define a group with a group key which is validated in IKE phase 1; is the username and password entered in the router configuration or asked of the user validated in phase 1.5? I didn't see any message about phase 1.5 the last time I had to troubleshoot that kind of connection, but it was the configured group name with the associated key, followed by the username and password provided in the router configuration.
Thanks!
04-02-2011 06:06 PM
The transform-set parameters are negotiated during phase 2.
Phase 1 negotiates the ISAKMP policy. So anything that you configured using "crypto isakmp" will be negotiated during phase 1.
The most common phase 2 failures are caused by 1) the transform-sets not matching, 2) the crypto ACLs not mirroring each other between the peers.
Xauth is checked in phase 1.5. It's something that happens between phase 1 and phase 2.
04-05-2011 10:28 AM
I think what confuses me is that those parameters (encryption (DES, 3DES, AES), hash (MD5, SHA-1), DH group, and SA lifetime)
are negotiated twice: in phase 1 inside the ISAKMP policy, and in the transform-set parameters in phase 2. Did I understand correctly? I'm a bit slow to respond because you've got me confused; I'm reading the chapter about IPsec a second time and I hope it will become clearer to me after this second reading.
If that's the case and the parameters are negotiated twice, what is the benefit? Especially if we are using the same parameters...
About phase 1.5, I know for sure it is something happening between phase 1 and phase 2 (the name of the phase is clear about it). What I was asking is this: in one of our VPN setups we are using an EZVPN configuration in which the router automatically initiates the VPN connection for the customer. In this configuration we have a group name and the associated key (which is probably negotiated in phase 1) and a username and password; is this username/password negotiated in phase 1.5?
During debugging, we saw PHASE 1 and PHASE 2 but no label named PHASE 1.5 or anything like that!
04-05-2011 11:12 AM
My understanding is that phase 1 and phase 2 can use different parameters and they are for different purposes. So they are negotiated separately.
Yes, that username/password is used for Xauth in EZVPN; it is used for the authentication in phase 1.5.
Debug output won't show you phase 1.5.
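To make the two answers above concrete (phase 1 negotiates the ISAKMP policy, Xauth sits between phase 1 and phase 2, and phase 2 negotiates the transform set and needs mirrored crypto ACLs), here is an added simulation in Python. It is not code from this thread or from Cisco, and it models the negotiation only at the level of "which proposal do both peers share", not the actual IKE packet exchange. The peer names, policy numbers, addresses and the user database are constructed sample data; the rule that a phase 1 match takes the shorter of the two lifetimes follows the documented IOS behaviour for ISAKMP policies.

```python
"""Simulation of the order in which an IKE/IPsec tunnel is negotiated.

Phase 1 picks an ISAKMP policy, phase 1.5 (Xauth) checks a username/password,
phase 2 picks an IPsec transform set and requires mirrored crypto ACLs.
Example code written for this thread; all peers and values are constructed.
"""
import hmac
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:          # phase 1 proposal: what "crypto isakmp policy" configures
    encryption: str
    hash: str
    auth: str
    dh_group: int
    lifetime: int            # seconds


@dataclass(frozen=True)
class TransformSet:          # phase 2 proposal: what "crypto ipsec transform-set" configures
    esp_cipher: str
    esp_auth: str
    mode: str


@dataclass(frozen=True)
class CryptoAcl:             # the "interesting traffic" the peer proposes to protect
    src: str
    dst: str


def negotiate_phase1(initiator_policies, responder_policies) -> Optional[IsakmpPolicy]:
    """Return the first policy both peers share; None means phase 1 fails.

    Encryption, hash, authentication and DH group must be identical; the
    lifetime does not have to match, the shorter one is used (IOS behaviour).
    """
    for proposal in initiator_policies:          # sent in priority order
        for candidate in responder_policies:
            if (proposal.encryption, proposal.hash, proposal.auth, proposal.dh_group) == \
               (candidate.encryption, candidate.hash, candidate.auth, candidate.dh_group):
                return replace(proposal, lifetime=min(proposal.lifetime, candidate.lifetime))
    return None


def xauth(user_db, username: str, password: str) -> bool:
    """Phase 1.5: extended authentication of the user, after the IKE SA exists.
    user_db is a constructed dict {username: password} standing in for AAA."""
    expected = user_db.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


def acls_mirror(local: CryptoAcl, remote: CryptoAcl) -> bool:
    """Phase 2 identities match only if each ACL is the exact mirror of the other."""
    return local.src == remote.dst and local.dst == remote.src


def negotiate_phase2(initiator_sets, responder_sets, local_acl, remote_acl) -> Tuple[Optional[TransformSet], str]:
    """Return (transform_set, reason); transform_set is None when phase 2 fails."""
    chosen = next((ts for ts in initiator_sets if ts in responder_sets), None)
    if chosen is None:
        return None, "transform sets do not match"
    if not acls_mirror(local_acl, remote_acl):
        return None, "crypto ACLs do not mirror"
    return chosen, "ok"


def bring_up_tunnel(initiator: dict, responder: dict, creds=None) -> dict:
    """Run the phases in order and report where (if anywhere) the tunnel fails."""
    ike_sa = negotiate_phase1(initiator["isakmp"], responder["isakmp"])
    if ike_sa is None:
        return {"phase1": None, "phase2": None, "failed_at": "phase 1"}
    if responder.get("users") is not None:        # responder demands Xauth
        if creds is None or not xauth(responder["users"], *creds):
            return {"phase1": ike_sa, "phase2": None, "failed_at": "phase 1.5 (Xauth)"}
    ipsec_sa, reason = negotiate_phase2(initiator["transform_sets"], responder["transform_sets"],
                                        initiator["acl"], responder["acl"])
    if ipsec_sa is None:
        return {"phase1": ike_sa, "phase2": None, "failed_at": f"phase 2 ({reason})"}
    return {"phase1": ike_sa, "phase2": ipsec_sa, "failed_at": None}


# Constructed sample peers (not from the thread).
ROUTER_A = {
    "isakmp": [IsakmpPolicy("aes", "sha", "pre-share", 2, 86400)],
    "transform_sets": [TransformSet("esp-aes", "esp-sha-hmac", "tunnel"),
                       TransformSet("esp-3des", "esp-md5-hmac", "tunnel")],
    "acl": CryptoAcl("10.1.0.0/16", "10.2.0.0/16"),
}
ROUTER_B = {
    "isakmp": [IsakmpPolicy("3des", "md5", "pre-share", 2, 3600),
               IsakmpPolicy("aes", "sha", "pre-share", 2, 3600)],
    "transform_sets": [TransformSet("esp-3des", "esp-md5-hmac", "tunnel")],
    "acl": CryptoAcl("10.2.0.0/16", "10.1.0.0/16"),
}

if __name__ == "__main__":
    print(bring_up_tunnel(ROUTER_A, ROUTER_B))
    print(bring_up_tunnel(ROUTER_A, dict(ROUTER_B, acl=CryptoAcl("10.2.0.0/16", "10.3.0.0/16"))))
    print(bring_up_tunnel(ROUTER_A, dict(ROUTER_B, users={"alice": "s3cret"}), ("alice", "wrong")))
```

Running it shows the three outcomes the answers describe: with matching configurations phase 1 agrees on AES/SHA/group 2 with the shorter 3600 s lifetime and phase 2 lands on the one shared transform set; a non-mirrored ACL or a missing shared transform set fails in phase 2 even though phase 1 succeeded; and with Xauth enabled on the responder a bad password stops the tunnel between phase 1 and phase 2, which is exactly the step the debug output never labels as "phase 1.5".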